CB’s Threat Analysis Unit (TAU) launched its latest report on the rise of a new cryptomining tactic that has already affected at least 500,000 machines globally, 60% of victims from APAC.

Carbon Black’s Threat Analysis Unit (TAU) has launched its latest report on the evolution of a  cryptomining tactic that has already affected at least 500,000 machines globally, of which 60% of its victims derived from the Asia-Pacific region. By some estimates, hackers could theoretically pull in US$1.6 million annually by leveraging this attack model, which began about two years ago due to cryptocurrency market fluctuations and high availability of open source attack tools.

The tactic, dubbed “Access Mining” by Carbon Black researchers, is when an attacker leverages the footprint and distribution of commodity malware, such as a cryptominer, and uses it to mask a hidden agenda of selling system access to targeted machines on the dark web. This method could pave the way for more dangerous and far-reaching attacks, with the advanced combination of tactics allowing attackers to draw profit streams from both cryptomining and system access auctions on the darknet.

The discovery was made during an investigation of a well-known cryptomining campaign, Smominru, which uncovered sophisticated, multi-stage malware that was sending detailed system data to a network of hijacked web servers, presumably for the purposes of resale on one (or many) remote access marketplaces across the dark web. CB TAU found that threat actors had evolved their cryptomining capabilities with additional tools for collecting and exfiltrating sensitive information running on compromised infrastructure.

“This discovery demonstrates how virtually any company could be leveraged in a targeted attack—even if that company lacks a worldwide brand, known intellectual property assets, or a Fortune 1000 listing,” the researchers said. “Access Mining represents a scalable and economical approach for an adversary to find valuable targets.”

The full report, entitled Access Mining, outlines how a well-known cryptomining campaign has been enhanced to steal system access information for possible sale on the dark web.

Among the report’s key findings:

At least 500,000 machines were affected

60% of victims were derived from the Asia Pacific region, and the rest were from Russia and Eastern Europe.

Threat actors are increasingly using repurposed tools, modified exploits and stolen infrastructure

Previously, this threat actor used a modified version of XMRig to perform Monero mining, yet now, this research showed that the group now uses readily available malware and open source tooling which have been modified for purposes to pivot from infected systems and expand their campaign’s reach.

Rapid evolution thanks to open source exploits

Modified versions of Cacls, XMRig and EternalBlue were used in this investigation. Researchers found that obtaining the bulk of the code via open source sites likely sped up the innovation to Access Mining.

Combining commodity malware with access-for-sale is lucrative at scale

The business model for Access Mining typically combines a profit stream from cryptomining with a profit stream from selling system access. Both can be highly lucrative (from some estimates on the latest discoveries, profit can be as much as $1.6 million annually) if done at scale.