According to the Microsoft Threat Intelligence Center (MSTIC), cybercrime has also begun funding itself through the illegal mining of Monero (XMR).
The finding comes from a post published on Microsoft’s official security blog, which describes how a criminal organization such as BISMUTH, defined in July as a “nation-state actor”, began deploying Monero miners in both the private sector and government institutions, particularly in France and Vietnam.
BISMUTH has been conducting complex cyber-espionage attacks since 2012 and mainly targets large multinational corporations, governments, financial services, educational institutions and human and civil rights organizations.
Each installed miner had a different public address, and earned over a thousand dollars during the various attacks.
In fact, a miner’s earnings depend only on how much computing power it can use and for how long, so miners installed on powerful machines and left running long enough are sufficient to produce significant revenue.
Monero can also be mined with the CPUs of ordinary computers or servers, and there have been several attacks by criminal organizations aimed at installing software on compromised machines that uses their computing power to mine XMR.
In addition, the high level of privacy of Monero transactions makes it extremely difficult to track the movement of funds.
BISMUTH, Monero used for cybercrime
The ultimate objectives of this organization have remained the same, namely espionage and information theft, and the use of miners would be just another way to monetize the networks they have managed to compromise.
According to MSTIC, this use of Monero miners by BISMUTH is unexpected, but consistent with the group’s methods.
It may also reduce the group’s level of risk, because this type of attack is perceived as less alarming than those traditionally carried out by the organization.
These attacks usually begin with phishing or counterfeit e-mails or messages carrying malware, which is why Microsoft recommends:
- Implementing appropriate filters on e-mails,
- Disabling macros,
- Restricting servers from making arbitrary connections,
- Educating users to reduce the risk of similar attacks.
It must be said, however, that such attacks are rather difficult to defend against once a machine has been compromised. As long as compromised devices exist, attacks of this kind can be expected to continue, producing more or less significant revenue for cybercriminals.