The criminal group behind previous campaigns that have spread the VenusLocker ransomware have now switched their focus to delivering a Monero cryptocurrency miner instead.
The switch is not a surprise. Monero price has gone from $132 on November 21 to $457 today, December 21. That’s 3.4 times the price from a month ago.
In the past month, we’ve seen various cybercriminal campaigns switch their focus on delivering Monero miners —Zealot, Hexmen, Loapi, and this week’s massive brute-force attack wave that hit WordPress sites— and we expect to see more such attacks as Monero’s price continues to rise and gives attackers more reasons to hoard Monero.
Metadata links VenusLocker crew with current campaign
The malware distribution campaign originating from the VenusLocker crew only targets South Korean users, for the time being, according to Joie Silva, security researcher at Fortinet’s FortiGuard Labs.
Silva reported on a spam campaign that targeted users via a fake data breach alert for a South Korean online garment seller. The spam emails contained a file attachment, an archive hiding a malicious EXE file.
Hiding EXE files in archive files is nothing new, but this particular campaign stood out because the archive format was EGG, a proprietary file format popular in South Korea only. Most antivirus engines on VirusTotal are not able to decompress the EGG archive and spot the malware within.
The EXE installed XMRig, a legitimate Monero mining application, but pre-configured to mine funds for the VenusLocker crew.
Under normal circumstances, it’s very hard for security firms to identify when cyber-criminal operations switch malware payloads. This time, Silva says they were able to tie the Monero miner to past VenusLocker ransomware installers because the miner EXE had almost identical metadata and the same target paths as previous VenusLocker binaries.
VenusLocker ransomware was not a “success”
The group’s change of operations is not a surprise for Bleeping Computer. The Venus Locker ransomware was never at the center of mass distribution campaigns, and the ransomware never infected vast amounts of users in order to become profitable.
Overall, the ransomware was simplistic, being just another run-of-the-mill ransomware strain based on the Hidden Tear open-source ransomware kit.