When it
comes to cybercrime one does not necessarily have to be good to be successful
as is being demonstrated by the cryptomining campaign Vivin.
Cisco Talos
first came across samples of Vivin’s activity in November 2019, but upon
further research found this mining activity had been ongoing since at least 2017.
The fact it remained under the industry’s radar for so long enabling its operators
to mine thousands of dollars’ worth of Monero is curious because Vivin exhibits
poor operational security.
“Vivin makes
a minimal effort to hide their actions, making poor operational security
decisions such as posting the same Monero wallet address found in our
observable samples on online forms and social media,” Talos
wrote, adding that organizations need to be aware of bottom feeders along with
more sophisticated operations as there is still money to be made mining cryptocurrency.
The threat
actor also makes the same mistake of many people when it comes to protecting
their security and reuses the same or similar usernames for a number of online
accounts, including services used in the execution chains of the cryptomining
malware.
The malware
used is a variant of XMRig which is set up to use up to 80 percent of the
victim’s processing power for mining.
The Vivin
crew infects computers by posing their cryptominer as pirated software hoping to
lure a victim looking to save a few bucks. It also spreads a very wide net giving
the notion that creator is more interested in hitting a volume, as opposed to,
a few more lucrative targets.
“Many of the
samples are packed as self-extracting RAR files which extract and install what
appears to be the actual software and covertly drop malicious files. The
pirated software from our observed sample run contains a second stage payload
that is written to AppDataLocalTemp as “setup.exe.” Upon
successful execution, the observed samples dropped both a JavaScript
(“setup.js”) and VBScript (“dllm.vbs”) file to the victim
host’s AppDataLocalTemp and WindowsStart MenuProgramsStartup folders,”
Talos said.
Despite Vivin’s
seemingly lackadaisical attitude in opsec, the creators due take some
precautions. Talos found a fair amount of obfuscation and evasion techniques
employed, including actually downloading some of the expected pirated software.
For persistence it sets Windows Scheduler to to create the job
“anydesk” to execute setup JavaScript every 30 minutes.
