
Evolution of the crypto-mining botnet targeting Russian users for years

The boom in the cryptocurrency market naturally attracted the attention of many cybercriminals wanting to get their piece of the pie. To make money, they first created relatively simple trojans. These launched mining tools on infected computers and tried to conceal their presence in the system. Over time, the number of such threats grew, and they evolved. For instance, they began substituting the cryptocurrency wallet addresses copied into a clipboard.

However, by no means all crypto-mining trojans, or the cybercriminals behind them, managed to make a go of it. One of the most successful such malicious apps is a multi-functional miner, written in the AutoIt scripting language, that targets Russian users. By making constant improvements to the trojan and tinkering with how it was distributed, its author was able to build a botnet of thousands of infected computers, which ultimately netted him a profit of several million dollars. In our presentation, we will trace the evolution of this botnet and its infrastructure, study its distribution channels, and learn which countermeasures it uses to prevent infections from being cleaned up; we will also take a closer look at its ever-expanding functionality.

Mr. Ivan Korolev

Ivan Korolev joined Doctor Web in 2014 as a malware analyst and since 2019 has been working as the team leader of the botnet research team. He focuses on analyzing targeted attacks, botnets and emerging threats. In his spare time he likes to find vulnerabilities and participate in bug bounties.

Mr. Igor Zdobnov

Igor Zdobnov joined Doctor Web in 2002 as a malware analyst and since 2009 has been working as chief malware analyst. He leads various security projects inside the company, including threat intelligence, threat detection and prevention. He is passionate about malware analysis, reverse engineering and building machine learning malware detection systems.