Researchers Discover Sophisticated Cloud-Based Mining Malware

Author: Jimmy Aki
Last Updated: 06 April 2020

Cybersecurity researchers are shedding light on Bitcoin and cryptocurrencies once more, as a new strain of malware that operates with Bitcoin miners has been found. In a report published earlier this month, cybersecurity firm Aqua Security confirmed that it has noticed a new and persistent malware campaign that targets thousands of Docker systems and runs a Bitcoin miner.

A Massive Target Count

The company's report confirmed that it has been recording attacks for months now, as the malware's operators have chosen to target several thousand victims in a day. The target rate has essentially surpassed what the firm has seen before, the post confirmed.

Going even deeper, the firm identified that the malware is a Golang-based Linux agent called Kinsing. It looks for misconfigurations in Docker API ports, then uses them to expand its operations. The malware also runs an Ubuntu container, which downloads it and tries to propagate it to as many hosts as possible. The objective of the campaign is to deploy a crypto miner on a computer, thus enriching its owners. It does this by exploiting the vulnerability in the Docker port, then operating while also evading detection.

Aqua's study also offered some insight into the malware's components, with the firm explaining that the campaign is a proper example of how cloud-native environments can be corrupted and taken advantage of. The firm pointed out that attackers are more sophisticated in their approach, and enterprise security teams will need to be more effective in developing threat mitigation strategies.

The firm provided a few pointers to security teams, including identifying all cloud-based resources that their clients use and grouping them into a logical structure. Authentication and authorization policies should also be properly reviewed, and basic security policies should be adjusted on a "least privilege" basis. Security teams can also look into logs to identify anomalous user actions and implement cloud security tools.

Vollgar: The Silent Crypto Mining Malware

Kinsing isn't the only sophisticated malware that's been making the rounds lately. Last week, Guardicore Labs announced that it had identified a new mining malware strain that has been operating for up to 2 years. In a blog post, the firm identified Vollgar, a threat actor that mines Vollar, a little-known altcoin.

The firm explained that the malware targets Windows machines that run MS-SQL servers, of which, by its estimate, only about 500,000 remain in the world. While these servers are scarce, they've become especially notable for the massive processing power they provide, as well as their ability to store valuable personal and financial information.

Guardicore Labs explained that once Vollgar infects a server, it kills off the processes of other threat actors entirely, then deploys multiple backdoors, crypto miners, and Remote Access Trojans. Attacks with the tool have come from over 120 IP addresses, although most appear to be localized in China. Guardicore also opined that most of these machines are themselves compromised and are being used to target more victims.
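The Docker API misconfiguration that Aqua describes Kinsing hunting for typically comes down to a daemon listening on a plain TCP socket with no TLS client verification. The following audit is an added example, not code from the article, Aqua Security or the Docker project; it reads a daemon.json (the documented dockerd keys hosts, tlsverify, tlscacert, tlscert and tlskey) and flags any non-loopback TCP listener that lacks TLS verification, using constructed sample configs.

```python
"""Audit a Docker daemon.json for an API socket exposed over unauthenticated TCP.

Added example, not from the article or from Docker. The keys used (hosts,
tlsverify, tlscacert, tlscert, tlskey) are standard dockerd options; the
sample configurations below are constructed for illustration.
"""
import json
from urllib.parse import urlparse

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_json(text: str) -> list[str]:
    """Return one finding per exposed listener; an empty list means no exposure."""
    cfg = json.loads(text)
    # TLS client verification only counts if tlsverify is on AND all material is set.
    tls_verified = bool(cfg.get("tlsverify")) and all(cfg.get(k) for k in TLS_KEYS)
    findings = []
    for host in cfg.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local and not reachable remotely
        addr = url.hostname or "0.0.0.0"  # tcp://:2375 means all interfaces
        if addr in LOOPBACK:
            continue  # loopback-only listener is not remotely reachable
        if not tls_verified:
            findings.append(
                f"{host}: Docker API reachable over TCP without TLS client "
                "verification (set tlsverify plus tlscacert/tlscert/tlskey, "
                "or bind to a unix socket)")
    return findings


# Constructed samples: the weak setting beside a corrected one.
WEAK_CONFIG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_CONFIG = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], '
    '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
    '"tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_json(cfg) or ["no exposed API socket"])
```

To audit a live host, pass the contents of /etc/docker/daemon.json; listeners configured via the dockerd -H flag in a systemd unit are not covered by this check.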