{"id":58378,"date":"2018-01-24T10:00:41","date_gmt":"2018-01-24T18:00:41","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=58378"},"modified":"2026-06-11T15:27:29","modified_gmt":"2026-06-11T22:27:29","slug":"threat-brief-malware-authors-mine-monero-across-globe-big-way","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2018\/01\/threat-brief-malware-authors-mine-monero-across-globe-big-way\/","title":{"rendered":"Threat Brief: Malware Authors Mine Monero Across the Globe in a Big Way"},"content":{"rendered":"<p>In October 2017, Palo Alto Networks Unit 42 published <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2017\/10\/threat-brief-drive-mining-adapting-old-attack-mine-cryptocurrencies\/\">research<\/a> showing how attackers were adapting attack techniques to generate cryptocurrency for themselves. In that research, we also showed how these attacks were very broad and grew very quickly.<\/p>\n<p>At the time, we said that the sudden, surging value of cryptocurrencies was likely behind the sudden, strong rise of these new attacks. 
We said that if cryptocurrency values remain high, we could expect attackers to continue focusing on ways to carry out attacks to gain cryptocurrency, and that those attacks would continue to adapt proven attack techniques.<\/p>\n<p>Unit 42 has just released new research showing that attackers are indeed continuing to adapt existing techniques to generate cryptocurrency. In our research posting \u201c<a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2018\/01\/unit42-large-scale-monero-cryptocurrency-mining-operation-using-xmrig\/\">Large Scale Monero Cryptocurrency Mining Operation using XMRig<\/a>\u201d, we detail a new malware campaign that is global in scale, very large in the likely number of victims, and uses well-established techniques to mine the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Monero_(cryptocurrency)\" rel=\"nofollow,noopener\" >Monero<\/a> cryptocurrency.<\/p>\n<p><div style=\"max-width:100%\" data-width=\"361\"><span class=\"ar-custom\" style=\"padding-bottom:26.04%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"alignnone size-full wp-image-58438 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2018\/01\/Monero_brief1.png\" alt=\"Monero_brief1\" width=\"361\" height=\"94\" \/><\/span><\/div><\/p>\n<p>Monero is a cryptocurrency similar to <a href=\"https:\/\/en.wikipedia.org\/wiki\/Bitcoin_mining\" rel=\"nofollow,noopener\" >bitcoin<\/a> but notable for its increased emphasis on providing a higher level of privacy around its transactions. 
Like bitcoin, Monero is generated through \u201c<a href=\"https:\/\/en.wikipedia.org\/wiki\/Bitcoin_mining\" rel=\"nofollow,noopener\" >mining<\/a>\u201d, a computationally intensive process that provides cryptocurrency credit in exchange for computing resources provided in service to the cryptocurrency and its transaction infrastructure.<\/p>\n<p>The operation that Unit 42 has recently uncovered works to deliver XMRig, software that is used to mine the Monero cryptocurrency, to victims\u2019 systems without their knowledge or consent. While XMRig isn\u2019t itself specifically malware, it\u2019s being delivered using malware-delivery techniques without the user\u2019s knowledge and consent, just like malware. The attackers are doing this by using URL shorteners to make XMRig look like other, legitimate, and expected programs. This is a method attackers have used for years to deliver malware, and they are using it now to get coinmining software onto people\u2019s systems illicitly.<\/p>\n<p>The attackers\u2019 use of URL shorteners enables our Unit 42 researchers to get an idea of the size, scope, and scale of this operation. All three are notable and sobering.<\/p>\n<p>First, this is a young campaign. Our research shows this operation to be only about four months old.<\/p>\n<p>Second, this is a very large campaign. Our researchers can show that about one-half of the samples we found have affected 15 million people worldwide. While we can\u2019t see how many people the other half of the samples affect, it\u2019s a reasonable supposition that the other half of the total samples affect just as many people as the half we can see. This would mean that this operation may affect about 30 million people worldwide.<\/p>\n<p>In terms of who\u2019s been affected by this operation, again, we can only see half of those who have been affected. But what we do see shows that this is a truly global operation. 
This operation affected countries around the globe, but it appears that Southeast Asia, northern Africa, and countries in South America were hit the most, as shown below.<\/p>\n<p><div style=\"max-width:100%\" data-width=\"600\"><span class=\"ar-custom\" style=\"padding-bottom:49.5%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter wp-image-58399 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2018\/01\/Monero-Brief-2.png\" alt=\"Monero Brief 2\" width=\"600\" height=\"297\" \/><\/span><\/div><\/p>\n<p style=\"text-align: center;\"><em>Malicious downloads by country<\/em><\/p>\n<p>The specific breakdown of countries affected and their download counts is as follows:<\/p>\n<ol>\n<li>Thailand \u2013 3,545,437<\/li>\n<li>Vietnam \u2013 1,830,065<\/li>\n<li>Egypt \u2013 1,132,863<\/li>\n<li>Indonesia \u2013 988,163<\/li>\n<li>Turkey \u2013 665,058<\/li>\n<li>Peru \u2013 646,985<\/li>\n<li>Algeria \u2013 614,870<\/li>\n<li>Brazil \u2013 550,053<\/li>\n<li>Philippines \u2013 406,294<\/li>\n<li>Venezuela \u2013 400,661<\/li>\n<\/ol>\n<p>Taking all those points together, this operation is very large and clearly very effective. It shows how attackers are aggressively focusing their operations and campaigns on generating and acquiring cryptocurrency.<\/p>\n<p>From a threat point of view, there are two things that are notable.<\/p>\n<p>First is the fact that, from an attack technique point of view, there is nothing new here. The tactics and techniques are not new or sophisticated.<\/p>\n<p>Second is the fact that this operation is clearly very successful based on its size, scope, and age.<\/p>\n<p>Looking at this latest operation on the continuum of evolving cryptocurrency-focused threats, it\u2019s clear that this is an early-stage threat given its lack of sophistication and reuse of established techniques and tactics. 
But given how quickly and broadly successful it is, combined with the continued high value of cryptocurrencies, we can also conclude that attackers will continue to focus on cryptocurrency and will likely evolve their techniques and tactics quickly. Cryptocurrency-focused threats are a key area that all defenders should focus their intelligence and prevention efforts around in 2018.<\/p>\n<p>Meanwhile, see our <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2018\/01\/unit42-large-scale-monero-cryptocurrency-mining-operation-using-xmrig\/\">full research blog<\/a> for full details on how attackers are distributing and using XMRig to generate Monero.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Read this Unit 42 Threat Brief to get an overview of how attackers continue to adapt existing techniques to generate cryptocurrency. <\/p>\n","protected":false},"author":287,"featured_media":25785,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[10737],"tags":[4734,4728,5239,5236],"coauthors":[3069],"class_list":["post-58378","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-threat-intelligence","tag-coin-mining","tag-cryptocurrency","tag-mining","tag-monero"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2017\/03\/Linkedin.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/58378","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/287"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonet
works.com\/blog\/wp-json\/wp\/v2\/comments?post=58378"}],"version-history":[{"count":3,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/58378\/revisions"}],"predecessor-version":[{"id":58720,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/58378\/revisions\/58720"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/25785"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=58378"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=58378"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=58378"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=58378"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}