In brief

  • A new update on an old Monero malware sees it stealing user credentials from victim computers.
  • The malware can also shut down other mining malware on infected computers and install its own.
  • Cryptojacking is a rising threat among both retail and enterprise computers.

Hackers have updated “Black-T,” a long-running Monero malware, to steal user credentials and take over any other illicit miners on a victim computer, according to a report by cybersecurity firm Unit 42. Such malware behavior was previously unseen.

Crypto malware typically infects computers and use the illicitly gained computing power to mine proof-of-work cryptocurrencies, such as Bitcoin but typically Monero, on behalf of the hackers. Such attacks—known as cryptojacking—are fairly common and are deployed across individual computing networks and whole enterprises.

But like everything in the computing world, there’s an update. Black-T can now find sensitive user information hosted on a victim computer and send it over to the hackers who may then use the illegally gained information for further attacks. These include, but are not limited to, passwords, online credentials, and bank account details.

Black-T uses a hacking tool called “Mimikatz” to scrape plaintext passwords from Windows OS systems, said the report. The tool also allows attackers to hijack user sessions, such as interrupting computer usage when a user is active. 

Seek and destroy...and install again

The credential theft update is not all. “Of these new techniques and tactics, most notable are the targeting and stopping of previously unknown cryptojacking worms,” said Unit 42 researcher Nathaniel Quist.

This means that if Black-T finds any computer already hosting a mining malware, it automatically attacks those files, disables the miners, and then in an almost non-benevolent fashion, installs its own cryptojacking program. 

Such a step allows a computer’s processing power to be fully used by Black-T (ensuring maximum gains for the hacker).

Another update on the cards

Quist said that the team behind Black-T may not be stopping with newer updates any time soon. “Unit 42 believes TeamTnT actors are planning on building more sophisticated cryptojacking features into their toolsets – specifically for identifying vulnerable systems within various cloud environments,” Quist noted.

Meanwhile, Unit 42 said protection against such attacks is relatively easy: Users must ensure no files with highly sensitive information are exposed to the internet and that threat software is fully updated and from a reputed brand.