Cryptomining continues to gain traction: security researchers discovered an installer for a Monero miner (detected by Trend Micro as TROJ_COINMINER.JA and TROJ_COINMINER.JB) designed to send the mined cryptocurrency to Kim Il Sung University (KSU) in North Korea. Meanwhile, a Reddit user found a Monero miner on the BlackBerry mobile website, which is owned by TCL Communication Technology Holding.
Both the address of the Monero wallet and the password it uses were detailed in AlienVault's analysis, which also identified barjuok.ryongnamsan.edu.kp as the server the miner contacts. The use of this domain places the server at KSU.
When the installer for the KSU Monero miner is run, it copies a file named intelservice.exe to the system, a common behavior of cryptocurrency mining malware. Based on its code, it appears to be a piece of software called xmrig, a program associated with campaigns that exploited unpatched IIS servers to mine Monero. The security researchers noted that while the authors of the software appear to be based at KSU, this does not necessarily mean they are North Korean, since KSU is an open university with a number of foreign students and lecturers. In addition, the link to the university does not work, which means the installer cannot send mined coins back to its author.
Separately, a Reddit user posted about CoinHive cryptocurrency miner code found on BlackBerry's mobile website. The miner uses visitors' CPU processing power to mine Monero while they are on www.blackberrymobile.com. This global website is the only one affected by the miner.
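A defender-side check for the kind of injection described above, added here as an example and not code from the original article or from BlackBerry: it parses a page's script tags, flags the known CoinHive loader URL and constructor calls, and extracts the embedded site key. The indicator strings and the two sample pages are assumptions constructed for the example, not taken from the affected site.

```python
import re
from html.parser import HTMLParser

# Indicators for the public CoinHive browser miner (assumption: loader path and
# constructor names as the library exposed them; extend from your own intel).
SCRIPT_SRC_INDICATORS = ("coinhive.com/lib/", "coinhive.min.js")
INLINE_INDICATORS = (r"CoinHive\.Anonymous\s*\(", r"CoinHive\.User\s*\(")
SITE_KEY_RE = re.compile(r"CoinHive\.(?:Anonymous|User)\s*\(\s*['\"]([^'\"]+)['\"]")


class _ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and the full body of each inline <script>."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._buf, self._in_script = [], [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._buf, self._in_script = [], False


def find_miner_indicators(html: str) -> dict:
    """Return external miner loaders, suspicious inline scripts and any site keys."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    findings = {"external": [], "inline": [], "site_keys": []}
    for src in p.srcs:
        if any(ind in src.lower() for ind in SCRIPT_SRC_INDICATORS):
            findings["external"].append(src)
    for body in p.inline:
        if any(re.search(pat, body) for pat in INLINE_INDICATORS):
            findings["inline"].append(body.strip())
        # The site key is the first string argument to the miner constructor.
        findings["site_keys"].extend(m.group(1) for m in SITE_KEY_RE.finditer(body))
    return findings


# Constructed samples: one page with an injected miner, one clean page.
INJECTED_PAGE = """<html><head><title>Shop</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('EXAMPLE_SITE_KEY_0000', {throttle: 0.3});
miner.start();</script></head><body>Welcome</body></html>"""
CLEAN_PAGE = "<html><head><script src='/static/app.js'></script></head><body>Hi</body></html>"

if __name__ == "__main__":
    print(find_miner_indicators(INJECTED_PAGE))
    print(find_miner_indicators(CLEAN_PAGE))
```

Run it against a saved copy of a page (or the HTML fetched by a monitoring job) to alert on a miner that has been injected into a site's templates.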
CoinHive jumped in on the Reddit thread to apologize for the misuse of their service, and said that this specific user seems to have exploited a security issue in the Magento webshop software (and possibly others) and hacked a number of different sites. “We have terminated the account in question for violating our terms of service,” Coinhive added.