Cyber criminals targeting another cryptocurrency 'Primecoin' with malicious miners

Like Bitcoin, there are numerous other cryptocurrencies similar in nature, including MasterCoin, ProtoShares, Litecoin, Peercoin, BitBar and many more.

One of them is Primecoin (sign: Ψ; code: XPM), a peer-to-peer open source cryptocurrency that implements a scientific-computing proof-of-work system. Unlike Bitcoin or other virtual currencies, Primecoin's proof of work has intrinsic value: it generates a special form of prime number chains, known as Cunningham chains and bi-twin chains, which have real-world importance in mathematical research.

The widely used RSA encryption scheme uses two prime numbers to generate an RSA key pair. If you are able to factorize the public key and recover these primes, you can then derive the private key. Thus the whole security of RSA encryption rests on the length of the prime numbers. So Primecoin plays a great role for crypto researchers who need large primes, and a very large number of them.

Like other cryptocurrency miners, Primecoin miners are also available; in simple terms, they put your computer to work finding prime number chains and earn money for it.

After Bitcoin, the increasing public attention to other cryptocurrencies did not go unnoticed by cyber criminals, who have begun unleashing Primecoin-mining malware.

Mehrdad Yazdizadeh, a security researcher from antivirus firm Panda Security, told The Hacker News that he has found a few malicious Primecoin miners available for download on the Internet from some Chinese websites and torrents.

"Primecoin miners written in Python and other scripting languages are using a variety of methods to infect users' systems, i.e. brute-forcing, privilege escalation, modifying SQL tables," he said.

Those infected systems can be used as a botnet to perform further attacks. Another interesting feature of this malware is the ability to host an SQL server through xp_cmdshell of MSSQL.

"On execution, the malware will inject the SQL server into cmd.exe, svchost.exe, explorer.exe and similar processes to hide itself like a rootkit," he added.
Users affected by this malware will experience abnormally high CPU usage on their computers as a result of the infection.

Further analysis showed that the malware creates a process that calls “sqlservr.exe”, pointing to another file, “primecoin.conf”, which contains the credentials and the IP address of the malware's master for communication.

"Even if a user deletes sqlservr.exe or the conf folder, it will recover itself again and again. Also, the malware is capable of enabling the Windows Guest account automatically," he said.

He found thousands of login activities (mostly failed logins) on an infected machine via the Windows event log; it seems the malware is facilitating the attacker's brute-forcing of system user accounts for privilege escalation.
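One way a defender could surface the pattern Mehrdad describes (a burst of failed logons from one source, a later success from that same source, the Guest account being enabled, a password reset) from Windows Security event records, as an added Python example that is not from the article or from Panda Security; the event records, IP addresses and threshold are constructed for illustration:

```python
from collections import Counter

# Windows Security log event IDs relevant to the behaviour described above.
FAILED_LOGON = 4625      # An account failed to log on
LOGON_SUCCESS = 4624     # An account was successfully logged on
ACCOUNT_ENABLED = 4722   # A user account was enabled
PASSWORD_RESET = 4724    # An attempt was made to reset an account's password


def make_sample_events():
    """Constructed sample records (not data from the infected machine):
    a burst of failed logons from one source, a later success from the same
    source, the Guest account being enabled and a password-reset attempt."""
    events = [{"id": FAILED_LOGON, "ip": "203.0.113.7", "user": "Administrator"}
              for _ in range(30)]
    events += [
        {"id": FAILED_LOGON, "ip": "198.51.100.9", "user": "backup"},
        {"id": FAILED_LOGON, "ip": "198.51.100.9", "user": "backup"},
        {"id": LOGON_SUCCESS, "ip": "203.0.113.7", "user": "Administrator"},
        {"id": ACCOUNT_ENABLED, "ip": "-", "user": "Guest"},
        {"id": PASSWORD_RESET, "ip": "-", "user": "backup"},
    ]
    return events


def analyze(events, threshold=20):
    """Return the findings a responder would want to triage first."""
    failures = Counter()   # failed logons per source IP
    failed_pairs = set()   # (ip, user) pairs seen failing at least once
    findings = {"brute_force_sources": [], "success_after_failures": [],
                "accounts_enabled": [], "password_resets": []}
    for e in events:
        key = (e["ip"], e["user"])
        if e["id"] == FAILED_LOGON:
            failures[e["ip"]] += 1
            failed_pairs.add(key)
        elif e["id"] == LOGON_SUCCESS and key in failed_pairs:
            # A success following failures from the same source is the
            # signature of a brute force that eventually worked.
            findings["success_after_failures"].append(key)
        elif e["id"] == ACCOUNT_ENABLED:
            findings["accounts_enabled"].append(e["user"])
        elif e["id"] == PASSWORD_RESET:
            findings["password_resets"].append(e["user"])
    findings["brute_force_sources"] = [(ip, n) for ip, n in failures.most_common()
                                       if n >= threshold]
    return findings


if __name__ == "__main__":
    for name, value in analyze(make_sample_events()).items():
        print(name, value)
```

On a live host the same logic would be fed from the Security log (for example via `wevtutil` or `Get-WinEvent`) rather than the constructed list.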
He collected some of the attackers' IP addresses from which the brute-force attack was triggered.
"I saw an attempt was made to reset an account's password. It tried to download more malicious files from other servers," he said.

More features he noticed are:
  • Replicating itself through file systems
  • Killing the antivirus and security programs
According to the VirusTotal report, currently almost none of the antivirus products are able to detect it.

Update: Mehrdad informed us that Panda Antivirus is now able to detect this malware. Users are advised to keep their systems and networks behind the shield of a firewall and IPS/IDS, and to install 'Panda Cloud Cleaner' to remove this threat.
