Cryptocurrency miners were a “distraction technique” in APT’s spying campaigns, says Microsoft


Written by Joe Warminsky

Sometimes a sneaky Monero miner is more than just a sign of a scammer.

This summer’s cyber-espionage campaigns in France and Vietnam deployed cryptocurrency mining software on victims’ networks to help divert attention from the group’s spying tools, Microsoft says in a new report.

The company’s Threat Intelligence Unit blocked activity by an Advanced Persistent Threat (APT) group called Bismuth, more commonly known as APT32 or OceanLotus.

“Recent campaigns by nation-state actor BISMUTH exploit the low-priority alerts that coin miners cause to try to fly under the radar and establish persistence,” the researchers say in a report released Monday. In this case, the coin miners have collected Monero, a cryptocurrency with a reputation for being more difficult to track than other digital coins.

The hacker group – which other cybersecurity researchers have linked to the Vietnamese government – has developed new techniques for breaking into computers and hiding its activities. Trend Micro researchers last week reported an updated backdoor from the group targeting Apple laptops and desktops.

In this case, mining probably brought the group a few thousand dollars in cryptocurrency, but the real value lay in the distraction it provided.

“After implementing coin miners as a distraction technique, BISMUTH has focused much of its efforts on credential theft,” says Microsoft.

Vietnam-linked hackers are generally interested in high-value information from corporations, governments, educational institutions, and human and civil rights organizations, particularly in Southeast Asia and Vietnam itself. In this case, Microsoft states that “there were some commonalities between the Vietnam-based targets that Microsoft assessed to be related to their previous designation as a state-owned enterprise (SOE).”

That list includes “former SOEs previously operated by the government of Vietnam, entities that have acquired a significant portion of a former SOE, and entities that conduct transactions with a Vietnamese government agency,” Microsoft says. The French targets could be connected, given the long-standing ties between the two countries.

The spying campaigns took place in July and August, Microsoft says, and began with spearphishing emails that showed clear knowledge of the targets.

The emails were “tailored to a specific recipient per target organization and showed signs of prior reconnaissance. In some cases, the group even corresponded with the targets, building even more credibility to persuade the targets to open the attachment and start the infection chain,” the researchers say.

Once inside, the group used tooling familiar to cybersecurity researchers, including Cobalt Strike and the Mimikatz credential-theft tool, the researchers say.
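The report’s central point for defenders is that a coin-miner alert is low severity on its own but should not be triaged on its own: the same host may shortly afterwards show credential dumping or a Cobalt Strike beacon. The following Python snippet is an added illustration, not code from Microsoft or from the report; the alert records, category names and severities are constructed for the example.

```python
"""Escalate low-severity coin-miner alerts when a credential-theft or
C2-framework alert follows on the same host within a time window.

Added example with constructed data; alert categories and severities are
assumptions, not fields from any particular product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: (ISO timestamp, host, category, severity).
SAMPLE_ALERTS = [
    ("2020-07-14T02:10:00", "fin-ws-07", "coin_miner", "low"),
    ("2020-07-14T02:55:00", "fin-ws-07", "credential_dumping", "high"),
    ("2020-07-14T03:20:00", "fin-ws-07", "cobalt_strike_beacon", "high"),
    ("2020-07-15T11:00:00", "hr-ws-02", "coin_miner", "low"),
    ("2020-08-01T09:30:00", "dev-ws-11", "credential_dumping", "high"),
]

# Categories that, seen after a miner alert, suggest the miner was cover.
FOLLOW_ON = {"credential_dumping", "cobalt_strike_beacon"}
WINDOW = timedelta(hours=24)


def parse_alerts(rows):
    """Parse timestamps and return alerts sorted chronologically."""
    return sorted(
        ((datetime.fromisoformat(ts), host, cat, sev) for ts, host, cat, sev in rows),
        key=lambda r: r[0],
    )


def escalate_miner_alerts(rows, window=WINDOW):
    """Return {host: [follow-on categories]} for each host where a coin-miner
    alert is followed within `window` by a credential-theft or C2 alert.
    Hosts with only a miner alert, or only follow-on alerts, are not listed."""
    by_host = defaultdict(list)
    for ts, host, cat, _sev in parse_alerts(rows):
        by_host[host].append((ts, cat))

    escalations = {}
    for host, events in by_host.items():
        for i, (ts, cat) in enumerate(events):
            if cat != "coin_miner":
                continue
            later = [c for t, c in events[i + 1:] if c in FOLLOW_ON and t - ts <= window]
            if later:
                escalations[host] = later
                break  # one escalation per host is enough for triage
    return escalations


if __name__ == "__main__":
    for host, cats in escalate_miner_alerts(SAMPLE_ALERTS).items():
        print(f"{host}: coin-miner alert followed by {', '.join(cats)} -> raise to high")
```

With the constructed data only fin-ws-07 is escalated: hr-ws-02 has a miner alert with nothing after it, and dev-ws-11 has credential dumping with no preceding miner, which is already high severity and needs no re-rating. The window and the follow-on category list are the knobs a SOC would tune to its own alert taxonomy.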
