A new version of the Black-T Monero stealth mining malware can steal sensitive user data and disable other cryptojacking programs.
According to a report from cybersecurity firm Unit 42, hackers have updated Black-T, a long-standing malware for stealthy Monero mining, which can now steal user credentials and disable any other mining software on the victim’s computer.
Black-T is now capable of detecting sensitive user information stored on a computer and sending it to the attackers, who can use it for further attacks. This data includes, for example, passwords and bank account details. Black-T uses a tool called Mimikatz to extract unencrypted passwords from Windows systems. The tool also lets attackers hijack user sessions, for example by interrupting the user's activity while they are logged in.
“Of these new Black-T techniques and tactics, the most notable is the detection and termination of previously unknown cryptojacking programs,” said Unit 42 researcher Nathaniel Quist.
If Black-T gets on a computer that already has mining malware installed, it automatically attacks those files, disables them, and then installs its own cryptojacking program. This allows Black-T to fully exploit the computing power of the computer, providing maximum benefit to the hacker. Quist said the Black-T team will likely keep rolling out updates.
“Unit 42 believes TeamTNT hackers are planning to incorporate more sophisticated cryptojacking functionality into their toolkits – especially for identifying vulnerable systems across various cloud infrastructures,” Quist said.
Hackers who distribute cryptojacking programs most often choose Monero for covert mining because of its anonymity. Last month, Tencent’s cybersecurity division discovered a new mining malware called MrbMiner, which infects Microsoft SQL servers to mine Monero.
In addition, in August, security researchers from Guardicore Labs announced the discovery of a new botnet, FritzFrog, that scans IP addresses and breaks into servers to mine Monero.