The malware in question mines Monero (XMR) and is reportedly a modified version of one used by the so-called “Rocke” group, originally discovered by cybersecurity firm Talos in August last year. According to the research, one of the first things that the malware does is check for other cryptocurrency mining processes and add firewall rules to block any other cryptojacking malware.
The virus reportedly also searches for cloud security services by Chinese internet giants Tencent and Alibaba and neutralizes them in an attempt to remain concealed. Ryan Olson, vice president for threat intelligence at Palo Alto Networks explained:
“This evolution indicates that attackers who are compromising hosts operating in cloud platforms are now attempting to evade security products that are specific to those platforms.”
The virus also reportedly takes advantage of known vulnerabilities in older versions of Apache Struts 2, Oracle WebLogic and Adobe ColdFusion to infect the systems. Still, keeping the software updated to the latest version prevents the attack, according to the report.
As CryptoNewspeople reported in December last year, cryptojacking malware activity rose by over 4000 percent in 2018, according to a new quarterly report published by cybersecurity firm McAfee Labs.
According to another report published the same month, 415,000 MikroTik routers had been affected by cryptojacking malware at that time, double the number of infected devices since last summer.