Delaware, USA – May 23, 2018 – More than 300,000 computers became victims of the new cryptocurrency miner. Researchers from 360 Total Security recently discovered malware they named CurlSoftwareBundlerMiner: https://blog.360totalsecurity.com/en/
For now, this cryptocurrency miner is actively distributed bundled with freeware tools and key generators. It uses open source utilities wget.exe and cURL.exe to attack systems running Microsoft Windows. After getting into the system, the installer downloads a legitimate cURL utility and creates the scheduled task for it with specific parameters to download malware disguised as cURL. Malware is also added to scheduled tasks. After execution, it downloads and installs the browser and changes browser homepage. Then it downloads cryptocurrency mining component, which is signed with a digital signature to deceive antivirus solutions and is masked as a system process svchost.exe. CurlSoftwareBundlerMiner, like many other successful coinminers, targeted systems to mine Monero. It is not known how much this malware has brought revenue to its authors, and the campaign is still ongoing.
The installation of untrusted software on corporate systems can also lead to data leaks and ransomware attacks. To detect events related to antivirus disabling or crashing, you can use Sysmon Framework for ArcSight. Also, you can spot CurlSoftwareBundlerMiner traces with File Hash Analytics use case, which helps SIEM discover malware executables and pinpoint them to assets.