According to the FortiGuard Labs team, an attack was observed targeting South Korea, which arrives via phishing emails using a variety of social engineering contexts. One variant pretends to be from a South Korean online garment seller who falsely claims that the recipient’s information from their website has been leaked due to a website hack. Another variant we found threatens that the recipient’s website is legally liable for images being abused without consent. It then recommends that the recipient open the attached file to check the images in question.
“And of course, the email explains that the (infected) attachment should be opened for more details and instructions,” said Joie Salvio, researcher at Fortinet, in an analysis. The attachment instead begins the process of infecting the target with Monero-mining malware.
Further analysis revealed that the mechanics of the payload matches the scheme used by VenusLocker in the past.
“To confirm this assumption, we had to take a closer look at the shortcut files’ metadata, and sure enough, we found a direct relation to the ransomware,” said Salvio. “Aside from the target paths, the shortcut files used during the VenusLocker ransomware period are practically identical to the ones being used in this campaign.”
It could be that this switch in focus from ransomware to crytocurrency mining is the start of a new trend for the coming year, thanks to cryptocurrency values being more enticing than ever. Monero, an open-source cryptocurrency created in April of 2014, was trading at around $400 at press time.
“With the security industry’s constant effort to combat ransomware, the ability for cyber-criminals to successfully encrypt user files should no longer be a cake walk,” said Salvio. “For instance, this past October, Microsoft added a Controlled folder access feature to Windows Defender Security for Windows 10 users to prevent malicious (or unexpected) alteration of important files. Features such as this can effectively thwart ransomware attacks. Which is probably part of the reason why the threat actors behind VenusLocker decided to switch targets.”