Incidents

Money from the cloud

Not so long ago we wrote (http://www.securelist.com/en/blog/208188132/Gold_rush) about cybercriminals using infected computers to generate virtual money via Bitcoin. A couple of days ago we discovered a malicious program called Trojan-Downloader.Win32.MQL5Miner.a which also uses the resources of infected computers, but this time to make money in MQL5 Cloud Network, a distributed computing network.

The MQL5 Cloud Network site

MetaQuotes is a developer of software for financial markets. Several weeks ago, information appeared on the net that the company was offering to pay users to participate in distributed computing. Apparently, this is what attracted malicious users to the new cloud service.

Google search results for the phrase: “MQL5 Cloud Network money”

There are grounds to believe that the malicious program spreads via email. Having infected a computer, the malicious program first determines if the operating system is 32-bit or 64-bit. It then downloads the appropriate version of the official software from MetaQuotes SoftWare. MQL5Miner then launches the service to participate in the cloud computing network. But the cybercriminals specify their own account data and receive the payments for any distributed computing operations that are performed on an infected machine.

A window from the legitimate MetaQuotes software

When it comes to making money, cybercriminals don’t miss a trick. That includes exploiting the resources of infected computers without their owners’ knowledge or consent.

We have notified MetaQuotes about the account being used by cybercriminals.

Money from the cloud

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox