Attackers are using a nasty piece of malware to infect Seagate storage devices and then jump to the PCs connected to the NAS devices and use the machines to mine the Monero open source cryptocurrency.
Researchers at Sophos, taking an in-depth look at the Miner-C malware, discovered that it is infecting large numbers of NAS devices made by Seagate. The malware isn’t designed specifically to go after these devices, but the researchers believe that the majority of Seagate Central NAS drives online already are infected by Miner-C. Once on a NAS device, the malware will move to the associated PC and then set up shop to mine Monero.
Miner-C emerged earlier this year, the researchers said, and it spreads mainly by infecting FTP servers that use default usernames and passwords. The malware then looks for other FTP servers with default credentials and goes from there. This isn’t new behavior from malware, but the twist here is that Miner-C is infecting the Seagate drives by taking advantage of the presence of a default public folder on the devices. Users can’t delete the folder, and if they make it available for remote access, anyone can add data to it, the Sophos researchers said.
After the malware is on a Seagate Central device, it adds a folder called Photos to the drive, which contains a file called photos.scr. If a user runs the file, the Miner-C malware executes.
“Anyone could be easily misled to double click on the file and cause the program to begin execution on the machine. Turning off the remote access can prevent the infection, but also means we lose the ability to access the device remotely,” Attila Marosi, a senior threat researcher at Sophos, said in a report on Miner-C.
“This threat is not targeting the Seagate Central device specifically; however, the device has a design flaw that allows it to be compromised. Most all of these devices have already been infected by this threat.”
After the Miner-C malware infects the PC attached to the Seagate Central drive it begins mining Monero, a cryptocurrency that’s designed to be untraceable and private. Marosi looked at the number of crypto coins that have been added to the attacker’s wallet and found that the attacker has made a tidy sum thus far.
“In this case, using only one wallet address, the mining pool sent 4913,5 XMR crypto coins to the criminal’s wallet. At the moment of the HTTP request, the accumulated hash rate of the infected machines was 33,370 hashes per second. If we iterate all the wallet addresses and calculate the full power of the network, then add the money they have already mined, we get this: moneropool.com has paid 58,577 XMR to them. At the time of the calculation the exchange rate from XMT to EUR is 1.3 EUR,” Marosi said.