DELL Secureworks has published an interesting report regarding a large-scale illegal dogecoin mining operation that has taken place since at least February of this year.
As early as February 8th of this year, computer users began to notice that their Synology Network Attached Storage (NAS) boxes were performing sluggishly and showing very high CPU usage. Investigations ensued and eventually a Facebook post, directed at Synology, was made. Ultimately, the excessive resource consumption was found to be caused by illegitimate software that had infected the systems, which, ironically, was stored in a folder labeled “PWNED”.
Synology is a Taiwanese company known for its NAS (network-attached storage) systems. These systems run a custom Linux-based operating system called DiskStation Manager (DSM), which is reported to have had four vulnerabilities that allowed attackers to gain administrative privileges on the devices.
These vulnerabilities were widely reported on over the web, and as that happened, the Internet Storm Center reported a rise in the number of connections to port 5000 — the default port Synology’s NAS devices listen on.
Analysis of samples from the aforementioned “PWNED” folder showed CPUMiner running behind the scenes:
This combination of parameters, coupled with the destination port (8332), screamed “Cryptocurrency”. Upon further investigation, we were proven correct in our assumption; we found that the malware was CPUMiner, compiled specifically for the Synology platform.
Further research revealed that the devices were mining dogecoin for this address: D9cDqmVjYXdeDjMtXSV7Z3LgiHvRZ12bPX, along with one other.
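The two observable signals the report describes (a CPUMiner process with pool and worker switches on its command line, and an outbound connection to port 8332) are exactly what an administrator can check for on a NAS. The script below is an added example, not code from the report or from Synology: it parses constructed `ps` and `netstat` style output (the sample lines, the pool hostname, the wallet string and the addresses are all made up here, using documentation address ranges) and flags processes whose binary name, switches, pool URL or install directory look like a miner, plus sockets whose remote port is 8332. The list of miner binary names and the `/@tmp/` directory check are assumptions meant to be extended for your own fleet.

```python
import re

# Constructed sample `ps -eo pid,user,args` output; not taken from the report.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
 1042 root     /usr/syno/sbin/synoscgi
 2231 admin    /volume1/@tmp/PWNED/minerd -a scrypt -o stratum+tcp://pool.example.invalid:8332 -u DHYPOTHETICALADDRESS -p x -t 4
 2400 admin    /usr/bin/python /volume1/homes/admin/backup.py
"""

# Constructed `netstat -tn` style output; IPs are RFC 5737 documentation ranges.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 192.0.2.10:47212       203.0.113.5:8332       ESTABLISHED
tcp        0      0 192.0.2.10:5000        198.51.100.7:51234     ESTABLISHED
"""

# CPU-miner binary names to match (assumption: illustrative list, extend as needed).
MINER_BINARY = re.compile(r"(?:^|/)(minerd|cpuminer|cgminer|bfgminer)$", re.I)
# Switches CPUMiner uses for algorithm, pool URL and worker credentials.
MINER_FLAGS = {"-a", "--algo", "-o", "--url", "-u", "--user", "-p", "--pass", "-O", "--userpass"}
# Remote port the report ties to the miner's traffic.
MINING_PORTS = {8332}
# Directories worth flagging on a NAS; "PWNED" is the folder named in the report.
SUSPICIOUS_DIRS = ("/PWNED/", "/@tmp/")


def parse_ps(text):
    """Return [(pid, user, argv_list)] from `ps -eo pid,user,args` output."""
    procs = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmd = parts
        procs.append((int(pid), user, cmd.split()))
    return procs


def process_indicators(argv):
    """Reasons a process looks like a covert miner; empty list means nothing noted."""
    reasons = []
    if not argv:
        return reasons
    exe = argv[0]
    if MINER_BINARY.search(exe):
        reasons.append("binary name matches a known CPU miner")
    flags = {a for a in argv[1:] if a.startswith("-")}
    if len(flags & MINER_FLAGS) >= 2:
        reasons.append("miner-style pool/worker switches present")
    if any(a.startswith("stratum+tcp://") for a in argv[1:]):
        reasons.append("stratum pool URL on command line")
    if any(d in exe for d in SUSPICIOUS_DIRS):
        reasons.append("executable lives in a suspicious directory")
    return reasons


def parse_netstat(text):
    """Return [(local, remote_ip, remote_port, state)] from `netstat -tn` output."""
    conns = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 6:
            continue
        remote_ip, remote_port = parts[4].rsplit(":", 1)
        conns.append((parts[3], remote_ip, int(remote_port), parts[5]))
    return conns


def connection_indicators(conns):
    """Connections whose *remote* port is a known mining port."""
    return [c for c in conns if c[2] in MINING_PORTS]


def find_mining_activity(ps_text, netstat_text):
    """Correlate process and socket evidence into one report dict."""
    flagged = {}
    for pid, user, argv in parse_ps(ps_text):
        reasons = process_indicators(argv)
        if reasons:
            flagged[pid] = {"user": user, "exe": argv[0], "reasons": reasons}
    return {
        "processes": flagged,
        "connections": connection_indicators(parse_netstat(netstat_text)),
    }


if __name__ == "__main__":
    report = find_mining_activity(SAMPLE_PS, SAMPLE_NETSTAT)
    for pid, info in report["processes"].items():
        print(f"PID {pid} ({info['user']}): {info['exe']}")
        for reason in info["reasons"]:
            print(f"  - {reason}")
    for local, ip, port, state in report["connections"]:
        print(f"outbound {local} -> {ip}:{port} ({state})")
```

Note that the second sample socket, an inbound session to the NAS's own port 5000, is deliberately not flagged: port 5000 is DSM's normal listening port, and the indicator the report gives is the *remote* port 8332 on an outbound connection, so the check keys on the foreign address only.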
In all, whoever was behind this attack managed to mine a whopping 500 million dogecoins, worth $620,494 USD between the two addresses used for the mining operation.
According to Secureworks, “this incident is the single most profitable, illegitimate mining operation,” despite the fact that it’s not the first we’ve heard of such a thing.
In fact, it’s relatively common. Scores of PCs out there are infected with mining programs running covertly — even mobile phones.
And while we don’t know very much about the person/people who perpetrated this illegal dogecoin-mining botnet, Secureworks suggests the party is of German descent.
Source/Images: DELL Secureworks