WaterMiner Malware Author Can’t Keep His Mouth Shut on Social Media

Security News ThreatsCybercrime Uncategorized

A Russian-speaking malware author is currently busy spreading a Monero miner hidden inside gaming mods. The crook is using different usernames to spread the malware on forums for Russian-speaking users.

According to a Minerva Labs report shown to Bleeping Computer before publication, the malware is embedded inside a GTA V mod named Arbuz.

WaterMiner forum post

WaterMiner forum post

The mod contains a modified version of a legitimate Monero miner named XMRig, a tool popular with malware devs and recently found in two other mining malware campaigns, one detected by ESET and one by Radware (Codefork).

Someone tell 0pc0d3r what OpSec means

The malware distributed via the GTA V mod is named WaterMiner (Arbuz means watermelon in Russian) and the user behind it goes in most cases by the username of 0pc0d3r.

What makes this malware distribution campaign stand out is 0pc0d3r’s complete disregard for operational security (OpSec).

Minerva experts following the breadcrumbs left behind by this malware dev and feel confident they uncovered the malware author’s real-life identity — a young Russian man named Anton [redacted].

Minerva found Anton because 0pc0d3r is also the creator of other game mods, and even an auto-aiming bot to help players cheat. The user Anton [redacted] shared buy links to some of these files on his VK social media profile.

Anton on social media

When other users pointed out that he’s stealing and making money off 0pc0d3r’s tools, Anton was quick to reply that he is the tool’s author — 0pc0d3r.

Anton response

“From 0pc0d3r’s poor operational security (opsec), it is clear that we are not dealing with an experienced cybercriminal,” Minerva experts wrote in their report. “By following the activities associated with this alias, we discovered the possible identity of the person behind it.”

In hindsight, Anton’s OpSec is nowhere near as bad as DaddyL33T’s, a malware dev that used the same Skype ID to manage his botnet and apply for freelancing jobs.

WaterMiner — another copy-paste job, but a good one

As for the WaterMiner itself, researchers point out that this might be another case of a copy-pasting malware dev, similar to a campaign discovered by ESET late last month when a crook pieced together a basic Monero miner and made over $63,000 in a few months.

Evidence found in Anton’s malware suggests he might have also used some malware code previously shared on Pastebin.

Nonetheless, Omri Moyal, Co-Founder & VP of Research at Minerva Labs was impressed with WaterMiner, to some degree.

“The WaterMiner [malware] started without any environmental checks but rapidly (in two-three days) [the author] equipped the cryptominer with it to go undetected for longer periods,” Moyal told Bleeping in an email today.

Similarly, the malware also featured a solid registry-based persistence system, support for stoping all mining operations when users were debugging their systems via various apps, and even a to-do list with features Anton wanted to implement in the future.

Cryptocurrency mining is 2017 Q4’s biggest malware trend

All in all, Anton is just the latest arrival on the cryptocurrency mining malware scene that has been getting more crowded as we reach the end of the year.

This past Bleeping Computer article contains a list of this year’s major cryptocurrency mining malware campaigns, up to that point. Since that article, we’ve seen the rise of Coinhive and in-browser JavaScript Monero miners, and multiple other campaigns.

Just to name a few, security firm RedLock has recently observed crooks breaking into cloud servers and installing cryptocurrency miners, while security researcher Bart Parys has discovered a torrent file for Rick and Morty TV episodes that also spread a cryptocurrency miner.

“The current trend we are seeing is that there is a major increase in crypto mining malware in the past month or so,” Moyal told Bleeping.

“The current rate we were able to track is up to few hundreds new malicious cryptominers each day,” Moyal said. “I believe the media coverage this topic has been getting and the decrease in ransomware payout rates is the cause of what is pushing more malware authors to switch to cryptomining.”

Bleeping will update the article later today with a link to Minerva Labs’ WaterMiner report when it goes live. UPDATE: The report is live here.