New Cryptojacking Threat Spreads Across Brazil

Cryptojacking malware is taking over ISP-grade MikroTik routers in Brazil. The problem could grow even further if users do not update their firmware.

New software that mines Monero (XMR) without the user’s permission has infected a large number of devices in Brazil, according to Simon Kenin, a cybersecurity researcher at Chicago-based Trustwave, who discovered and analyzed the threat. The malicious miner uses the popular CoinHive script and a vulnerability in MikroTik routers.

Unlike other viruses, this one targets routers instead of individual PCs, Kenin wrote. MikroTik, the company whose devices were targeted, patched the hole within a day of its discovery on April 23. However, many users have not updated to the latest version of the firmware and were targeted. It is hard to say how many routers are now vulnerable, but estimates go over 170,000 or even 200,000.

“[T]here are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens, if not hundreds, of users daily,” Kenin noted.

The threat has the potential to reach a global scale, presuming users do not update.

This is yet another malware case discovered by analysts since the beginning of August. Last week, research on ZombieBoy showed an example of a slightly different approach: targeting servers and using a different mining solution.

The Brazil-oriented virus uses CoinHive, a popular JavaScript miner for Monero (XMR). It even has an “ethical” version, which allows website administrators to ask their users whether they are fine with mining some coins while browsing. However, according to reports, it is not used as often as the malicious one.

Kenin has also criticised the new malware’s operators for being a bit too careless with their broad approach. Unlike them, the people behind SamSam were far more sophisticated and had a very deliberate way of choosing their targets.