The malware known as Mal or Miner-C (also spread as PhotoMiner) infects Seagate Central NAS devices, among other targets, and uses them to spread to other hosts. The miner then activates itself on the affected computers and uses the victim's processing power to mine the Monero cryptocurrency.
Miner-C Acts Against Seagate Central NAS Devices
At the start of June, experts reported the appearance of Miner-C, also known as PhotoMiner or simply Mal. It targeted FTP servers and spread to further computers via its worm-like capabilities. The malicious code employed dictionary attacks to infiltrate the servers. Now security experts have uncovered a new attack campaign with Miner-C that specifically targets NAS devices made by Seagate.
The malware apparently takes advantage of a design flaw in the Seagate Central NAS series to place a copy of itself on the public data share. The public folder is accessible to all users, including those who are not logged in, and the feature cannot be deactivated in the system configuration. One of the files that Miner-C copies is called Photo.scr, which is a script that the malicious developers have disguised with a standard Windows folder icon. When users access the folder, they run the malicious script, and the cryptocurrency mining software is installed as a consequence.
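For defenders, the following added example (not part of the original article) sweeps a mounted NAS public share for the kind of file described above: a .scr file, or a Windows executable hiding behind a non-executable extension. It assumes the share is mounted at a local path; the function names and the sample files are constructed for illustration.

```python
import os
import struct
import tempfile

# Extensions Windows runs on double-click; .scr is the one named in the article.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif"}

def is_pe(path):
    """Return True if the file has a DOS 'MZ' header pointing to a 'PE\\0\\0' signature."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            (pe_offset,) = struct.unpack_from("<I", head, 0x3C)
            f.seek(pe_offset)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False

def scan_share(root):
    """Walk a mounted share and return sorted (path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            pe = is_pe(path)
            if ext == ".scr":
                findings.append((path, "screensaver executable on share"))
            elif pe and ext not in EXECUTABLE_EXTS:
                findings.append((path, "PE file with non-executable extension"))
            elif pe:
                findings.append((path, "executable on public share"))
    return sorted(findings)

def build_sample_share():
    """Constructed sample data: a fake share with one minimal PE stub and one image."""
    root = tempfile.mkdtemp()
    stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    with open(os.path.join(root, "Photo.scr"), "wb") as f:
        f.write(stub)
    with open(os.path.join(root, "holiday.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\0" * 64)
    return root

if __name__ == "__main__":
    for path, reason in scan_share(build_sample_share()):
        print(f"{reason}: {path}")
```

Point `scan_share` at the mount point of the public folder and review every finding before deleting anything, since legitimate installers may also be stored there.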
The malware is modular by nature and uses a unique method of loading the configuration file. Upon launch, it generates a new initialization file, which avoids detection by ordinary heuristic scans. This strategy also gives botnet operators the ability to change the payload in future campaigns. The cryptocurrency miner is used for mining the Monero currency, which can be mined on ordinary computers.
So far around 5000 Seagate Central NAS appliances have been infected with the malware, which accounts for about 70% of all Internet-exposed devices of this type. Financial estimates suggest that the criminals may have made around 76 660 Euro.