Mal/Miner-C, also referred to as PhotoMiner, is a malware variant that has been infecting Internet-exposed Seagate Central Network Attached Storage (NAS) devices and using them to infect connected computers to mine for the Monero cryptocurrency.
Security company GuardiCore, found that Miner-C was created in early December 2015. At the start of June 2016, researchers found that the malware variant was targeting FTP servers and spreading on its own to new machines thanks to worm-like features that attempted to brute-force other FTP servers using a list of default credentials.
Sophos Group, a security software and hardware company, says that recent Miner-C iterations are using a design flaw in the Seagate Central NAS devices to place a copy of itself on their public data folders. NAS devices are network-connected hard drives, that allow users to access files from the local network, but also via the Internet if the administrator chooses to open the NAS drive for remote access.
Attila Marosi, senior threat researcher at Sophos, found that Miner-C is copying files to this public folder on all Seagate Central NAS devices it can find. One of the files it copies is called Photo.scr, a script file that malware coders have modified to use a standard Windows folder icon.
“There is a folder Photo and a file Photo.scr (sadly, most of the Windows machines file extensions are not displayed), and it also has a deceptive icon that is intended to look like a typical Windows folder icon.
Anyone could be easily misled to double click on the file and cause the program to begin execution on the machine.” wrote Marosi in a report.
The malware variant has mined an amount of Monero currency that equals to a total wealth of 76,599 EUR so far. Monero is an open source cryptocurrency created in April 2014 that is focused on privacy, decentralisation and scalability. Unlike many cryptocurrencies that are derivatives of Bitcoin, Monero is based on the CryptoNote protocol and possesses significant algorithmic differences relating to blockchain obfuscation.