Amazon Cloud Is Being Used To Harvest Cryptocurrency By Hackers

by Kyle Perisic

Hackers are using malware hosted on Amazon’s cloud service to harvest cryptocurrency, according to a security software company.

The malware campaign, called “Xbooster,” has infected Windows operating systems and has harvested about $100,000 worth of the cryptocurrency Monero, according to Krishna Narayanaswamy, founder and chief scientist of Netskope — a U.S. company that helps companies use secure software-as-a-service (SaaS), Quartz reported on Tuesday.

“The attack kill chain used Amazon Web Services (AWS) and pay-per-install… model modus operandi,” wrote Netskope’s Ashwin Vamshi in a blog post on May 4. “Since the attack kill chain uses both the cloud and web, it makes it hard to detect the full scope of an attack and perform complete remediation.”

The hackers have targeted Monero, rather than the popular cryptocurrency Bitcoin, because of its privacy, speed, and mining capabilities.

Monero provides an “anonymous network layer applying privacy techniques to every single transaction,” Vamshi wrote. It produces cryptocurrency blocks “at an average of every 2 minutes, and Bitcoin blocks are produced at an average of  every 10 minutes.” Monero also “provides an egalitarian mining process and also the feasibility of CPU mining and browser-based mining for generating coins yielding a profitable revenue to its users.”

Windows users are tricked into clicking on a drive-by download, which is an unintended download without the user’s consent or knowledge, that downloads a Monero miner and a manager that connects to the server which delivers the cryptocurrency.

Cryptocurrencies have been on the rise ever since Bitcoin launched in 2009. Today there are almost 1,600 cryptocurrencies, according to Netskope.

“There are always newer ways of compromising machines,” Narayanaswamy said. “It’s amazing how many machines these threat actors manage to infect.”

“AWS employs a number of mitigation techniques, both manual and automated, to prevent the misuse of the services,” an AWS spokesman said in a statement. “We have automatic systems in place that detect and block many attacks before they leave our infrastructure. Our terms of usage are clear and when we find misuse we take action quickly and shut it down.”

Content created by The Daily Caller News Foundation is available without charge to any eligible news publisher that can provide a large audience. For licensing opportunities of our original content, please contact licensing@dailycallernewsfoundation.org