Hackers Exploit Email Auto-Reply Vulnerability to Spread Crypto-Mining Malware


Cybersecurity researchers have uncovered a novel method being used by hackers to silently install crypto-mining malware on unsuspecting systems, using auto-reply emails to spread the malicious software. This stealthy tactic has been targeting companies, marketplaces, and financial institutions in Russia, with hackers looking to mine cryptocurrency, particularly Monero (XMR), by exploiting compromised email accounts.

How the Auto-Reply Vulnerability Works

The attack relies on auto-replies—automated responses from email accounts when the recipient is unavailable. These automated replies are typically used by businesses to acknowledge incoming emails, letting the sender know that the recipient is out of the office or temporarily unreachable.

Researchers from Facct, a threat intelligence firm, reported that hackers are using these auto-replies to distribute the XMRig miner (a tool used to mine Monero), which hijacks a victim’s system to mine cryptocurrency without their knowledge. The attack began targeting Russian entities from May 2024 onwards, and by the end of the month, researchers had identified 150 emails containing the malicious mining software. However, Facct’s business email protection system successfully blocked these malicious emails for their clients.

The Dangers of Auto-Reply Emails with Malware

What makes this attack method particularly dangerous is that victims initiate the communication. With typical mass phishing emails, recipients can choose to ignore messages that look suspicious. But with auto-replies, victims are already expecting a response from a trusted source, such as a colleague or business partner. This expectation lowers the likelihood of suspicion, making it easier for the attackers to deliver malware.

Dmitry Eremenko, senior analyst at Facct, explained that the automatic nature of these responses makes the malware delivery more subtle and effective. The compromised auto-reply email doesn’t have to be convincing because communication has already been established, and recipients are more likely to open attachments or follow links. As a result, the malicious file distribution often goes unnoticed.
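As an added defender-side example (not code from this article, its author, or F.A.C.C.T.), the Python triage routine below treats auto-replies as their own class of message, which is the point of the two sections above: an automatic response is expected by its recipient, so the gateway, not the user, has to ask whether it carries a payload. The code recognises auto-generated replies through the standard Auto-Submitted header (RFC 3834), the common X-Autoreply and Precedence headers, or an out-of-office subject line; this is an assumption about how such messages are marked, since the article does not describe the campaign's headers. It then quarantines any auto-reply that carries an attachment with a risky extension or a link in its body. All sample messages, addresses, filenames and URLs are constructed placeholders.

```python
"""Triage incoming auto-replies that carry attachments or links.

Added example for this article; not code from the article's author or
from F.A.C.C.T. Assumptions not stated in the article: auto-replies are
recognised via the RFC 3834 ``Auto-Submitted`` header, the common
``X-Autoreply`` / ``Precedence: auto_reply`` headers, or a typical
out-of-office subject line. All sample messages below are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions that a legitimate out-of-office notice has no reason to carry.
RISKY_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs",
                    ".lnk", ".iso", ".zip", ".rar", ".7z"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_auto_reply(msg):
    """Return True if the message marks itself as an automatic response."""
    auto_submitted = (msg.get("Auto-Submitted") or "").strip().lower()
    if auto_submitted and auto_submitted != "no":
        return True
    if msg.get("X-Autoreply") or msg.get("X-Autorespond"):
        return True
    if (msg.get("Precedence") or "").strip().lower() in {"auto_reply", "auto-reply"}:
        return True
    subject = (msg.get("Subject") or "").strip().lower()
    return subject.startswith(("automatic reply", "out of office", "autoreply"))


def risky_attachments(msg):
    """Filenames of attachments whose extension is on the risky list."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            names.append(name)
    return names


def links_in_body(msg):
    """Every URL found in the non-attachment text parts of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def triage(raw_message):
    """Classify one RFC 5322 message; auto-replies with payloads are quarantined.

    The verdict only reflects the auto-reply rule; messages that are not
    auto-replies still go through whatever other filtering the gateway has.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    if not is_auto_reply(msg):
        return {"auto_reply": False, "verdict": "pass", "attachments": [], "links": []}
    attachments = risky_attachments(msg)
    links = links_in_body(msg)
    verdict = "quarantine" if (attachments or links) else "pass"
    return {"auto_reply": True, "verdict": verdict,
            "attachments": attachments, "links": links}


def _build_sample(subject, body, auto_reply=True, attachment_name=None):
    """Construct a sample message (placeholder addresses and content)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = subject
    msg["In-Reply-To"] = "<original-message@example.com>"
    if auto_reply:
        msg["Auto-Submitted"] = "auto-replied"
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"constructed placeholder bytes, not a real file",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_string()


# Constructed samples: a harmless out-of-office notice, two auto-replies that
# carry a payload the way the article describes, and an ordinary reply.
SAMPLE_BENIGN = _build_sample("Automatic reply: Q3 numbers",
                              "I am out of the office until Monday.")
SAMPLE_ATTACHMENT = _build_sample("Automatic reply: Q3 numbers",
                                  "Please see the attached document.",
                                  attachment_name="invoice.zip")
SAMPLE_LINK = _build_sample("Automatic reply: Q3 numbers",
                            "The file is at https://example.invalid/update now.")
SAMPLE_NORMAL = _build_sample("Re: Q3 numbers",
                              "Numbers attached, thanks.", auto_reply=False)

if __name__ == "__main__":
    for label, raw in [("benign", SAMPLE_BENIGN), ("attachment", SAMPLE_ATTACHMENT),
                       ("link", SAMPLE_LINK), ("normal", SAMPLE_NORMAL)]:
        print(label, triage(raw))
```

The design choice is to key the rule on the message being an auto-reply rather than on the attachment alone: a plain out-of-office notice passes, while the same mailbox sending an archive or a download link in an automatic response is the pattern the article describes and gets held for review. The archive extensions are on the list because a compressed file is a common wrapper for an executable miner installer; tune the list to what your own auto-reply traffic legitimately contains.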

What is XMRig?

The XMRig software is an open-source Monero (XMR) cryptocurrency miner, widely used for mining operations. While XMRig itself is legitimate, hackers have exploited it for malicious purposes by integrating it into their attacks. The malware takes advantage of vulnerabilities in systems to install the miner and hijack resources for mining digital assets without the knowledge or consent of the system owner.

XMRig has been a popular tool for cybercriminals since at least 2020, with various malware campaigns leveraging it:

  • In June 2020, hackers deployed a malware strain called Lucifer, targeting outdated Windows systems to install XMRig.
  • Later, in August 2020, a malware botnet called FritzFrog infected millions of IP addresses, targeting a wide range of institutions—including government offices, banks, and educational organizations—to deploy XMRig.

In these attacks, XMRig mines Monero, a privacy-focused cryptocurrency, which is harder to trace than more mainstream cryptocurrencies like Bitcoin. This makes it particularly appealing for hackers looking to profit from unauthorized mining operations.

Key Recommendations for Protection

To protect against these types of attacks, Facct emphasized the importance of cybersecurity training for employees. Organizations should regularly educate staff about current threats and best practices for maintaining security.

Moreover, it’s crucial for companies to implement robust password policies and enable multifactor authentication (MFA). These measures help reduce the likelihood that attackers can gain unauthorized access to email systems and spread malware.

In a previous interview, ethical hacker Marwan Hachem also advised using separate communication devices to isolate work from personal activities. This creates an additional layer of protection by reducing the risk of cross-contamination between different systems.

Conclusion

The exploitation of email auto-replies for spreading crypto-mining malware underscores the need for vigilance in email security. As hackers continue to innovate their attack methods, businesses and individuals alike must stay proactive in safeguarding against these emerging threats. Using MFA, conducting regular security training, and maintaining updated systems can help reduce the risk of falling victim to these stealthy attacks.
