Security researchers at Sophos have discovered a new way that cybercriminals are distributing malware that makes money by "borrowing”"your computer to mine cryptocurrency. A paper signed by Attila Marosi, Senior Threat Researcher at Sophos, investigates the Mal/Miner-C malware, which criminals are using to mine the cryptocurrency Monero, a bitcoin-inspired cryptocurrency.

In this paper, Marosi examines how Mal/Miner-C quietly infects victims' computers and communicates with host servers to run mining operations covertly in the background.

Alone, one computer may not make a big impact on cryptocurrency mining, but the criminals aim to infect as many computers as possible with their malware so they can reap the cumulative financial reward from hundreds of thousands of infected computers.

Marosi investigates how NAS devices, including many made by Seagate, are used as a distribution server for the Mal/Miner-C malware, and explores the criminals’ mining activities and how much money this racket is potentially worth to them.

Researchers from security vendor Sophos made the discovery when they investigated a malicious program dubbed Mal/Miner-C, which infects Windows computers and hijacks their CPUs and GPUs to generate Monero, a bitcoin-inspired cryptocurrency.

With most cryptocurrencies, users can generate new units by devoting their computing resources to solving complex math problems needed to validate transactions in the network. This process, known as "mining," provides an incentive for attackers to hijack other people's computers and use them for their own gain.

The Sophos researchers found that Mal/Miner-C does not have an automatic infection mechanism and instead relies on users to execute the malicious program. As such, it is distributed via downloads through compromised websites, but also through open FTP servers.

Attackers scan for FTP servers that are accessible from the internet and attempt to log in with default and weak credentials or with anonymous accounts. If successful, they verify that they have write access on the server and copy the malware in all of the available directories.

This explains why Sophos counted more than 1.7 million Mal/Miner-C detections over the past six months from about 3,000 systems. Most of the affected systems were FTP servers that hosted multiple copies of the malware in different directories.

The researchers used an internet scanning engine called Censys to identify public FTP servers that allow anonymous access with write privileges. They found 7,263 such servers and determined that 5,137 of them had been contaminated with Mal/Miner-C.

Another interesting discovery was that many of those FTP servers were running on Seagate Central NAS devices. While this malware threat does not specifically target such devices, it turns out that Seagate Central's configuration makes it easier for users to expose insecure FTP servers to the Internet.

By default, the Seagate Central NAS system provides a public folder for sharing data, the Sophos researchers said. This public folder cannot be disabled and if the device administrator enables remote access to the device, it will become accessible to anyone on the Internet, they said.