Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

McAfee Labs Sees Criminals “Infect and Collect” in Cryptocurrency Mining Surge

Published by Gbaf News

Posted on June 28, 2018

10 min read

Last updated: January 21, 2026

Add as preferred source on Google

Lawmaker Kim Leadbeater discusses UK's assisted dying law changes - Global Banking & Finance Review — Image of Kim Leadbeater addressing the media about proposed changes to the UK's assisted dying law, emphasizing the removal of High Court judge sign-off to enhance the legislative process.

Cryptocurrency Mining and Cryptojacking Offer Cybercriminals Lower Risk, Higher Efficacy, Ease of Monetization of Efforts; Adding Passive Exploitation to Portolio of Ransomware Extortion, Data Breach Theft, and Fraud

NEWS HIGHLIGHTS

McAfee Labs sees coinminer malware grow 629% in Q1 2018
Lazarus cryptocurrency campaigns steal bitcoins from financial sector and users
Gold Dragon targets Winter Games to steal data using fileless techniques
GhostSecret campaigns target healthcare, finance, entertainment, and telecommunications
Gandcrab ransomware infects around 50,000 systems in first three weeks of Q1
Total new LNK malware grows 59% as enhanced PowerShell techniques proliferate

Dubai, United Arab Emirates –McAfee, the device-to-cloud cybersecurity company, today released its McAfee Labs Threats Report: June 2018, examining the growth and trends of new malware, ransomware, and other threats in Q1 2018. McAfee Labs saw on average five new threat samples every second, including growth in crypto jacking and other cryptocurrency mining malware, and notable campaigns demonstrating a deliberate drive to technically improve upon the most sophisticate established attacks of 2017.

“There were new revelations this quarter concerning complex nation-state cyber-attack campaigns targeting users and enterprise systems worldwide,” said Raj Samani, chief scientist at McAfee.“Bad actors demonstrated a remarkable level of technical agility and innovation in tools and tactics. Criminals continued to adopt cryptocurrency mining to easily monetize their criminal activity.”

Cybercriminals extended their operations in crypto jacking and other cryptocurrency mining schemes, where perpetrators hijack victims’ browsers or infect their systems to secretly use them to mine for legitimate cryptocurrencies such as Bitcoin. This category of coinminermalware grew a stunning 629% in the first quarter of 2018, rocketing from around 400,000 total known samples in Q4 2017 to more than 2.9 million the next quarter. This suggests that cybercriminals are continuing to warm to the prospect simply infecting users’ systems and collecting payments without having to rely on third parties to monetize their crimes.

“Cybercriminals will gravitate to criminal activity that maximizes their profit,” said Steve Grobman, chief technology officer at McAfee. “In recent quarters we have seen a shift to ransomware from data-theft, as ransomware is a more efficient crime. With the rise in value of cryptocurrencies , the market forces are driving criminals to crypto-jacking and the theft of cryptocurrency. Cybercrime is a business, and market forces will continue to shape where adversaries focus their efforts.”

Bitcoin-stealing campaigns

The Lazarus cybercrime ring launched a highly sophisticated Bitcoin-stealing phishing campaign—HaoBao—which targeted global financial organizations and Bitcoin users. When recipients open malicious email attachments, an implant would scan for Bitcoin activity and establishes an implant for persistent data gathering and crypto mining.

Raj Samani, chief scientist at McAfee

Raj Samani, chief scientist at McAfee

Gold Dragon: Attacks on South Korea

In January, McAfee Advanced Threat Research reported an attack targeting organizations involved in the Pyeongchang Winter Olympics in South Korea. The attack was executed via a malicious Microsoft Word attachment containing a hidden PowerShell implant script. The script was embedded within an image file and executed from a remote server. Dubbed Gold Dragon, the resulting fileless implant encrypted stolen data, sent the data to the attackers’ command and control servers, performed reconnaissance functions, and monitored anti-malware solutions to evade them.

Hidden Cobra: GhostSecret and Bankshot

Operation GhostSecret targeted the healthcare, finance, entertainment, and telecommunications sectors. Operation GhostSecret is believed to be associated with the international cybercrime group known as Hidden Cobra. The campaign, which employs a series of implants to appropriate data from infected systems, is also characterized by its ability to evade detection and throw forensic investigators off its trail. The latest Bankshot variation of GhostSecret uses an embedded Adobe Flash exploit to enable the execution of implants. It also incorporates elements of the Destover malware, which was used in the 2014 Sony Pictures attack, and the Proxysvc implant, a previously undocumented implant that has operated undetected since mid-2017.

Security Incidents by Industry

McAfee Labs counted 313 publicly disclosed security incidents in Q1 2018, a 41% increase over Q4. Incidents involving multiple sectors (37) and those targeting multiple regions (120) were the leading types of incidents in Q1.

Disclosed incidents in healthcare rose 47%. Cybercriminals continued to target the sector with the SAMSA ransomware, and there were numerous cases in which hospitals were compelled to pay the criminals.
Incidents of attacks on the education sector rose 40%, with ransomware being a notable culprit in attacks on schools and related institutions.
Disclosed incidents increased by 39%, which included continuous attacks on the SWIFT banking system. These attacks were not always region specific, as was the case in previous years, but McAfee identified activity in Russia, and related reconnaissance efforts in Turkey and South America.

Other Q1 2018 ThreatActivity

In Q1 2018, McAfee Labs recorded, on average, five new malware samples per second, including threats showing notable technical developments improving upon the latest successful technologies and tactics to outmaneuver their targets’ defenses.

From PowerShell to LNK. While PowerShell attacks slowed from its 2017 surge, cybercriminals saw increases in exploits of other benign technologies. The total count of malware that exploits LNK capabilities surged 59% over the previous quarter.
From Locky to Gandcrab. Although the growth in new ransomware slowed by 32% in Q1 2018, the Gandcrabstrain infected around 50,000 systems in the first three weeks of the quarter, supplanting Locky ransomware variants as the quarter’s ransomware leader. Gandcrab uses new criminal methodologies, such as transacting ransom payments through the Dash cryptocurrency rather than through Bitcoin.
The total number of malware samples grew 37% in the past four quarters to more than 734 million samples.
Mobile malware. Total known malware samples grew 42% in the past four quarters. Global infections of mobile devices fell by 2%; Africa reported the highest rate, at 15%.

Cryptocurrency Mining and Cryptojacking Offer Cybercriminals Lower Risk, Higher Efficacy, Ease of Monetization of Efforts; Adding Passive Exploitation to Portolio of Ransomware Extortion, Data Breach Theft, and Fraud

NEWS HIGHLIGHTS

McAfee Labs sees coinminer malware grow 629% in Q1 2018
Lazarus cryptocurrency campaigns steal bitcoins from financial sector and users
Gold Dragon targets Winter Games to steal data using fileless techniques
GhostSecret campaigns target healthcare, finance, entertainment, and telecommunications
Gandcrab ransomware infects around 50,000 systems in first three weeks of Q1
Total new LNK malware grows 59% as enhanced PowerShell techniques proliferate

Dubai, United Arab Emirates –McAfee, the device-to-cloud cybersecurity company, today released its McAfee Labs Threats Report: June 2018, examining the growth and trends of new malware, ransomware, and other threats in Q1 2018. McAfee Labs saw on average five new threat samples every second, including growth in crypto jacking and other cryptocurrency mining malware, and notable campaigns demonstrating a deliberate drive to technically improve upon the most sophisticate established attacks of 2017.

“There were new revelations this quarter concerning complex nation-state cyber-attack campaigns targeting users and enterprise systems worldwide,” said Raj Samani, chief scientist at McAfee.“Bad actors demonstrated a remarkable level of technical agility and innovation in tools and tactics. Criminals continued to adopt cryptocurrency mining to easily monetize their criminal activity.”

Cybercriminals extended their operations in crypto jacking and other cryptocurrency mining schemes, where perpetrators hijack victims’ browsers or infect their systems to secretly use them to mine for legitimate cryptocurrencies such as Bitcoin. This category of coinminermalware grew a stunning 629% in the first quarter of 2018, rocketing from around 400,000 total known samples in Q4 2017 to more than 2.9 million the next quarter. This suggests that cybercriminals are continuing to warm to the prospect simply infecting users’ systems and collecting payments without having to rely on third parties to monetize their crimes.

“Cybercriminals will gravitate to criminal activity that maximizes their profit,” said Steve Grobman, chief technology officer at McAfee. “In recent quarters we have seen a shift to ransomware from data-theft, as ransomware is a more efficient crime. With the rise in value of cryptocurrencies , the market forces are driving criminals to crypto-jacking and the theft of cryptocurrency. Cybercrime is a business, and market forces will continue to shape where adversaries focus their efforts.”

Bitcoin-stealing campaigns

The Lazarus cybercrime ring launched a highly sophisticated Bitcoin-stealing phishing campaign—HaoBao—which targeted global financial organizations and Bitcoin users. When recipients open malicious email attachments, an implant would scan for Bitcoin activity and establishes an implant for persistent data gathering and crypto mining.

Raj Samani, chief scientist at McAfee

Raj Samani, chief scientist at McAfee

Gold Dragon: Attacks on South Korea

In January, McAfee Advanced Threat Research reported an attack targeting organizations involved in the Pyeongchang Winter Olympics in South Korea. The attack was executed via a malicious Microsoft Word attachment containing a hidden PowerShell implant script. The script was embedded within an image file and executed from a remote server. Dubbed Gold Dragon, the resulting fileless implant encrypted stolen data, sent the data to the attackers’ command and control servers, performed reconnaissance functions, and monitored anti-malware solutions to evade them.

Hidden Cobra: GhostSecret and Bankshot

Operation GhostSecret targeted the healthcare, finance, entertainment, and telecommunications sectors. Operation GhostSecret is believed to be associated with the international cybercrime group known as Hidden Cobra. The campaign, which employs a series of implants to appropriate data from infected systems, is also characterized by its ability to evade detection and throw forensic investigators off its trail. The latest Bankshot variation of GhostSecret uses an embedded Adobe Flash exploit to enable the execution of implants. It also incorporates elements of the Destover malware, which was used in the 2014 Sony Pictures attack, and the Proxysvc implant, a previously undocumented implant that has operated undetected since mid-2017.

Security Incidents by Industry

McAfee Labs counted 313 publicly disclosed security incidents in Q1 2018, a 41% increase over Q4. Incidents involving multiple sectors (37) and those targeting multiple regions (120) were the leading types of incidents in Q1.

Disclosed incidents in healthcare rose 47%. Cybercriminals continued to target the sector with the SAMSA ransomware, and there were numerous cases in which hospitals were compelled to pay the criminals.
Incidents of attacks on the education sector rose 40%, with ransomware being a notable culprit in attacks on schools and related institutions.
Disclosed incidents increased by 39%, which included continuous attacks on the SWIFT banking system. These attacks were not always region specific, as was the case in previous years, but McAfee identified activity in Russia, and related reconnaissance efforts in Turkey and South America.

Other Q1 2018 ThreatActivity

In Q1 2018, McAfee Labs recorded, on average, five new malware samples per second, including threats showing notable technical developments improving upon the latest successful technologies and tactics to outmaneuver their targets’ defenses.

From PowerShell to LNK. While PowerShell attacks slowed from its 2017 surge, cybercriminals saw increases in exploits of other benign technologies. The total count of malware that exploits LNK capabilities surged 59% over the previous quarter.
From Locky to Gandcrab. Although the growth in new ransomware slowed by 32% in Q1 2018, the Gandcrabstrain infected around 50,000 systems in the first three weeks of the quarter, supplanting Locky ransomware variants as the quarter’s ransomware leader. Gandcrab uses new criminal methodologies, such as transacting ransom payments through the Dash cryptocurrency rather than through Bitcoin.
The total number of malware samples grew 37% in the past four quarters to more than 734 million samples.
Mobile malware. Total known malware samples grew 42% in the past four quarters. Global infections of mobile devices fell by 2%; Africa reported the highest rate, at 15%.