Old Miner, New Tricks
The FortiGuard Labs team has recently discovered a cluster of virtual private servers (VPS) used for Monero mining, which are associated with prior H2Miner campaigns documented in 2020. The identified samples have been updated with new configurations, highlighting the continued threat posed by this crypto mining botnet.
The H2Miner campaign has been active since late 2019 and has been linked to various attacks, including Log4j (CVE-2021-44228) campaigns in 2021, Openfire (CVE-2023-32315) attacks in 2023, and Apache ActiveMQ (CVE-2023-46604) attacks also in 2023. The campaign has been known to use various tools, including Kinsing malware, which is a remote access trojan (RAT) commonly used to deliver crypto miners in compromised environments.
A new variant of the Lcryx ransomware, called Lcrypt0rx, has also been identified as part of this campaign. This family of ransomware exhibits several unusual characteristics that suggest it may have been generated using AI.
The Curious Case of Lcryx Ransomware
Lcryx is a relatively new VBScript-based ransomware strain first observed in November 2024. The family exhibits several unusual characteristics, such as the use of large language models (LLMs), which suggest that it may have been generated using AI.
The Lcryx family's unusual characteristics include:
- Unusual coding patterns and structure
- Use of LLMs to generate ransomware payloads
- Attempted deployment of multiple malware tools, including stealers and RATs
- Failed attempts to exploit vulnerabilities in popular applications and services.
Impact and Mitigation
The H2Miner and Lcrypt0rx campaigns pose a significant threat to organizations, particularly those with cloud-based infrastructure. The campaign's use of Monero mining and the bundling of commercially available hack tools and infostealers expand its functionality beyond simple encryption.
Fortinet customers are protected from these threats through multiple layers of defense provided by the Fortinet Security Fabric and FortiGuard security services, including:
- FortiGuard Antivirus detects and blocks malicious VBScript loaders, PowerShell-based XMRig miners, shell scripts used by Kinsing, Trojans, and stealers
- FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard antivirus engine
- Lacework FortiCNAPP helps identify misconfigured cloud environments and runtime threats
- FortiGuard Content Disarm and Reconstruction (CDR) service removes embedded threats from weaponized scripts and files
- FortiGuard IP Reputation and Anti-Botnet Security Service blocks known malicious source IPs involved in mining operations, C2 activity, and dropper infrastructure.
Trends in Cybercrime
The commodification of cybercrime is a growing trend. With access to prebuilt tools, LLM-generated code, and cheap infrastructure, even low-skill actors can launch high-impact campaigns.
Fortinet offers free security awareness training through the NSE Training Institute to help strengthen organizational resilience against emerging threats like this campaign.
What You Can Do
If you believe your organization has been impacted by Lcrypt0rx or H2Miner, please contact the FortiGuard Incident Response Team. To stay informed of new and emerging threats, sign up for FortiGuard Threat Intelligence alerts.