The Mal/Miner-C malware, also going by the name of PhotoMiner, has been detected targeting Internet-exposed Seagate Central Network Attached Storage (NAS) devices and using them to infect connected PCs to mine for the cryptocurrency Monero.

The malware appeared for the first time at the beginning of June this year. At that time, it was revealed that Miner-C was hitting FTP servers and self-spreading to new machines relying on worm-like features, which were brute-forcing other FTP servers using a list of default credentials.

The latest version of PhotoMiner is also relying on this technique but, according to Sophos`s security researchers, it is also taking advantage of a design bug in the Seagate Central NAS devices and copies itself in their public data folders.

These NAS devices are network-connected hard drives, which allow users to access files from the local network. The files can be accessed via the Internet as well, if the admin opens the NAS drive for remote access.

Sophos`s team explains that the NAS devices have a public folder, which is available for everyone, even non-logged or anonymous users. The folder can`t be deleted or deactivated and that’s why Miner-C is copying files to it on every device it can find.

One of the files it copies in the public folder is named Photo.scr, a script file that hackers have modified to use a standard Windows folder icon. However, Windows doesn’t show the extensions of the files and, when the user accesses their NAS, they see the file as a folder, misled by the icon.

While users think that double-clicking on the folder will open it, they are actually executing the Photo.scr file, which, on the other hand, installs the cryptocurrency mining app on the computer.

Miner-C uses a unique method of loading its config file and also has a modular structure made of different parts, which are able to perform different actions.

“Since it generates a new initialization file when it is launched, it helps the malware avoid security solutions. It also gives the botnet operators a chance to change the payload of the threat in the future, for example, dropping ransomware to the victim’s machine after the mining business is no longer profitable” – the Sophos team explains in a technical report.

At this point, Monero is one of the most lucrative cryptocurrencies when it comes to mining activity. Bitcoin has become more and more difficult to mine over the years until 2012 when it wasn’t an option anymore. Right now, the only way to mine Bitcoin is to use dedicated data centers and special hardware.

While Bitcoin mining has come to an end, Monero is one of the very few cryptocurrencies left, which can be mined with a regular computer. What it why the cybercriminals chose it for their main target.

Miner-C accounts for 70% of all infections against Seagate Central NAS devices available on the Internet, Sophos researchers reveal. They were able to find approximately 7,000 Internet-connected Seagate Central NAS devices, meaning the hackers have managed to infect 5,000 of them.

Sophos experts even managed to estimate the profit crooks had gained, which amounted to around $86,400 (€76,600). This calculation was possible thanks to the fact all the accounts to which crooks collect Monero are stored in the malware’s config file. With this profit, Miner-C is responsible for 2.5% on the entire Monero mining activity.

The worse news is that NAS devices` owners aren’t able to prevent such attacks in any way. Of course, turning off the remote access would suffice, but in this way, they wouldn’t be able to access the device from a distant location and this is one of the main reasons they have bought this hard drive.