Analysis of T-Rex CoinMiner Attacks Targeting Internet Cafés in Korea

NetmanageIT OpenCTI - opencti.netmanageit.com



SUMMARY:

A series of attacks targeting Korean Internet cafés has been identified, focusing on systems with specific management software installed. The threat actor, active since 2022, uses Gh0st RAT for system control and ultimately installs T-Rex CoinMiner for cryptocurrency mining. The initial access method remains unknown. The attacks involve memory patching of the management software and the use of downloaders. The malware suite includes Gh0st RAT, its droppers, patchers, downloaders, and T-Rex CoinMiner. Unlike typical coin mining operations, which use XMRig to mine Monero, this actor employs T-Rex, likely because Internet café PCs have high-performance GPUs. The attacks have been ongoing since late 2024, prompting responses from management software manufacturers.

OPENCTI LABELS:

gh0st rat, cryptocurrency mining, phoenixminer, gpu mining, t-rex coinminer

