CyberWisdom Safe Harbor Commentary on Cryptojacking Mining Malware
High-profile data breaches and thefts cause most of the losses suffered by organizations in the cryptocurrency sector, but another, more insidious threat drains cryptocurrency at a slow and steady rate: malicious crypto-mining, also known as cryptojacking.
The program leverages end-user CPU/GPU processing capabilities through compromised sites, devices and servers. This type of malware is deployed by operators to make money on the backs of their victims. Beyond the significant performance degradation victims experience, mining can also cause a machine to consume large amounts of electricity and overheat to the point of failure, resulting in unexpected data loss that may be hard to recover. In one case in Russia, this overheating led to a full-out blaze.
Much of the code that has plagued users and organizations with illicit crypto-mining appears to have a common precursor: a code base called XMRig, which keeps spawning new descendants without any such intent on the part of its authors.
Cryptojacking Mining Malware: Code Reuse Problem
The malware world generates millions of different strains each year, yet many of them infect users with the same or very similar code. Code reuse is common because malware developers do not need to reinvent the wheel.
The most notorious example in the banking Trojan world is the Zeus v2 source code, which was leaked in 2011 and reused numerous times, either as-is or as variations targeting different destinations or geographies. Zeus Panda and Sphinx are examples of Zeus-derived code, but the same DNA is also found in Atmos and Citadel. Some of these components, especially the injection mechanism, have turned up in many other banking Trojans.
A similar code leak occurred in the mobile space when the GM Bot code leaked in 2016 and was subsequently reused. This source code fueled the rise of many other mobile Trojans, including Bankosy, Mazar and SlemBunk, among many others. Another source code, BankBot, also leaked in early 2017, spawning more adversaries and becoming a second precursor of mobile malware.
Looking at the cryptojacking arena, which started showing increased activity by mid-2017, one name keeps recurring: XMRig. Although not malicious in itself, the unrestricted availability of the code made it widely popular with malicious actors, who use it to illegally mine the Monero cryptocurrency.
Monero, which means “coin” in Esperanto, is a decentralized cryptocurrency developed from a fork of the ByteCoin blockchain. The project itself is open source and crowdfunded.
Unlike earlier cryptocurrencies, Monero, launched in 2014, offers easier mining and transaction traceability, and its value has risen over time. Its proof-of-work algorithm, CryptoNight, runs on ordinary computer or server CPUs, whereas Bitcoin mining requires relatively expensive GPU hardware.
These features appeal to new legitimate miners, but they are also attractive to cybercriminals who want to make money without investing much of their own resources. They resort to using malware, or simply repurposing XMRig, to mine Monero.
Cryptojacking Mining Malware: XMRig, the Malicious Monero Miner’s Choice
The Monero project does not endorse any specific tool, software or hardware for miners. While at least three other code bases are available, the popular choice for cybercriminals appears to be the open source XMRig code.
According to existing research on the malicious use of XMRig, black hat developers hardly change the original code at all. Observed modifications amounted to changes to hard-coded command-line parameters, namely the attacker’s wallet address and the pool URL, along with changes to several parameters that terminate all previously running XMRig instances to ensure that no one else benefits from the same hardware. This set of changes may take only a few minutes to complete.
Because it is an open source project, XMRig by default sends a 5% donation of the revenue earned from mining coins to the code author’s wallet address. Malicious iterations of XMRig delete that fragment so the attacker collects 100% of the loot.
RubyMiner and WaterMiner are examples of malware derived from the XMRig code that have appeared in recent attacks.
The numbers are surprising in terms of the scale of XMRig-based miner attacks. In January 2018, researchers identified 250 unique Windows-based executables used in just one XMRig-based campaign. The entire infection operation was served from a cloud storage platform with its own download area; the target mining pool was hidden using the XMRig proxy service; and the campaign was even linked to a cloud-hosted cryptocurrency mining marketplace that connects sellers and buyers of hashing power to maximize the attacker’s profits.
Fragile resource dilemma
Cryptojacking can happen on various types of devices, and millions of users have been infected in recent attacks. For the malware, the goal is to infect as many endpoints as possible, and an X-Force assessment of recent attacks shows that threat actors will try to lock in any target that offers free computing power. Beyond the more common endpoints and servers, cryptojacking has been observed on other types of devices as well.
Server exposure persists because many organizations still run obsolete, out-of-date systems and assets, making them easy to find, attack and infect. Worse, our researchers believe that older servers that have gone unpatched for some time are also less likely to be patched in the future, leaving them vulnerable to repeated reuse and infection. These attacks are spreading into organizations: a recent IBM X-Force report notes that network attacks involving cryptocurrency CPU miners have increased sixfold.
The industrial sector, known to be running outdated operating systems and software, is particularly vulnerable. In many cases, the internal infrastructure and operational networks of critical infrastructure may open the door to risk. Although data loss is a problem for any organization, in a factory it can lead to life-threatening conditions.
Find and destroy
The world of cryptojacking malware is rapidly evolving, and while XMRig variants may continue to appear, new code also threatens to emerge this year. Reducing the risks posed by known threats should be part of network health and security management practice. While malware hunting is often considered a nightmare, XMRig-based malicious code is easier to hunt because of its prevalence in the wild.
Because XMRig is open source and constantly being reused in attacks, security teams should consider controls that provide comprehensive protection and catch the different iterations of this code. For users running older servers and operating systems at higher risk of infection, security best practices call for minimizing exposure, implementing compensating controls, and planning timely upgrades to reduce risk.
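The post notes that malicious XMRig builds differ from the original mostly in a few hard-coded parameters (the pool URL and wallet address), a zeroed donation level, and logic that kills rival miners, and that this sameness makes XMRig-based code easier to hunt. The following is an added hunting example written for this commentary; it is not code from the original post, from IBM X-Force or from the XMRig project. It scores process command lines and an XMRig-style config.json against exactly those indicators. The option names (-o/--url, -u/--user, --donate-level) and the config keys (donate-level, pools) are XMRig's own; the Monero address pattern, the process lines, hostnames and wallet string are constructed sample data, and the "two or more indicators" threshold is an assumption you would tune to your environment.

```python
"""Hunt for XMRig-style miner indicators in process command lines and config files."""
import json
import re

# Heuristic only: Monero primary addresses are 95 base58 characters starting with '4',
# subaddresses start with '8'. Treat a match as a hunting signal, not proof.
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")

# Command-line indicators. -o/--url, -u/--user and --donate-level are XMRig options.
POOL_ARG = re.compile(r"(?:^|\s)(?:-o|--url)[=\s]+(\S+)")
USER_ARG = re.compile(r"(?:^|\s)(?:-u|--user)[=\s]+(\S+)")
DONATE_ZERO = re.compile(r"--donate-level[=\s]+0\b")
STRATUM = re.compile(r"stratum\+(?:tcp|ssl)://", re.IGNORECASE)
# Wrapper scripts that terminate competing miners before starting their own.
KILL_RIVALS = re.compile(r"(?:pkill\s+-f|killall)\s+\S*(?:xmrig|minerd|cpuminer)", re.IGNORECASE)


def cmdline_indicators(cmdline):
    """Return the list of miner indicators found in one process command line."""
    found = []
    if POOL_ARG.search(cmdline):
        found.append("pool-url-argument")
    if STRATUM.search(cmdline):
        found.append("stratum-scheme")
    user = USER_ARG.search(cmdline)
    if user and MONERO_ADDR.match(user.group(1).strip("'\"")):
        found.append("monero-wallet-as-user")
    if DONATE_ZERO.search(cmdline):
        found.append("donation-disabled")
    if KILL_RIVALS.search(cmdline):
        found.append("kills-rival-miners")
    return found


def config_indicators(config_text):
    """Return miner indicators found in an XMRig-style config.json; [] if not JSON."""
    try:
        cfg = json.loads(config_text)
    except ValueError:
        return []
    found = []
    if isinstance(cfg.get("donate-level"), int) and cfg["donate-level"] == 0:
        found.append("donation-disabled")
    for pool in cfg.get("pools", []):
        if pool.get("url"):
            found.append("pool-url-configured")
        if MONERO_ADDR.match(str(pool.get("user", ""))):
            found.append("monero-wallet-as-user")
    return found


def hunt(process_cmdlines, min_indicators=2):
    """Keep only command lines with at least `min_indicators` signals (assumed threshold)."""
    hits = []
    for line in process_cmdlines:
        indicators = cmdline_indicators(line)
        if len(indicators) >= min_indicators:
            hits.append((line, indicators))
    return hits


# Constructed sample data (not real telemetry): a 95-character base58 placeholder wallet.
WALLET = "4" + "AbC1" * 23 + "xy"
SAMPLE_PROCESSES = [
    # constructed: renamed miner with hard-coded pool, wallet and 0% donation
    f"/tmp/.x/kworkerds -o pool.example.invalid:3333 -u {WALLET} -p x --donate-level=0 -k",
    # constructed: benign backup job, should produce no indicators
    "/usr/bin/rsync -avz /srv/data backup.example.invalid:/srv/data",
    # constructed: wrapper that kills rival miners, then starts its own via stratum
    f"sh -c 'pkill -f xmrig; pkill -f minerd; /var/tmp/sysupdate "
    f"--url=stratum+tcp://pool.example.invalid:14444 --user={WALLET}'",
]
SAMPLE_CONFIG = json.dumps({
    "donate-level": 0,
    "pools": [{"url": "pool.example.invalid:3333", "user": WALLET, "pass": "x"}],
})

if __name__ == "__main__":
    for line, indicators in hunt(SAMPLE_PROCESSES):
        print("SUSPECT:", line[:60], indicators)
    print("config.json:", config_indicators(SAMPLE_CONFIG))
```

In practice the command lines would come from the host's process list or from EDR telemetry, and the config check would run over files found beside unexpected binaries in temporary directories; the indicators are deliberately independent so that a renamed binary still trips on its arguments and a stripped command line still trips on its config.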
Cryptocurrency is exploding all over the world, and so are attacks involving cryptocoins. From bitcoin to Ethereum and Monero, cybercriminals are stealing coins via phishing, malware and exchange platform compromises, causing tremendous losses to both consumers and businesses in the sector. High-profile data breaches and theft are responsible for the majority of losses to organizations in the cryptocurrency sector, but there is another, more insidious threat that drains cryptocurrency at a slow and steady rate: malicious crypto-mining, also known as cryptojacking. This scheme exploits end users’ CPU/GPU processing power through compromised websites, devices and servers. This type of malware is wielded by operators aiming to make money on the backs of their victims. Aside from the obvious performance degradation victims will experience, mining can cause machines to consume tons of electricity and overheat to the point of damage, causing unexpected data loss that may be hard to recover. In one case in Russia, this overheating resulted in a full-out blaze. Engaging post, Read More…
thumbnail courtesy of securityintelligence.com
If you would like to receive more of these curated safe harbor news alerts, subscribe to my mailing list, and come back soon to https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries.