Cyber gangsters are using crypto mining malware to attack thousands of PCs, in some cases co-opting advanced persistent threat (APT) techniques and tools never before seen in mining attacks. Their aim is to haul in cryptocurrency, with one crew tracked by Kaspersky Lab researchers grabbing $7 million by infecting thousands of PCs with miners.
Side note: Word surfaced over the weekend that 600 bitcoin mining computers had been stolen from data centers in Iceland, in what a local police commissioner described as a “grand theft on a scale unseen before.” Although 11 people have been arrested in four burglaries -- three of which took place last December and a fourth in January -- the computers, said to be worth $2 million, haven’t been located. The thieves could potentially increase their bounty if they use the computers as intended, to create new bitcoins, the Associated Press reported.
Back again: In September 2017, Kaspersky noticed the number of miners rapidly increasing and spreading globally. The security provider said it recently identified a cyber criminal outfit with APT techniques in their arsenal of tools to infect users with miners. They have been using process-hollowing usually seen in targeted malware attacks of APT bad actors but not previously observed in mining attacks, Kaspersky said.
What Is Process Hollowing?
Process hollowing is a technique used by hackers to skirt defenses and avoid detection, in which a legitimate process is started on a system solely to act as a receptacle for malicious code: its original code is unmapped and replaced in memory while the process keeps its legitimate name and on-disk path. Because the miner operates disguised as a legitimate task, it is impossible for a user to detect a mining infection and difficult for security solutions to identify the threat.
Despite the variability of the cryptocurrency market, last year’s spike in bitcoin value, which ballooned more than 20 times to about $20,000, showed its potential to affect global economics. By Kaspersky’s measure, some 2.7 million users were attacked by malicious miners in 2017, roughly 50 percent higher than the 1.9 million hit in 2016. Cyber criminals used adware, cracked games and pirated software to quietly infect their victims’ PCs. The most widely used web miner was CoinHive, which Kaspersky discovered on a large number of popular websites.
Here’s how the attack works:
- The victim downloads and installs ad software with the miner installer hidden inside.
- The installer drops a legitimate Windows utility, with the main purpose of downloading the miner itself from a remote server.
- A legitimate system process starts and the legitimate code of this process is changed to malicious code.
- The miner operates under the guise of a legitimate task making it impossible for a user to recognize if there is a mining infection and challenging for security solutions to detect the threat.
- If the user tries to stop the process, the computer system will reboot, enabling hackers to remain in the system for a longer and more productive time.
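The steps above describe what the infection looks like from the attacker's side; from the defender's side, the same chain leaves a few measurable traces: a system binary whose executable memory is no longer backed by the file it was created from, private read-write-execute memory, a system-directory image launched by an installer rather than by the usual service host, and sustained CPU use from a process that normally idles. The following Python snippet is an added example written for this article, not Kaspersky's detection logic or any product's code. It scores constructed process snapshots against those four indicators; the dataclasses, the allow-list of expected parents, the 80 percent CPU threshold and both sample snapshots are assumptions, and in practice the snapshots would be populated from EDR or memory-forensics telemetry rather than built by hand.

```python
"""Heuristic detection of process-hollowing style miner activity.

Added example for this article (not Kaspersky's code). All telemetry below
is constructed; a real deployment would feed snapshots from an EDR agent
or a memory-forensics tool such as a Volatility-style plugin.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class MemoryRegion:
    base: int
    size: int
    protection: str             # simplified: "R", "RW", "RX" or "RWX"
    mapped_file: Optional[str]  # backing file on disk, None = private memory


@dataclass
class ProcessSnapshot:
    pid: int
    image_path: str             # path recorded at process creation
    parent_image: str
    cpu_percent: float          # average CPU over the sampling window
    regions: List[MemoryRegion]


SYSTEM_DIR = "c:\\windows\\system32\\"
# Constructed allow-list: parents that normally launch system32 binaries.
EXPECTED_SYSTEM_PARENTS = {
    SYSTEM_DIR + "services.exe",
    SYSTEM_DIR + "svchost.exe",
    SYSTEM_DIR + "wininit.exe",
    "c:\\windows\\explorer.exe",
}
CPU_THRESHOLD = 80.0  # assumed threshold for "sustained high CPU"


def _norm(path: str) -> str:
    return path.lower()


def find_indicators(p: ProcessSnapshot) -> List[str]:
    """Return the list of hollowing/miner indicators present in a snapshot."""
    found: List[str] = []
    image = _norm(p.image_path)
    exec_regions = [r for r in p.regions if "X" in r.protection]

    # 1. Hollowing signature: executable memory exists, but none of it is
    #    backed by the image the process was created from.
    backed_by_image = any(
        r.mapped_file is not None and _norm(r.mapped_file) == image
        for r in exec_regions
    )
    if exec_regions and not backed_by_image:
        found.append("main-image-unbacked")

    # 2. Private (file-less) memory that is both writable and executable.
    if any(r.mapped_file is None and r.protection == "RWX" for r in p.regions):
        found.append("private-rwx-region")

    # 3. A system32 binary launched by an unexpected parent (e.g. an installer).
    if image.startswith(SYSTEM_DIR) and _norm(p.parent_image) not in EXPECTED_SYSTEM_PARENTS:
        found.append("unexpected-parent")

    # 4. Sustained high CPU from a binary that normally idles.
    if image.startswith(SYSTEM_DIR) and p.cpu_percent >= CPU_THRESHOLD:
        found.append("sustained-high-cpu")

    return found


def is_suspected_hollowed_miner(p: ProcessSnapshot) -> bool:
    """Flag only when the hollowing signature is corroborated by a second indicator."""
    inds = find_indicators(p)
    return "main-image-unbacked" in inds and len(inds) >= 2


# Constructed sample snapshots (not real telemetry).
BENIGN = ProcessSnapshot(
    pid=1204,
    image_path=SYSTEM_DIR + "svchost.exe",
    parent_image=SYSTEM_DIR + "services.exe",
    cpu_percent=1.5,
    regions=[
        MemoryRegion(0x7FF600000000, 0x40000, "RX", SYSTEM_DIR + "svchost.exe"),
        MemoryRegion(0x1A0000, 0x10000, "RW", None),
    ],
)

HOLLOWED = ProcessSnapshot(
    pid=4412,
    image_path=SYSTEM_DIR + "svchost.exe",
    parent_image="c:\\users\\victim\\appdata\\local\\temp\\adware_setup.exe",
    cpu_percent=97.0,
    regions=[
        MemoryRegion(0x400000, 0x200000, "RWX", None),  # replaced image, no file backing
        MemoryRegion(0x1A0000, 0x10000, "RW", None),
    ],
)

if __name__ == "__main__":
    for snap in (BENIGN, HOLLOWED):
        print(snap.pid, snap.image_path, find_indicators(snap), is_suspected_hollowed_miner(snap))
```

The scoring deliberately requires the unbacked-image indicator plus at least one corroborating signal before flagging, because private RWX memory and busy system processes both occur legitimately (JIT runtimes, indexing, updates); the unbacked main image is the one trait that a hollowed process cannot avoid, which is why memory-backed-file comparison, not process name or path, is the check worth running.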
“We see that ransomware is fading into the background, giving way to miners,” said Anton Ivanov, Kaspersky’s lead malware analyst. “This is confirmed by our statistics, which show a steady growth of miners throughout the year, as well as by the fact that cybercriminal groups are actively developing their methods and have already started to use more sophisticated techniques to spread mining software. We have already seen such an evolution – ransomware hackers were using the same tricks when they were on the rise.”
How to Avoid Crypto Mining Malware Attacks
Kaspersky has offered some recommendations for users and organizations to stay protected. Here’s what users should do:
- Don’t click on unknown websites, or suspicious banners and ads.
- Don’t download and open unknown files from untrusted sources.
- Install a reliable security solution that detects and protects from all possible threats, including malicious mining software.
And, here’s what organizations should do:
- Carry out a security audit on a regular basis.
- Install a reliable security solution on all workstations as well as servers, and make sure all components are enabled to ensure maximum protection.
Kaspersky intends to present its full findings on crypto mining and cryptocurrency threats at the Security Analyst Summit on March 9, 2018, in Mexico.
Meanwhile, Kaspersky has appointed Maxim Frolov, a 20-year IT veteran, as vice president of global sales, effective immediately. Frolov previously served for two years as Kaspersky’s managing director for the Middle East, Turkey and Africa region. In his new job, Maxim is charged with overseeing sales across consumer, digital, SMB, enterprise and xSP products and services. He reports directly to Alexander Moiseev, Kaspersky’s chief business officer.