January 15, 2020
It’s common knowledge that new cryptocurrency units come into existence through mining, a process of complex computation relying on CPU or GPU power. Unfortunately, this routine isn’t always done in an ethical way. Cybercriminals have masterminded numerous techniques to parasitize other people’s PCs and servers for generating coins surreptitiously.
The boom of rogue cryptomining (or cryptojacking) at the expense of unsuspecting users’ machines co-occurred with Bitcoin price reaching its peak in late 2017. Although the subsequent dramatic decline in its value brought many of these malicious campaigns to a halt, the predictions of the epidemic’s prompt end were premature.
New waves of cryptojacking have surfaced since the prices of popular cryptocurrencies started to gradually climb back up in 2019. To top it off, crooks are now utilizing novel techniques to masquerade their malware and monetize it. Their overhauled repertoire ranges from infecting airports and Docker hosts – to distributing booby-trapped WAV audio files and fake CMS plugins targeting different operating systems. Below are a few recent incidents that gave security analysts a heads-up.
Stealth Monero miner detected in an international airport’s systems
In mid-October 2019, researchers from security firm Cyberbit made an unsettling discovery when deploying their Endpoint Detection and Response solution in one of the European international airports. They found that more than half of the airport’s workstations were contaminated with a malicious variant of the XMRig Monero mining program. The infection had slipped below the radar of the antivirus tool running on the facility’s machines, but the behavioral analytics module built into the new protection software was able to identify the anomalous activity.
Although this malware lineage has been around for over a year, the experts realized they were dealing with its offshoot that underwent a number of tweaks to evade detection by traditional AV applications. Another new feature of the miner is that it uses PAExec, a tool based on Microsoft’s better-known PSExec service that allows threat actors to execute arbitrary processes on hosts remotely. The malicious operators leveraged this utility to gain a foothold within the network and run the harmful app with maximum privileges.
The malefactors also took advantage of the so-called Reflective DLL Injection technique to ensure fileless execution of the offending code, which means it runs entirely in memory and isn’t deposited onto the hard drives. This adds another layer of obfuscation to the attack. The original payload most likely arrived with a phishing email or drive-by download. The good news is that the malware impact was restricted to abusing the hosts’ CPU capacities to mine cryptocurrency and wasn’t aimed at disrupting the normal operation of the unnamed airport.
Unique cryptojacking worm targeting Docker hosts
For the record, Docker is a virtualization service used for hosting software and data in isolated repositories called containers. These frameworks are run by a single-engine and can have different configurations and structures while, technically, constituting the same software ecosystem.
Palo Alto Networks’ Unit 42 analysts recently came across an attack vector used to inject a cryptominer into thousands of vulnerable Docker containers.
This exploitation technique stands out from the crowd because the offending code dubbed Graboid has worm characteristics, which is a new thing in this segment of cybercrime.
The operators of this campaign identify unsecured Docker hosts by running a scan with Shodan or a similar search engine. Having accessed a target, they install and execute a malware-riddled Docker image. This entity mines for Monero cryptocurrency and reaches out to its Command & Control server once in a while to retrieve an updated list of other unprotected Docker services. The malware randomly selects the next victim and spreads itself to the new target via the Docker client utility that supports communication with other hosts.
Graboid behaves in a somewhat haphazard way. It pauses its cryptomining job on some compromised hosts while starting it on others. Therefore, each miner is up and running about 65% of the time, and the mining session lasts four minutes on average. This inconsistency allows malicious actors to hide the attack in plain sight. Another thing thwarting detection is that traditional security software doesn’t check for sketchy activity inside Docker containers.
Audio files carrying a cryptomining payload
Researchers at cybersecurity firm BlackBerry Cylance unearthed a highly evasive method of delivering cryptomining malware in October 2019. It uses benign-looking WAV files to spread a Monero miner without conspicuously raising any red flags.
The wicked architects of this campaign have found a way to pollute the data structure of regular audio tracks with the toxic payload. A victim may not notice any issues with the sound quality at all. Meanwhile, the embedded loader element decodes and launches a PE (Portable Executable) file in the background.
The resulting code is a variant of the XMRig Monero miner that siphons off the host’s CPU power. In many cases, the second-stage payload is a combo of the miner and penetration testing code called Metasploit. The latter can be used to access the compromised system remotely by establishing a reverse shell. Another serious concern is that such a mechanism of concealing harmful code inside any file format complicates detection as the underlying code manifests itself in memory only.
Trojanized WordPress plugin mining coins
Phony website plugins are nothing new. They are increasingly used for backdoor access to a compromised server, and in some cases, their purpose is to encrypt the materials on a site and hold them for ransom. Experts from Sucuri, a company providing website protection and monitoring services, have recently stumbled upon an all-new use case. They discovered a fake WordPress plugin that promotes a cryptominer codenamed Multios.
The malicious plugin is a copycat of “wpframework,” a WordPress component that hasn’t been updated for eight years. Although the original entity appears to be obsolete now in 2019, it is still being run on hundreds of sites based on the CMS in question. Therefore, numerous webmasters run the risk of unwittingly downloading the wrong variant of the plugin.
The perpetrators have added harmful functionality to the prototype, turning it into an instrument for unauthorized access to the admin dashboard. It additionally launches a Linux binary that sets cryptomining activity in motion. In light of this ongoing stratagem, the researchers recommend that WordPress site owners inspect their third-party plugins for suspicious activity.
Rogue cryptomining isn’t over. The cases above demonstrate that cybercriminals are evidently trying to think outside the box to get around the growingly effective detection techniques. The primary focus is on obfuscation of the malicious activity through the randomness of the mining process, fileless execution of the malware, and by masquerading the payloads as legit files.
Regardless of the tactics, all of these attacks share the same telltale sign of exploitation: sluggish system performance due to the high consumption of the processing power. This symptom continues to be the main giveaway, and therefore users should keep tabs on their CPU usage to identify the compromise at its early stage and stop it in its tracks.
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.