Tuesday, April 30, 2024

Cryptojackers and hackers

Microsoft’s antivirus software is flagging over half a million infections per month.

What qualifies as nightmare news for many cryptocurrency owners—prices of most major tokens taking another dive into the gutter—seems to not be that big a problem for cybercriminals who hijack hardware resources to mine it on someone else’s dime.

The Microsoft 365 Defender research team recently reported that cryptojacking malware not only remains in widespread use, but is rapidly evolving.

While the number of cryptojacking malware detections seen by Microsoft has dipped significantly since April, Microsoft researchers wrote in a blog post that the company’s antivirus software continues to flag over half a million infections per month. At the same time, they added, the infections are getting more technically complex—often leveraging “living off the land” binaries (LOLBins), which are legitimate, developer-signed binaries with functions that can be abused by cybercriminals. LOLBins are typically difficult for antivirus tools to detect, as it’s not always easy to discern whether a given use of a binary is malicious or legitimate.

Cryptojackers are malware with one purpose: taking over an infected machine and stealing its computational resources to generate tokens like Bitcoin or Monero for their originator. Many cryptojacking cybercriminals target big fish like virtual machines connected to huge server farms, but another lucrative route is to go wide and infect tons of individual devices.

This type of attack typically relies on one of three methods: executables, browser-based scripts, or fileless methods that inject themselves into device memory and use tools like LOLBins, according to Microsoft. The first two are relatively easy to detect, but fileless methods are not, and catching them usually requires that antivirus tools determine whether a hardware resource is being driven in a suspicious manner rather than looking for a file on disk. Many of these detection approaches use machine learning to help identify suspicious activity.

Microsoft Defender relies on Intel Threat Detection Technology (TDT) to detect patterns in CPU usage associated with crypto mining, flagging anomalies for blocking on the software level.

“Through its various sensors and advanced detection methodologies, including its integration with Intel TDT, Microsoft Defender Antivirus sees cryptojackers that take advantage of legitimate system binaries on more than 200,000 devices daily,” the Microsoft research team wrote in the August blog post.

The most common binary that was misused was Notepad, the ubiquitous text editor that has shipped with every Microsoft operating system released since 1983. It accounted for 85% of the detections, followed by Explorer and addinutil.exe at 7% each and other binaries at just 1%. One of the Notepad-abusing tools, which the researchers said contained a cryptojacker named Mehcrypt, is distributed as an archive containing autoit.exe and an .au3 file, the AutoIt format for storing scripts. When unpacked, the executable runs, deletes the original archive and copies its contents to another drive. It then gets to work raising CPU utilization as high as it can, the Defender team wrote:

After adding persistence mechanisms, the script then loads malicious code into VBC.exe via process hollowing and connects to a C2 server to listen for commands. Based on the C2 response, the script loads its cryptojacking code into notepad.exe, likewise via process hollowing.

At this point, as the threat starts its cryptojacking operation via malicious code injected into notepad.exe, a huge jump in CPU usage can be observed.
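The sustained CPU jump from a hollowed notepad.exe is the signal a defender can actually alert on. The following is an added example, not Microsoft's or Intel TDT's detection logic: a small Python heuristic over constructed process telemetry that flags the LOLBins named above when they pin the CPU across consecutive samples, with an outbound connection recorded as corroboration. The sample data, thresholds and the find_suspect_lolbins function are all assumptions made for this illustration.

```python
from collections import defaultdict

# Binaries the Microsoft post names as the most-abused hosts for injected mining code.
WATCHED_LOLBINS = {"notepad.exe", "explorer.exe", "addinutil.exe"}

# Constructed process telemetry: (timestamp_s, pid, image, cpu_percent, outbound_conn).
# pid 4100 is a benign idle Notepad; pid 5200 models a hollowed one that pins a core
# and talks to a remote host; chrome.exe is busy but is not a watched binary.
SAMPLES = [
    (0, 4100, "notepad.exe", 0.4, False),
    (0, 5200, "notepad.exe", 1.2, False),
    (0, 6300, "chrome.exe", 88.0, True),
    (10, 4100, "notepad.exe", 0.3, False),
    (10, 5200, "notepad.exe", 96.5, True),
    (10, 6300, "chrome.exe", 90.0, True),
    (20, 4100, "notepad.exe", 0.2, False),
    (20, 5200, "notepad.exe", 97.1, True),
    (20, 6300, "chrome.exe", 85.0, True),
    (30, 5200, "notepad.exe", 98.0, True),
]


def find_suspect_lolbins(samples, cpu_threshold=80.0, min_consecutive=3):
    """Return {pid: [reasons]} for watched LOLBins whose CPU stays at or above
    cpu_threshold for min_consecutive samples in a row (the sustained spike the
    Defender team describes). An outbound connection is noted as corroboration,
    since a text editor normally has no reason to hold one."""
    by_pid = defaultdict(list)
    for ts, pid, image, cpu, conn in sorted(samples):
        if image.lower() in WATCHED_LOLBINS:
            by_pid[(pid, image.lower())].append((cpu, conn))
    findings = {}
    for (pid, image), series in by_pid.items():
        run = best = 0
        for cpu, _ in series:
            run = run + 1 if cpu >= cpu_threshold else 0
            best = max(best, run)
        if best >= min_consecutive:
            reasons = [f"{image} held >= {cpu_threshold:.0f}% CPU for {best} consecutive samples"]
            if any(conn for _, conn in series):
                reasons.append("outbound connection from a binary that normally needs none")
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in find_suspect_lolbins(SAMPLES).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

On a real endpoint, explorer.exe legitimately spikes during heavy shell activity, so per-image thresholds and a longer window are needed to keep the false-positive rate tolerable.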

While measuring the true spread of cryptojacking isn’t possible—after all, security firms can only report the infections they detect—it’s clear that it isn’t going away. According to a July report by Tech Monitor, some high-profile ransomware gangs such as AstraLocker appear to have pivoted towards it as a way of continuing to make illicit profits without drawing as much attention from international authorities.
