Sunday, December 22, 2024

Tech News, analysis, updates, comments, reviews

Cryptojackers and hackers

Microsoft’s antivirus software is flagging over half a million infections per month.

What qualifies as nightmare news for many cryptocurrency owners—prices of most major tokens taking another dive into the gutter—seems to not be that big a problem for cybercriminals who hijack hardware resources to mine it on someone else’s dime.

The Microsoft 365 Defender research team recently reported that cryptojacking malware not only remains in widespread use, but is rapidly evolving.

While the number of cryptojacking malware detections seen by Microsoft has dipped significantly since April, Microsoft researchers wrote in a blog post that the company’s antivirus software continues to flag over half a million infections per month. At the same time, they added, the infections are getting more technically complex—often leveraging “living off the land” binaries (LOLBins), which are legitimate, developer-signed binaries with functions that can be abused by cybercriminals. LOLBins are typically difficult for antivirus tools to detect, as it’s not always easy to discern whether a given use of a binary is malicious or legitimate.

Cryptojackers are malware with one purpose: taking over an infected machine and stealing its computational resources to generate tokens like Bitcoin or Monero for their originator. Many cryptojacking cybercriminals target big fish like virtual machines connected to huge server farms, but another lucrative route is to go wide and infect tons of individual devices.

This type of attack typically relies on one of three methods: executables, browser-based scripts, or fileless methods that inject themselves into device memory and use tools like LOLBins, according to Microsoft. The first two are pretty easy to detect, but the fileless methods aren’t, and catching them usually requires that antivirus tools notice when hardware, such as the CPU, is being driven in a suspicious way. Many of these techniques utilize machine learning to assist in identifying suspicious activity.

Microsoft Defender relies on Intel Threat Detection Technology (TDT) to detect patterns in CPU usage associated with crypto mining, flagging anomalies for blocking on the software level.

“Through its various sensors and advanced detection methodologies, including its integration with Intel TDT, Microsoft Defender Antivirus sees cryptojackers that take advantage of legitimate system binaries on more than 200,000 devices daily,” the Microsoft research team wrote in the August blog post.

The most common binary that was misused was Notepad, the ubiquitous text editor that has shipped with every Microsoft operating system released since 1983. That accounted for 85% of the detections, followed by Explorer and addinutil.exe at 7% each and other binaries at just 1%. One of the Notepad-abusing tools, which the researchers said contained a cryptojacker named Mehcrypt, is distributed as an archive containing autoit.exe and an .au3 file, designed for storing scripts. When unpacked, the executable is triggered, deleting the original archive and copying its contents to another drive. It then gets to work raising CPU utilization as high as it can, the Defender team wrote:

After adding persistence mechanisms, the script then loads malicious code into VBC.exe via process hollowing and connects to a C2 server to listen for commands. Based on the C2 response, the script loads its cryptojacking code into notepad.exe, likewise via process hollowing.

At this point, as the threat starts its cryptojacking operation via malicious code injected into notepad.exe, a huge jump in CPU usage can be observed.
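The CPU-jump signal described above and in the Intel TDT paragraph can be illustrated with a simple software-side check. This is an added example, not Microsoft's or Intel's code: it watches the binaries the article names and flags any whose CPU share stays high across consecutive telemetry samples. The telemetry, the 80% threshold and the three-sample window are constructed assumptions.

```python
# Added example (not Microsoft's or Intel TDT's code): a software-side check in the
# spirit of the article, flagging named Windows binaries whose CPU share stays high
# across consecutive samples. A text editor should never pin a core for minutes.
from collections import defaultdict

# Hosts the article names as the most frequently abused (85% / 7% / 7% of detections).
LOLBIN_HOSTS = {"notepad.exe", "explorer.exe", "addinutil.exe"}

# Assumed tuning, not values from the page: CPU share per sample, consecutive hot samples.
CPU_THRESHOLD = 80.0
MIN_CONSECUTIVE = 3

# Constructed telemetry: (timestamp_s, pid, image_name, cpu_percent), one sample per 10 s.
SAMPLES = [
    (0,  1120, "notepad.exe",   1.2),
    (10, 1120, "notepad.exe",  97.5),
    (20, 1120, "notepad.exe",  98.1),
    (30, 1120, "notepad.exe",  96.9),
    (40, 1120, "notepad.exe",  97.8),
    (0,  1342, "explorer.exe",  3.0),
    (10, 1342, "explorer.exe", 85.0),   # one-off spike, e.g. rendering thumbnails
    (20, 1342, "explorer.exe",  4.1),
    (30, 1342, "explorer.exe",  2.7),
    (0,  2210, "chrome.exe",   92.0),   # legitimately busy, not a watched host
    (10, 2210, "chrome.exe",   94.0),
    (20, 2210, "chrome.exe",   93.0),
]


def sustained_hot_lolbins(samples, threshold=CPU_THRESHOLD, min_run=MIN_CONSECUTIVE):
    """Return {(pid, image): longest_hot_run} for watched binaries whose CPU share
    met `threshold` in at least `min_run` consecutive samples (time-ordered)."""
    by_proc = defaultdict(list)
    for ts, pid, image, cpu in samples:
        if image.lower() in LOLBIN_HOSTS:
            by_proc[(pid, image.lower())].append((ts, cpu))
    flagged = {}
    for key, series in by_proc.items():
        run = best = 0
        for _, cpu in sorted(series):
            run = run + 1 if cpu >= threshold else 0   # reset on any cool sample
            best = max(best, run)
        if best >= min_run:
            flagged[key] = best
    return flagged
```

The consecutive-sample window is what separates a cryptojacker hollowed into notepad.exe from a legitimate one-off spike in Explorer; in the constructed data only the notepad.exe process is flagged.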

While measuring the true spread of cryptojacking isn’t possible—after all, security firms can only report the infections they detect—it’s clear that it isn’t going away. According to a July report by Tech Monitor, some high-profile ransomware gangs such as AstraLocker appear to have pivoted towards it as a way of continuing to make illicit profits without drawing as much attention from international authorities.
