Microsoft Report Details Different Forms of Cryptominers

Published: 22/11/2024   Category: security




A new report explores different ways legitimate and malicious coin miners are appearing in the enterprise.



The future of digital currencies may be ambiguous, but their effect on cybercrime is crystal-clear. Cryptocurrencies have changed criminals' motivation and the nature of cyberattacks.
As consumers explored the new frontier of digital wealth, so too have cybercriminals and malware developers. Both the anonymity and sharp value increase of cryptocurrency appeal to threat actors, who have most notably used Bitcoin to extort funds from ransomware victims.
Criminal activity related to cryptocurrency has driven a surge in different forms of cryptocurrency miners, otherwise known as cryptominers or coin miners. Microsoft's Alden Pornasdoro, Michael Johnson, and Eric Avena, all with the Windows Defender Research team, have published a new report on the rise of various coin miners and their enterprise presence.
Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger, the researchers explain. It's not malicious, but it does require hefty computing resources to generate coins. Many people and businesses invest in the equipment to legitimately do it. Some people don't want to make this infrastructure investment, and instead explore ways to use coin mining code to tap into the computing resources of somebody else's devices.
For cybercriminals, this is a chance to build coin miners and use them nefariously. The researchers' report digs into the details of coin mining malware, web-based mining scripts, and legitimate but unauthorized cryptomining applications, and how they are deployed and used.
Trojanized coin miners
Oftentimes, cybercriminals change existing cryptominers and drop them on target computers using malware, social engineering, and exploits. Between Sept. 2017 and Jan. 2018, an average of 644,000 machines encountered coin mining malware each month, Microsoft states. Some are more sophisticated than others, using exploits or self-distributing malware to spread.
The vast majority of attacks are financially motivated and based on the return-on-investment for attackers, says Kevin Epstein, vice president of Threat Operations at Proofpoint. As ransomware campaigns have proven less lucrative amid growing consumer awareness, many criminals are turning to cryptominers and integrating coin mining into Trojans to make money.
Exploit kits, once used to mainly deploy banking Trojans and, most recently, ransomware, are now used to spread coin miners. Researchers point to the example of DDE exploits: One sample of the malware is delivered as a malicious Word document that launches a PowerShell script and downloads a Trojanized version of Monero cryptominer XMRig. Some criminals use social engineering: one malicious file called flashupdate, disguised as Flash Player, also uses an altered version of XMRig. 
Once a coin miner makes its way onto a target machine, it aims to stay there.
For cryptocurrency miners, persistence is a key element, Microsoft researchers explain. The longer they stay memory-resident and undetected, the longer they can mine using stolen computer resources. Criminals use scheduled tasks, autostart registry entries, code injection, and other fileless techniques to maintain their presence by evading detection.
Browser-based miners
Some coin-mining scripts are hosted on websites, a trend also known as cryptojacking that has increased amid the interest in cryptocurrency. These websites mine coins using the computing power of people who visit. Some sites prompt visitors to run the script; others do not.
To keep people from leaving, some of these malicious sites host video streams. Researchers have also found tech support scam sites that double as coin miners. Visitors are distracted with pop-ups and stay on the site as criminals mine coins in the background.
Legitimate miners, illegitimate use
A growing enterprise problem is the presence of legitimate but unauthorized coin miners that people use in business environments because they don't want to use their resources at home. These drive energy consumption and costs, and are tougher for security teams to detect because they don't arrive through traditional infection vectors.
Microsoft reports that in 2018, Windows enterprise users running potentially unwanted application (PUA) protection saw coin miners on more than 1,800 enterprise machines. The number is expected to increase as organizations keep a closer eye out for these programs.
PUAs are different from Trojanized miners, which are considered malware, and from unwanted software, which is considered harmful because it changes Windows without users' control. PUA protection, enabled by default in the System Center Configuration Manager, can be configured by security admins with PowerShell cmdlets or Microsoft Intune.
Windows Defender antivirus blocks PUAs when users attempt to install programs meeting certain conditions, researchers explain. These mostly include software bundling programs, browser modifiers, and programs with poor reputations. They increasingly include coin miners, which made up 2% of PUAs in Sept. 2017 and 6% of PUAs in Jan. 2018.
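An added example, not taken from the Microsoft report or from Microsoft's tooling: a PowerShell audit that checks the PUA protection setting described above and sweeps the autostart registry keys and scheduled tasks named earlier as miner persistence points. The match patterns (the XMRig and flashupdate names from this article, plus the Stratum pool URI scheme and an XMRig command-line option) are assumed heuristics, not a vetted signature set.

```powershell
# Added example. Run from an elevated PowerShell session on a Windows endpoint.
# Assumption: illustrative heuristics only, not a vetted signature set.
$MinerRegex = 'xmrig|flashupdate|stratum\+(tcp|ssl)://|--donate-level'

# 1. PUA protection state: 0 = disabled, 1 = enabled (block), 2 = audit mode.
$pua = (Get-MpPreference).PUAProtection
Write-Output "PUAProtection = $pua"
if ($pua -eq 0) {
    # AuditMode logs detections without blocking; use 'Enabled' to block.
    Set-MpPreference -PUAProtection AuditMode
}

# 2. Autostart registry entries whose command line looks like a coin miner.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$hits = @(foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }   # skip provider metadata
        if ("$($p.Value)" -match $MinerRegex) {
            [pscustomobject]@{ Source = 'RunKey'; Location = $key
                               Name = $p.Name; Command = "$($p.Value)" }
        }
    }
})

# 3. Scheduled tasks whose action launches a matching command.
$hits += @(foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $MinerRegex) {
            [pscustomobject]@{ Source = 'ScheduledTask'; Location = $task.TaskPath
                               Name = $task.TaskName; Command = $cmd }
        }
    }
})

$hits | Format-Table -AutoSize -Wrap
```

The HKCU keys cover only the account running the script, so other users' hives have to be checked per profile. Code injection and other fileless persistence mentioned in the report leave no entry in these locations and need memory or behavioral telemetry instead.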
