Cybercriminals have started using sophisticated infection methods and techniques borrowed from targeted attacks in order to install mining software on attacked PCs within organizations, according to Kaspersky Lab researchers.
The most successful group observed by Kaspersky Lab earned at least $7 million by exploiting their victims in just six months during 2017.
Kaspersky Lab researchers recently identified a cybercriminal group that keeps APT techniques in its arsenal of tools to infect users with miners. The group has been using process hollowing, a method common in malware and seen in some targeted attacks by APT actors, but never before observed in mining attacks.
The attack works in the following way: the victim is lured into downloading and installing adware with the miner installer hidden inside. This installer drops a legitimate Windows utility whose main purpose is to download the miner itself from a remote server.
Once the miner runs, a legitimate system process is started and its legitimate code is replaced with malicious code. As a result, the miner operates under the guise of a legitimate task, so it is impossible for a user to recognize that the machine has a mining infection.
It is also challenging for security solutions to detect this threat. In addition, the miner marks the hollowed process so that it cannot be terminated: if the user tries to stop the process, the computer reboots. As a result, the criminals protect their presence in the system for a longer and more productive time.
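The attack chain above (a dropped installer starts a genuine Windows binary and then overwrites its code) leaves a characteristic trace in process telemetry: the parent opens its own, freshly created child with memory-write and suspend/resume rights. The following detector is an added example written for this article, not code from Kaspersky Lab or from the report it summarises. It assumes events shaped like Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess); the trusted and untrusted directory lists, the process names and every sample event are constructed for illustration.

```python
"""Heuristic detection of process hollowing in Sysmon-style process telemetry.

Added example written for this article; it is not code from Kaspersky Lab.
It assumes events shaped like Sysmon Event ID 1 (ProcessCreate) and
Event ID 10 (ProcessAccess). All sample events below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Windows PROCESS_* access-right bits as they appear in a Sysmon GrantedAccess mask.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800
# Replacing a process's code and letting it run again needs all three rights.
HOLLOWING_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME

# Where genuine Windows system utilities live (the binaries hollowing uses as a disguise).
TRUSTED_IMAGE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# User-writable locations a downloaded installer typically runs from (assumed list).
UNTRUSTED_SOURCE_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class Event:
    event_id: int            # 1 = ProcessCreate, 10 = ProcessAccess
    fields: Dict[str, str]   # Sysmon field names -> values


@dataclass
class Alert:
    source_image: str
    target_image: str
    target_pid: int
    reason: str


def _is_trusted_image(path: str) -> bool:
    return path.lower().startswith(TRUSTED_IMAGE_DIRS)


def _runs_from_untrusted_dir(path: str) -> bool:
    lowered = path.lower()
    return any(d in lowered for d in UNTRUSTED_SOURCE_DIRS)


def detect_hollowing(events: List[Event]) -> List[Alert]:
    """Flag a process that spawns a system binary and then opens its own child
    with write + suspend/resume rights, the access pattern hollowing needs."""
    created_by: Dict[int, Tuple[int, str]] = {}  # child pid -> (parent pid, child image)
    alerts: List[Alert] = []
    for ev in events:
        if ev.event_id == 1:
            pid = int(ev.fields["ProcessId"])
            created_by[pid] = (int(ev.fields["ParentProcessId"]), ev.fields["Image"])
            continue
        if ev.event_id != 10:
            continue
        access = int(ev.fields["GrantedAccess"], 16)
        if (access & HOLLOWING_MASK) != HOLLOWING_MASK:
            continue  # query/read-only access: task managers, debuggers, scanners
        src_pid = int(ev.fields["SourceProcessId"])
        tgt_pid = int(ev.fields["TargetProcessId"])
        parent = created_by.get(tgt_pid)
        if parent is None or parent[0] != src_pid:
            continue  # only the process that created the target is of interest
        child_image = parent[1]
        if not _is_trusted_image(child_image):
            continue
        reason = "parent wrote to and resumed a freshly created Windows system binary"
        if _runs_from_untrusted_dir(ev.fields["SourceImage"]):
            reason += "; parent runs from a user-writable directory"
        alerts.append(Alert(ev.fields["SourceImage"], child_image, tgt_pid, reason))
    return alerts


SAMPLE_EVENTS: List[Event] = [  # constructed telemetry, not from any real incident
    # The dropped installer (PID 3988) starts a genuine system binary...
    Event(1, {"ProcessId": "4120", "ParentProcessId": "3988",
              "Image": "C:\\Windows\\System32\\svchost.exe"}),
    # ...then opens it with full access (0x1FFFFF = PROCESS_ALL_ACCESS) to swap its code.
    Event(10, {"SourceProcessId": "3988",
               "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\adware_setup.exe",
               "TargetProcessId": "4120",
               "TargetImage": "C:\\Windows\\System32\\svchost.exe",
               "GrantedAccess": "0x1FFFFF"}),
    # Benign: a monitoring agent (not the parent) opens the same process with full access.
    Event(10, {"SourceProcessId": "812", "SourceImage": "C:\\Program Files\\Monitor\\agent.exe",
               "TargetProcessId": "4120", "TargetImage": "C:\\Windows\\System32\\svchost.exe",
               "GrantedAccess": "0x1FFFFF"}),
    # Benign: explorer starts cmd.exe and only queries it (QUERY_INFORMATION | VM_READ).
    Event(1, {"ProcessId": "5004", "ParentProcessId": "1200",
              "Image": "C:\\Windows\\System32\\cmd.exe"}),
    Event(10, {"SourceProcessId": "1200", "SourceImage": "C:\\Windows\\explorer.exe",
               "TargetProcessId": "5004", "TargetImage": "C:\\Windows\\System32\\cmd.exe",
               "GrantedAccess": "0x1410"}),
]


if __name__ == "__main__":
    for a in detect_hollowing(SAMPLE_EVENTS):
        print(f"[ALERT] pid {a.target_pid} {a.target_image} <- {a.source_image}: {a.reason}")
```

The rule deliberately keys on the parent-child relationship rather than on the access mask alone: security agents and debuggers legitimately open processes with broad rights, but a newly spawned system binary being written to and resumed by the very process that launched it is the hollowing pattern itself. In production the image-path allow-lists would come from inventory rather than a hard-coded tuple, and the alert would be enriched with the child's later network activity to a mining pool, which the article notes is the miner's actual job.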
Based on Kaspersky Lab’s observations, the actors behind these attacks have been mining Electroneum coins and earned almost $7 million during the second half of 2017, which is comparable to the sums that ransomware creators used to earn.
Overall, 2.7 million users were attacked by malicious miners in 2017, according to Kaspersky Lab data. That is approximately 50% higher than in 2016 (1.87 million).
In order to stay protected, Kaspersky Lab recommends that users do the following:
Don’t click on unknown websites or suspicious banners and ads;
Do not download and open unknown files from untrusted sources;
Install a reliable security solution that detects and protects you from all possible threats, including malicious mining software.
For organizations, Kaspersky Lab recommends the following:
Carry out security audits on a regular basis;
Install a reliable security solution on all workstations and servers, and make sure all its components are enabled to ensure maximum protection. Kaspersky Lab customers are protected with Kaspersky Endpoint Security for Business.
More information on miners’ activities can be found on Securelist.com.