Cryptojacking is not dead yet | Decipher


The alleged value of cryptocurrencies may have taken a major hit in recent months, but that hasn’t stopped attackers from continuing to use cryptojackers to surreptitiously hijack victims’ processing power to mine coins.

Microsoft researchers have been following some recent campaigns that abuse legitimate binaries on victim machines to remain persistent, rather than injecting malicious code into the browser or running a malicious executable on the target computer. Microsoft saw more than 500,000 machines with malicious cryptojackers consistently throughout the summer, and researchers say the campaigns don’t seem to be stopping.

Cryptojackers are small applications that hijack the processing power of victims’ computers in order to mine cryptocurrency. They have been around for over a decade and their popularity tends to rise and fall in concert with the value of popular currencies such as Bitcoin and Ethereum. Most cryptojackers aren’t outwardly malicious outside of using system resources without the user’s knowledge, but they can be conduits for other unwanted apps.

The campaign tracked by Microsoft’s 365 Defender research team uses the currently popular fileless approach to cryptomining, which is harder for security tools to spot but still consumes a significant amount of processing power.

“We analyzed an interesting cryptojacking campaign abusing notepad.exe and several other binaries to run its routines. This campaign used an updated version of the cryptojacker known as Mehcrypt. This new version bundles all of its routines into a single script and connects to a command and control (C2) server in the last part of its attack chain, a significant upgrade from the older version, which ran a script to access its C2 and download additional components which then perform malicious actions,” the researchers said.

“The threat arrives as an archive file containing autoit.exe and a heavily obfuscated, randomly named .au3 script. Opening the archive file launches autoit.exe, which decodes the .au3 script into When executed, the script decodes multiple layers of obfuscation and loads additional decoded scripts into memory.”

This campaign specifically abuses the notepad.exe binary, which is ubiquitous on Windows machines and has become a popular target for cryptojackers. Because Notepad is always available and its presence in a list of running programs wouldn’t attract much attention, it is an attractive and convenient target. The actors behind this campaign maintain persistence by adding autostart registry keys that run a script each time the machine is started. The script connects to the remote C2 server and then injects itself into notepad.exe when requested by the server. This starts the mining process, which in turn increases CPU usage.

“Executable and browser-based approaches involve malicious code present in the file system or website that can be relatively easily detected and blocked. The fileless approach, on the other hand, misuses local system binaries or pre-installed tools to exploit device memory. This approach allows attackers to achieve their goals without relying on specific code or files. Additionally, the fileless approach allows cryptojackers to be delivered silently and evade detection. This makes the fileless approach more attractive to attackers,” the Microsoft researchers said.

Many antimalware apps detect typical cryptojackers and cryptominers, but checking which apps are using valuable system resources and identifying anomalies can be another way to spot potential issues.
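As an added example (not from the article or from Microsoft), the two observations above, the autostart entry that launches autoit.exe with an .au3 script and a notepad.exe process burning CPU when it should be idle, can be turned into a simple triage check. The telemetry below is constructed, and the field layout and CPU threshold are assumptions for this example.

```python
"""Heuristic triage for the Mehcrypt-style behaviour described above.

The autostart entries and process snapshot are constructed sample data,
not real telemetry; the threshold is an assumed value.
"""
import re

# Constructed autostart entries: (registry key, value name, command line)
AUTOSTART = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"C:\Users\alice\AppData\Roaming\xk\autoit.exe" C:\Users\alice\AppData\Roaming\xk\qzv81.au3'),
]

# Constructed process snapshot: (pid, image name, average CPU % over the sample window)
PROCESSES = [
    (1204, "explorer.exe", 1.5),
    (3320, "notepad.exe", 0.0),
    (4411, "notepad.exe", 92.3),
    (5020, "chrome.exe", 18.0),
]

# Persistence pattern from the article: AutoIt interpreter launched with an .au3 script.
AUTOIT_SCRIPT = re.compile(r"autoit\.exe.*\.au3", re.IGNORECASE)
# Notepad is an interactive editor and should idle near zero CPU; sustained load is anomalous.
NOTEPAD_CPU_THRESHOLD = 25.0  # assumed threshold, tune to the environment


def suspicious_autostarts(entries):
    """Return autostart entries whose command line runs AutoIt with an .au3 script."""
    return [(key, name, cmd) for key, name, cmd in entries if AUTOIT_SCRIPT.search(cmd)]


def anomalous_notepads(processes, threshold=NOTEPAD_CPU_THRESHOLD):
    """Return notepad.exe processes whose sampled CPU use is at or above the threshold."""
    return [(pid, name, cpu) for pid, name, cpu in processes
            if name.lower() == "notepad.exe" and cpu >= threshold]


def triage(entries, processes):
    """Combine both checks into human-readable findings for an analyst."""
    findings = [f"autostart {key}\\{name} runs an AutoIt script: {cmd}"
                for key, name, cmd in suspicious_autostarts(entries)]
    findings += [f"pid {pid} {name} at {cpu:.1f}% CPU (expected near idle)"
                 for pid, name, cpu in anomalous_notepads(processes)]
    return findings


if __name__ == "__main__":
    for finding in triage(AUTOSTART, PROCESSES):
        print(finding)
```

Either finding alone is only a lead; the combination of an AutoIt autostart and a hot notepad.exe on the same host is what matches the chain the article describes.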
