Last year, we saw one of the more serious ransomware attacks in recent history thanks to WannaCry. Cybercriminals even adopted an 'as-a-service' model for their malware, in an effort to swindle folks out of even more money. But according to Kaspersky Lab researchers, that was by no means the singular source of income.
According to Securelist, Kaspersky Lab's 'cyberthreat research and reports' repository, cybercriminals took advantage of the crypto mining craze - which has led to ludicrous increases in GPU pricing - to make a little cash on the side.
While this has been achieved through malicious script execution in the browser or fake lotteries - which require participants to download and run number generators to participate -, another technique is process-hollowing.
In simple terms, a malware using the process-hollowing method will use a legitimate application as a sort of container to house the malicious code, and thus get through a system's defenses. This is the exact behavior observed by researchers, only on this occasion it involves cryptocurrency miners:
This miner installer drops the legitimate Windows utility msiexec with a random name, which downloads and executes a malicious module from the remote server. In the next step it installs a malicious scheduler task which drops the miner’s body. This body executes the legitimate system process and uses a process-hollowing technique (legitimate process code is changed to malicious). Also, a special flag, system critical flag, is set to this new process. If a victim tries to kill this process, the Windows system will reboot.
According to Kaspersky Lab's data, attacks of this kind increased nearly 1.5 times between 2016 (1.87 million) and 2017 (2.7 million). Furthermore, in the last six months of 2017, cybercriminals mining Electroneum have made in excess of $7 million. However, individuals are not the only ones targeted by these attacks, organizations are too.
One group was found to target big organizations with the end goal of getting into the corporate network and using the company's resources to mine cryptocurrency. This would be done via the use of domain policies to launch malicious scripts throughout the network. The scripts functioned like so:
This script has the following logic:
- After launching, it checks if this endpoint belongs to specific accounts, i.e. senior levels or information security officers. If it is true, then the script won’t execute the miner.
- This script also checks current date and time information. It will execute the malicious miner in non-working time.
Further evolution of these kinds of attacks is expected, with them making use of algorithms like Proof-of-Space (PoS), which is an idea along the same lines of Proof-of-Work (PoW). What PoW and PoS do is create a method to deter Denial-of-Service (DoS) attacks by requiring proof that the requester is legitimate. To that end, PoW allocates a certain amount of computational power (usually CPU), while PoS uses memory or storage space. Attackers employing the latter method in particular have another advantage:
The blockchain on the PoS algorithm is a very big decentralized anonymous data center that can be used to spread malware or illegal content. As a result, it can bring more damage. Data will be encrypted and no one will know where it is physically stored.
For protection, it is recommended that you do not click on suspicious ads or download software from untrusted sources.