Researchers Discover Creative Cryptomining Assault
Overview
- Darktrace detected a new cryptomining attack built around NBMiner malware.
- The attack uses PowerShell and AutoIt to inject code into legitimate Windows processes.
- Cryptojacking incidents have surged alongside the booming cryptocurrency market.
- The malware connects to mining pools and mines currencies such as Ravencoin.
- Advanced evasion techniques make the activity hard to detect.
Unveiling a Fresh Cryptomining Method
Darktrace researchers have recorded the first observed instance of NBMiner cryptomining malware that uses a PowerShell-based technique to inject malicious code into legitimate Windows processes. The attack was identified on a retail and e-commerce network and represents a new development in the cryptojacking landscape.
Chronicle of the Attack
The incident began when an infected desktop device connected to a suspicious IP address and retrieved a PowerShell script named infect.ps1, which served as the primary dropper for the malware. The script was heavily obfuscated with Base64- and XOR-encoded data, reflecting the attackers' advanced programming capabilities.
AutoIt’s Contribution to the Assault
Once decrypted, the script wrote a legitimate AutoIt executable to the application data directory on the system. The malware used sophisticated evasion techniques, specifically targeting the Windows Character Map application to gain full memory access and bypass conventional security controls. These techniques show that the attackers have a thorough understanding of Windows environments.
Strategies for Evasion and Persistence
To remain undetected, the malware employed a range of anti-sandboxing and privilege escalation techniques. It checked for installed antivirus software and proceeded only if Windows Defender was the sole protection in place. It also attempted to bypass User Account Control prompts in order to obtain elevated privileges.
Deployment of the Cryptominer
Inside the legitimate process, the cryptomining payload was allocated in memory, decrypted, and executed, so that its activity resembled normal operation. This makes detection difficult for security tools that rely on monitoring processes. The cryptominer connected to the asia.ravenminer.com pool and mined Ravencoin while hiding its activity.
Conclusion
This newly identified cryptomining attack illustrates the growing sophistication of cyber threats in the cryptocurrency domain. By combining PowerShell and AutoIt for process injection, attackers can effectively disguise malicious activity as legitimate, posing substantial challenges for detection and response.