What Is a Cryptojacking Attack and How Is It Carried Out?

Ransomware is one of the most dangerous and lucrative cyber attacks. In this type of attack, the victim's information and files are encrypted, and the decryption key is handed over only in exchange for a ransom.

Cryptojacking, another attack vector, is more dangerous than ransomware: instead of encrypting the victim's information, it targets the victim system's processing power. In this attack, hackers infect websites with malicious code and use the processing power of the computers that visit those websites to mine cryptocurrency.

What is cryptojacking?

Cryptojacking means the misuse of people's computers and smart devices to mine cryptocurrency. To carry out this attack, hackers send malicious links to people via email or social networks. When the victim clicks on the malicious link, the cryptomining code is stored in a script file on their computer and executed by the browser. Another method hackers use is a website or online ad infected with malicious JavaScript code.

This code is loaded and executed automatically in the browser of every user who views the site or ad. Once a system is infected, the mining code runs on the victim's computer without any notice. The only signs a person may notice are a slowdown or a delay in running programs.

How does cryptojacking work?

Hackers use two methods to mine cryptocurrency covertly. In the first method, malicious code is loaded and executed on the victim's system by way of a phishing attack: the victim receives a seemingly harmless, legitimate email that encourages them to click on a link. When the user clicks on the infected link, the cryptomining code is loaded and executed on the victim's system.

In the second method, the malicious code is secretly embedded in a site or in a legitimate-looking ad. The code executes automatically when the victim visits the infected site or the infected ad is displayed in their browser. It runs complex computations on the victim's system and is managed by servers controlled by the hackers. Hackers typically use both methods to increase the effectiveness of the attack.

“Hackers are using the same old attack vectors to deliver seemingly safe and legitimate software to victims' systems,” said Alex Vaystikh, chief information officer at SecBI. “For example, out of 100 devices mining cryptocurrency for hackers, 10% of them may be earning money by executing code on the victim's system, and 90% of them may be earning money for the hackers through web browsers.”

Some cryptomining code can act as an Internet worm and use that ability to infect more devices and servers.

These features make this class of malware difficult to detect and remove and keep it on infected systems for a long time. In addition, to spread more widely across the network, cryptomining code is written in different variants, each designed for a specific architecture present on the network.

A sample reviewed by AT&T Alien Labs shows that hackers have written mining code for various architectures so carefully that it looks like the work of a large software company.

All of the code is well-written, and it looks as if a quality-control expert reviewed it before it was released. Different variants of the mining code are written to be installed on different systems, so that at least one of them will ultimately run efficiently.

The code also checks whether the system has previously been infected with cryptomining malware; if it has, the code disables the other miners on the system.

AT&T Alien Labs says:

“Some cryptomining code and tools use a mechanism to keep their processes from being terminated, so that they are re-executed every few minutes.” Unlike most malware, cryptojacking does not harm the victim's data or system; it only misuses the victim's processing resources. Most of the time, users only see a drop in system speed and performance.

On a larger scale, organizations whose systems are infected with such malware suddenly face rising energy costs and reduced bandwidth and have to spend a lot of time identifying and fixing the problem.

Why is cryptojacking so popular?

Exact statistics on how much cryptocurrency has been mined through cryptojacking are not available. Browser-based cryptojacking grew rapidly after its emergence, but its activity appears to have dwindled due to fluctuations in the cryptocurrency market and the retirement of Coinhive.

Coinhive was the most popular JavaScript cryptomining code, and it was also used to mine digital currency legitimately. In its 2020 Cyber Threat Report, SonicWall's research team reported that the volume of cryptojacking attacks had dropped by 78 percent in the second half of 2019 because of Coinhive's retirement.

“In the first quarter of 2019, cryptojacking accounted for only 7% of all cyberattacks, a sharp decline from 2018,” said Positive Technologies. “The statistics clearly show that hackers have moved to newer techniques that are more profitable.”

“Cryptocurrency mining malware is not yet mature and still has room for improvement,” said Marc Laliberte, a threat intelligence analyst at WatchGuard Technologies, which provides network security solutions. “The examples you see now will take on a more advanced and dangerous form in the future.” In 2018, researchers identified the Smominru cryptomining botnet, which infected more than half a million systems in India, Taiwan, and Russia.

The botnet used infected Windows servers to mine Monero.

Cybersecurity company Proofpoint estimates that by the end of January 2018 the botnet had earned its operators about $3.6 million. Carrying out cryptojacking does not require special technical skills; ready-made cryptojacking kits sell for about $30 on the dark web today. The main reason for the popularity of this attack vector is its high profitability and low risk for hackers.

“From the hackers' point of view, cryptojacking is a more profitable and cheaper tool than ransomware,” says Laliberte. With ransomware, hackers may collect a ransom from only 3 victims for every 100 systems infected, but with cryptojacking, every infected system earns money for them.

“The hackers may earn as much as they do from ransomware attacks, but we should not overlook the fact that the revenue from cryptocurrency mining is steady, while the price of this new gold fluctuates constantly.”

With this method, the risk of the hackers being identified and caught is also lower than with ransomware.

Cryptomining code enters and runs on victims' systems covertly and may go undetected for a long time. Unfortunately, once it is detected, it is difficult to trace the source of the infection. Users are also less motivated to track it down, since no data has been stolen or encrypted.

Statistics show that hackers prefer mining cryptocurrencies such as Monero and Zcash to mining bitcoin, because transactions in those currencies are harder to trace.

A few real-world examples of cryptojacking

Hackers who carry out cryptojacking attacks are clever by nature and use a variety of methods to deploy cryptojacking malware. Typically, the methods for delivering the malware to victims' systems are the same as those used for other malware, such as ransomware and adware.

“In this attack vector, we see the use of various traditional methods that hackers have used in the past,” said Travis Farral, director of security solutions at Anomali. “Instead of delivering ransomware or trojans, these people configure their tools so that they deliver cryptomining components or modules.” Here are some examples of this malware.

The Prometei botnet exploits Microsoft Exchange vulnerabilities

Prometei began mining Monero in early 2016 using a multi-stage botnet. The malware uses various methods to infect devices and spread across networks. In 2021, Cybereason announced that it had detected the malware exploiting Microsoft Exchange vulnerabilities. Further analysis showed that the hackers used the malware's code in Hafnium attacks to harvest user account login information.

PowerGhost uses targeted phishing to steal Windows credentials

The Cyber Threat Alliance (CTA) released a report in early 2021 on illicit cryptocurrency mining and the PowerGhost malware. The report states that the malware uses a variety of methods to hide itself. PowerGhost initially uses targeted phishing to get onto users' systems and then steals Windows credentials (usernames and passwords).

The malware then uses Windows management tools and the EternalBlue exploit to spread to other systems. To stay active and hidden on the victim's system for a long time, it tries to disable the installed antivirus software. In addition, it can disable other cryptominers installed on the victim's system.

Graboid: a cryptomining worm spread through Docker containers

Palo Alto Networks, a security company, reported in early May 2021 that it had identified a cryptojacking worm called Graboid that spreads on its own, making Graboid the first known cryptojacking worm. The malware works by finding Docker Engine installations that are reachable from the Internet without authentication and installing itself on those systems.

Malicious Docker Hub accounts mining Monero

In 2020, Palo Alto Networks uncovered a cryptojacking campaign that used Docker images to distribute cryptomining malware. Placing the mining code inside a Docker image is a way to keep it from being detected by anti-malware tools. The infected images were downloaded more than 2 million times, earning the hackers an estimated $36,000.

MinerGate: malware with evasive behavior

MinerGate, another clever piece of cryptomining malware, behaves differently from other malware. It monitors mouse movement, and if the mouse is inactive for a long time, it assumes the user is away from the system; only then does it activate and begin mining. This reduces the chance that the user will notice the system slowing down.

BadShell: malware that abuses Windows processes

In early April 2021, the cybersecurity company Comodo detected malware that uses Windows operating system processes to mine cryptocurrency. The malware, called BadShell, uses PowerShell to execute commands, scheduled tasks to stay persistent on the infected system, and the Windows registry to store its binary code.

An employee who abused a bank's systems

Darktrace, a multinational company specializing in security solutions, reported an unusual case in which one of its customers, a European bank, fell victim to a cryptojacking attack.

In its technical analysis, the company noticed an abnormal change in the traffic pattern on the bank's servers. The processes behind the unusual network activity slowed down the bank's services, yet the bank's diagnostic tools reported no particular problem.

A more detailed investigation of the data center showed that whenever the servers slowed down, new processes were being created that had nothing to do with the bank's normal activities. One of the bank's employees had installed a cryptomining rig under the floor of one of the bank's rooms.

Distribution of cryptomining tools via GitHub

Security company Avast reports that cybercriminals are using GitHub to host cryptomining kits. According to the company, hackers upload projects to the site and use phishing and social engineering to encourage users to download the infected projects. One such lure is a warning message telling the user to update Flash Player.

WinstarNssmMiner

The security company 360 Total Security has identified malware that, in addition to spreading quickly, mines cryptocurrency aggressively. Interestingly, any attempt to remove this malware, called WinstarNssmMiner, causes the infected system to malfunction.

To achieve this, WinstarNssmMiner injects its code into the svchost.exe process and flags the resulting process as a critical process. Because Windows treats a critical process as essential to its operation, terminating or restarting it causes the system to malfunction.

How to defend against cryptojacking?

Follow these tips to minimize the risk of falling victim to cryptojacking attacks:

  •     Follow cybersecurity news about cryptojacking to learn what hackers are currently using to infect victims' systems. As the examples above show, hackers use popular tools such as Docker and GitHub to victimize uninformed users. “Training comes in handy when security solutions fail,” says the Cyber Threat Alliance. “Reports indicate that phishing attacks are still the mainstay of malware.”
  •     Install ad-blocking or anti-cryptomining plugins in web browsers. Most cryptojacking malware is delivered through web ads, so an ad-blocking plugin reduces the risk of infection. Some of these tools, such as Adblock Plus, can detect malicious cryptomining code. In addition, NoCoin and MinerBlock are designed specifically to detect and block malicious miners.
  •     Use endpoint protection solutions that can identify known miners. Antivirus software can generally detect cryptomining tools, and it is one of the tools installed on endpoints to protect against cryptomining.
  •     Keep web filtering tools up to date. If you find a page that serves a cryptojacking script, block users from accessing that page.
  •     Use mobile device management (MDM) solutions to better control users' devices. MDM tools can help improve infrastructure security by managing the plugins and applications on users' devices to prevent security breaches. These solutions are better suited to large organizations and are of limited use to small businesses. Mobile devices are at lower risk than computers and servers because they have less processing power and are therefore less profitable for hackers.

How to detect cryptojacking attacks?

Cryptojacking, like a ransomware attack, has damaging consequences, and cleaning up this malware is harder than for other examples. Unfortunately, current solutions cannot fully deal with cryptojacking: cryptomining code can hide from signature-based security tools, and therefore antivirus tools are often unable to detect it.

The following methods can be used to identify this pattern of attack:

  • The IT team should know the signs of a cryptojacking infection: sometimes employees' complaints about slow systems are the first sign of cryptomining malware and need to be carefully investigated. Overheating, with the processor or cooling fan under heavier load, is another sign of infection. If the equipment runs hot continuously, it will be damaged and its lifespan shortened.
  • Use network monitoring solutions: fortunately, cryptojacking is easier to detect on corporate networks than on personal computers, because networks have monitoring tools installed that report any suspicious activity. Organizations should consider deploying network monitoring equipment that can detect and analyze the signs of cryptomining malware. For example, SecBI has developed an AI-based solution that analyzes network traffic and detects cryptojacking and other cyber threats. The best way to detect cryptomining activity is to monitor the network: tools that monitor web traffic can quickly detect cryptominers. If incoming server traffic is carefully filtered and outgoing communications are closely monitored, the chances of detecting cryptomining malware increase.
  • Monitor your website carefully: cryptomining malware authors use various methods to inject JavaScript code into sites. In most cases, the target is not the server itself but every visitor to the website hosted on it. For this reason, changes to server files and web pages should be monitored.
  • Stay informed about the latest cryptojacking news and developments: cryptomining code and its distribution methods are constantly changing. Familiarity with the software and its behavioral patterns helps greatly with early detection of cryptojacking attacks; if you know how they work, you will know which malware a specific exploit kit installs. In 202 AD, for example, Akamai identified a cryptomining botnet that had changed its techniques to avoid being shut down. The botnet's designers added a bitcoin wallet address and the address of a wallet-lookup API to the malware, which uses that API to compute the IP address it relies on to persist on the victim system and infect other systems. Researchers say the method is quite clever and strategic, allowing hackers to store data obscurely on a blockchain.
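Two of the checks above, watching web pages for injected scripts and watching network traffic for mining activity, can be scripted. The following Python is an added example, not code from the original post or from any vendor named in it; the allowlist of script hosts, the miner-library name hints, the Stratum method names it looks for, the log-line format, and the sample page and log lines are all constructed assumptions for the demonstration.

```python
"""Added example, not code from the original post: two of the detection signs
above as scripts, run over constructed data. suspicious_scripts() flags
<script> tags whose host is not allowlisted or whose body names a miner library;
stratum_events() flags Stratum mining-pool requests in connection-log lines."""
import json
import re

ALLOWED_SCRIPT_HOSTS = {"www.example-bank.test", "cdn.example-bank.test"}  # assumed
MINER_NAME_HINTS = ("coinhive", "cryptonight", "coinimp", "webminer")  # library names
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login"}
SRC_RE = re.compile(r'<script[^>]*\bsrc=["\']([^"\']+)', re.I)
INLINE_RE = re.compile(r'<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>', re.I | re.S)

def suspicious_scripts(html):
    """Returns offending script URLs and inline snippets; [] means nothing flagged."""
    hits = []
    for src in SRC_RE.findall(html):
        m = re.match(r'^(?:https?:)?//([^/:]+)', src)
        # Relative paths come from the site itself; external hosts must be allowlisted.
        if m and m.group(1).lower() not in ALLOWED_SCRIPT_HOSTS:
            hits.append(src)
    for body in INLINE_RE.findall(html):
        if any(hint in body.lower() for hint in MINER_NAME_HINTS):
            hits.append(body.strip()[:40])
    return hits

def stratum_events(log_lines):
    """Returns (line_no, dst, method) for every line carrying a Stratum request."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        head, _, payload = line.partition(" payload=")
        try:
            msg = json.loads(payload)
        except ValueError:
            continue  # not JSON, so not a Stratum message
        if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
            hits.append((n, head.split("dst=")[-1].split()[0], msg["method"]))
    return hits

# Constructed page: one legitimate script plus an injected miner (external + inline).
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-bank.test/app.js"></script>
<script src="//evil-cdn.example/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('KEY'); miner.start();</script>
</head><body>hello</body></html>"""

# Constructed connection-log lines (proxy/IDS style, one JSON payload per line).
SAMPLE_LOG = [
    'ts=1 src=10.0.0.5 dst=93.184.216.34:443 payload={"GET":"/index.html"}',
    'ts=2 src=10.0.0.7 dst=203.0.113.9:3333 payload={"id":1,"method":"mining.subscribe","params":["miner/1.0"]}',
    'ts=3 src=10.0.0.7 dst=203.0.113.9:3333 payload={"id":2,"method":"login","params":{"login":"WALLET","pass":"x"}}',
    'ts=4 src=10.0.0.8 dst=198.51.100.2:80 payload=not-json',
]
```

Running `suspicious_scripts(SAMPLE_PAGE)` flags the external miner script and the inline CoinHive snippet while leaving the allowlisted CDN alone, and `stratum_events(SAMPLE_LOG)` reports only the two lines that carry a mining-pool request.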