The alleged value of cryptocurrencies may have taken a major hit in the last few months, but that hasn’t stopped attackers from continuing their use of cryptojackers to surreptitiously hijack victims’ processing power to mine coins.
Microsoft researchers have been tracking some recent campaigns that are abusing legitimate binaries on victims’ machines to stay persistent, rather than injecting malicious code into the browser or running a malicious executable on the target computer. Microsoft has seen more than 500,000 machines with malicious cryptojackers on them consistently throughout the summer, and researchers say the campaigns do not seem to be abating.
Cryptojackers are small applications that hijack the processing power of victims’ computers in order to mine cryptocurrency. They have been circulating for more than a decade and their popularity tends to wax and wane in concert with the value of popular currencies such as Bitcoin and Ethereum. Most cryptojackers aren’t outwardly malicious aside from using system resources without the user’s knowledge, but they can be conduits for other unwanted apps.
The campaign that Microsoft’s 365 Defender Research Team has been tracking uses the currently popular fileless approach to cryptomining, a tactic that is less obvious to security tools but still uses a significant amount of processing power.
“We analyzed an interesting cryptojacking campaign abusing notepad.exe and several other binaries to carry out its routines. This campaign used an updated version of the cryptojacker known as Mehcrypt. This new version packs all of its routines into one script and connects to a command-and-control (C2) server in the latter part of its attack chain, a significant update from the old version, which ran a script to access its C2 and download additional components that then perform malicious actions,” the researchers said.
“The threat arrives as an archive file containing autoit.exe and a heavily obfuscated, randomly named .au3 script. Opening the archive file launches autoit.exe, which decodes the .au3 script in memory. Once running, the script further decodes several layers of obfuscation and loads additional decoded scripts in memory.”
This campaign specifically abuses the notepad.exe binary that is ever-present on Windows machines and has become a popular target for cryptojackers. Because Notepad is always available and its presence in a list of running programs wouldn’t attract much attention, it makes for an attractive and practical target. The actors behind this campaign maintain persistence by adding autostart registry keys that run a script each time the machine starts. The script connects to the remote C2 server and will then inject itself into notepad.exe when instructed by the server. That kicks off the mining process, which in turn spikes the processor’s usage.
“The executable and browser-based approaches involve malicious code that’s present in either the filesystem or website that can be relatively easily detected and blocked. The fileless approach, on the other hand, misuses local system binaries or preinstalled tools to mine using the device’s memory. This approach allows attackers to achieve their goals without relying on specific code or files. Moreover, the fileless approach enables cryptojackers to be delivered silently and evade detection. These make the fileless approach more attractive to attackers,” the Microsoft researchers said.
Many antimalware applications detect typical cryptojackers and cryptominers, but checking which apps are using significant system resources and identifying anomalies can be another way to find potential problems.
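As an added example (not code from the article or from Microsoft's researchers), the script below turns the two observables described above into heuristic checks: an autostart registry value that launches the AutoIt interpreter with a `.au3` script, and a normally idle `notepad.exe` that stays at high CPU for several consecutive polling rounds. All process samples, PIDs, paths and registry values are constructed test data; on a real host the inputs would be collected from the process list and the `Run` keys, and the thresholds are assumptions to tune per environment.

```python
# Added example, not from the article or Microsoft. Heuristic checks for the
# chain the article describes: persistence via an autostart registry value
# that runs autoit.exe with a .au3 script, and an idle notepad.exe that
# suddenly burns CPU after code injection. Every sample below is constructed.
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcessSample:
    pid: int
    name: str
    cpu_percent: float   # CPU share measured over one polling interval


@dataclass(frozen=True)
class AutostartEntry:
    key: str             # registry key the value lives under
    value_name: str
    command: str         # command line the value launches at logon


# Processes expected to sit idle; sustained CPU load from them is anomalous.
NORMALLY_IDLE = {"notepad.exe"}
CPU_THRESHOLD = 50.0     # percent of one core (assumed threshold)
SUSTAINED_ROUNDS = 3     # consecutive polling rounds above the threshold

# Patterns taken from the article's chain: AutoIt interpreter plus .au3 script.
AUTOSTART_PATTERNS = [
    re.compile(r"autoit\d*\.exe", re.I),
    re.compile(r"\.au3\b", re.I),
]


def find_sustained_cpu(rounds):
    """rounds: list of polling rounds, each a list of ProcessSample.
    Returns the set of (pid, name) for normally-idle processes that stayed at
    or above CPU_THRESHOLD for SUSTAINED_ROUNDS consecutive rounds. A single
    spike (e.g. opening a large file) does not trigger the check."""
    streak = {}
    flagged = set()
    for samples in rounds:
        seen = set()
        for s in samples:
            if s.name.lower() not in NORMALLY_IDLE:
                continue
            key = (s.pid, s.name.lower())
            seen.add(key)
            streak[key] = streak.get(key, 0) + 1 if s.cpu_percent >= CPU_THRESHOLD else 0
            if streak[key] >= SUSTAINED_ROUNDS:
                flagged.add(key)
        # A process that exited resets its streak; a new PID starts fresh.
        for key in list(streak):
            if key not in seen:
                del streak[key]
    return flagged


def find_suspicious_autostart(entries):
    """Return autostart entries whose command matches an AutoIt/.au3 launch."""
    return [e for e in entries if any(p.search(e.command) for p in AUTOSTART_PATTERNS)]


# Constructed polling data: four rounds, a few seconds apart. PID 4120 is
# notepad.exe going from idle to pegged; PID 5300 spikes once and calms down.
SAMPLE_ROUNDS = [
    [ProcessSample(1204, "explorer.exe", 2.0), ProcessSample(4120, "notepad.exe", 0.1),
     ProcessSample(980, "svchost.exe", 1.5)],
    [ProcessSample(1204, "explorer.exe", 3.0), ProcessSample(4120, "notepad.exe", 88.0),
     ProcessSample(980, "svchost.exe", 1.2)],
    [ProcessSample(1204, "explorer.exe", 2.5), ProcessSample(4120, "notepad.exe", 91.0),
     ProcessSample(5300, "notepad.exe", 95.0)],
    [ProcessSample(1204, "explorer.exe", 2.0), ProcessSample(4120, "notepad.exe", 87.0),
     ProcessSample(5300, "notepad.exe", 1.0)],
]

# Constructed Run-key values: one ordinary entry and one AutoIt launcher.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_AUTOSTART = [
    AutostartEntry(RUN_KEY, "OneDrive",
                   r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutostartEntry(RUN_KEY, "kx9q2",
                   r'"C:\Users\alice\AppData\Roaming\kx9q2\autoit.exe" '
                   r'"C:\Users\alice\AppData\Roaming\kx9q2\kx9q2.au3"'),
]

if __name__ == "__main__":
    for pid, name in sorted(find_sustained_cpu(SAMPLE_ROUNDS)):
        print(f"sustained CPU from normally idle process: {name} (pid {pid})")
    for e in find_suspicious_autostart(SAMPLE_AUTOSTART):
        print(f"suspicious autostart value {e.value_name!r} under {e.key}: {e.command}")
```

The CPU check is deliberately stateful across rounds so that a one-off spike does not raise an alert; only a persistently busy `notepad.exe` does, which is the behaviour the article attributes to the injected miner. The autostart check is narrow on purpose: it matches only the interpreter and script extension the article names, and a broader deployment would extend `AUTOSTART_PATTERNS` and `NORMALLY_IDLE` from local baselining rather than from this page.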