Security News > 2022 > January > Ongoing Autom Cryptomining Malware Attacks Using Upgraded Evasion Tactics
An ongoing crypto mining campaign has upgraded its arsenal while adding new defense evasion tactics that enable the threat actors to conceal the intrusions and fly under the radar, new research published today has revealed.
Since first detected in 2019, a total of 84 attacks against its honeypot servers have been recorded to date, four of which transpired in 2021, according to researchers from DevSecOps and cloud security firm Aqua Security, who have been tracking the malware operation for the past three years.
The shell script initiates the attack sequence, enabling the adversary to create a new user account under the name "Akay" and upgrade its privileges to a root user, using which arbitrary commands are run on the compromised machine with the goal of mining cryptocurrency.
While early stages of the campaign in 2019 featured no special techniques to hide the mining activity, later versions show the extreme measures its developers have taken to keep it invisible to detection and inspection, chief among them being the ability to disable security mechanisms and retrieve an obfuscated mining shell script that was Base64-encoded five times to get around security tools.
Malware campaigns carried out to hijack computers to mine cryptocurrencies have been dominated by multiple threat actors such as Kinsing, which has been found scanning the internet for misconfigured Docker servers to break into the unprotected hosts and install a previously undocumented coin miner strain.
"Miners are a low-risk way for cybercriminals to turn a vulnerability into digital cash, with the greatest risk to their cash flow being competing miners discovering the same vulnerable servers," Sophos senior threat researcher Sean Gallagher noted in an analysis of a Tor2Mine mining campaign, which involves the use of a PowerShell script to disable malware protection, execute a miner payload, and harvest Windows credentials.
News URL
https://thehackernews.com/2021/12/ongoing-autom-cryptomining-malware.html
Related news
- The Biggest Takeaways from Recent Malware Attacks (source)
- Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks (source)
- Microsoft fixes two Windows zero-days exploited in malware attacks (source)
- TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks (source)
- Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks (source)
- CoralRaider attacks use CDN cache to push info-stealer malware (source)
- New Latrodectus malware attacks use Microsoft, Cloudflare themes (source)
- Finland warns of Android malware attacks breaching bank accounts (source)
- Microsoft fixes Windows zero-day exploited in QakBot malware attacks (source)