The Rise of Currency Miner Malware
Insider threats are usually considered malicious. Most companies think of a cyber threat as someone who maliciously attacks the network, steals data, or destroys company resources. Employee negligence also falls into the insider threat category. One area of negligence that puts your company network at risk is downloaded software: a user installs software carrying malicious code on their machine, and that code then has access to the machine's resources. Because this is common with users naive to cyber security, criminal crypto miners have developed backdoors that steal local computer resources and mine cryptocurrency.
Backdoor Snuck into Mediaget Source Code
The latest attack was on a popular BitTorrent client called Mediaget. Sneaking code into the latest build has been done on BitTorrent clients before, namely Transmission. CCleaner was also a victim of this kind of code injection when it was revealed that the compromised build affected 2.27 million people. This type of sneaky code injection is called a supply-chain attack.
Once an application has malicious code injected into it, it can perform any amount of activity on the infected machine. With Mediaget, the objective wasn't to install ransomware, steal data or destroy the user's hard drive. Instead, the attackers drained resources (CPU and memory, to be exact) to mine cryptocurrency. The malicious code was able to infect 400,000 computers in just 12 hours.
Mediaget Targets Microsoft
After infection, the backdoor code performed more than just crypto mining. Microsoft soon found that its Windows Defender was blocking hundreds of thousands of trojan attacks on computers primarily located in Russia, Turkey, and Ukraine. Microsoft's researchers determined that it was a variant of the original Dofoil malware. If you keep up with the latest malware news, you will recognize the Trojan name. Dofoil was the malware that infected a computer in Maryland that then sent confidential NSA data to a Kaspersky server in Moscow.
To avoid detection, Mediaget uses a stolen digital certificate likely purchased on the black market. The certificate let the installation pass the checks of some operating systems and antivirus software that would otherwise have flagged it. The trojan could then mine cryptocurrency silently in the background.
How This Affects the Enterprise
While this might seem like an attack that focuses on individuals, company computers (mainly servers) usually have far more resources than a personal one. Attackers focus on corporate computers for their massive amount of resources and computing power. With high-end servers at the attacker’s disposal, they can much more efficiently mine cryptocurrency. The hard part is getting past enterprise defenses, which are usually much more sophisticated and efficient compared to an individual user’s.
The source of infection usually stems from an insider who downloads and installs the malware. Usually, the attacker starts with a phishing email, either with an attachment or with a link to a site from which you can download an executable. An email with an executable attachment is blocked by many email servers, so the attacker uses a document attachment with a malicious macro instead. The macro runs and downloads the malicious content to the user's local machine. Once the trojan runs, the machine is at the disposal of the attacker.
Enterprise administrators can take several precautions when defending against this type of threat. First, filter incoming email from outside accounts that carries executable attachments. Educate users never to open attachments from untrusted sources, and never to run macros from attached documents.
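The attachment filtering described above can be made concrete with a small mail-gateway check. The following is an added example written for this article, not code from the page or from any vendor named here; it uses only Python's standard library and a constructed test message with four attachments (none of them real malware). It goes a little beyond the paragraph by also catching the two evasions that defeat an extension-only rule: a Windows executable renamed to look like a PDF (the `MZ` header gives it away), and a `.docx` that secretly contains a `vbaProject.bin` macro project. The extension lists and thresholds are policy assumptions, not values from the page.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Assumed policy: file extensions that should never arrive from outside the organisation.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "ps1", "msi", "hta"}
# Office extensions that advertise an embedded macro project.
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}
# All OOXML (zip-based) Office formats; a "plain" .docx can still hide a macro project.
OOXML_EXTENSIONS = {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"} | MACRO_EXTENSIONS


def contains_vba_project(data: bytes) -> bool:
    """OOXML documents are zip containers; a macro project is stored as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> Optional[str]:
    """Return the reason an attachment should be blocked, or None if it passes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return f"executable extension .{ext}"
    if data[:2] == b"MZ":
        # Windows PE header, whatever name the sender gave the file.
        return "PE executable disguised as ." + (ext or "(none)")
    if ext in MACRO_EXTENSIONS:
        return f"macro-enabled Office extension .{ext}"
    if ext in OOXML_EXTENSIONS and contains_vba_project(data):
        return "Office document with embedded VBA project"
    return None


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Walk every MIME part with a filename and collect (filename, block reason) pairs."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue
        payload = part.get_payload(decode=True) or b""
        reason = classify_attachment(fname, payload)
        if reason:
            findings.append((fname, reason))
    return findings


def _ooxml_stub(with_macro: bool) -> bytes:
    """Build a minimal zip that looks like an OOXML document (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic only, no real code
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed inbound message with four attachments; only the last one is clean."""
    msg = EmailMessage()
    msg["From"] = "outside@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    pe_header = b"MZ\x90\x00" + b"\x00" * 28  # first bytes of a PE file, nothing more
    msg.add_attachment(pe_header, maintype="application", subtype="octet-stream", filename="setup.exe")
    msg.add_attachment(pe_header, maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(_ooxml_stub(True), maintype="application", subtype="octet-stream", filename="invoice.docx")
    msg.add_attachment(_ooxml_stub(False), maintype="application", subtype="octet-stream", filename="notes.docx")
    return bytes(msg)


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

Run stand-alone it blocks `setup.exe`, `invoice.pdf` and `invoice.docx` and lets `notes.docx` through. A real gateway would also unpack archives and apply the same checks inside them, since zipping an executable is the oldest way around a filter like this.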
Some antivirus applications such as Windows Defender block malicious miner applications. A user can detect a possible miner attack when their computer shows an unexplained, sustained spike in CPU and memory usage. The computer then becomes slow, and some applications may hang even after a reboot.
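The symptom described above, a CPU spike that does not go away, is something endpoint telemetry can flag automatically. The following is an added example written for this article, not code from the page or from any product it mentions: it runs a "sustained high CPU" rule over a constructed set of per-process samples taken ten seconds apart. The rule only fires when one process stays at or above the threshold for several consecutive samples, so a short burst from a compiler or a browser tab does not trigger it. The threshold (80%) and window (5 samples) are assumptions to tune for your fleet.

```python
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Assumed rule parameters: "sustained" means at least MIN_SAMPLES consecutive
# samples at or above CPU_THRESHOLD percent for the same process.
CPU_THRESHOLD = 80.0
MIN_SAMPLES = 5

# Constructed telemetry, not real data: (seconds since start, process name, pid, cpu %).
# updater.exe sits near 100% the whole time; compiler.exe is busy for three samples
# then finishes; chrome.exe spikes briefly twice with idle samples in between.
SAMPLES = [
    (0, "updater.exe", 4120, 96.0), (0, "compiler.exe", 5000, 95.0), (0, "chrome.exe", 3000, 85.0),
    (10, "updater.exe", 4120, 98.5), (10, "compiler.exe", 5000, 94.0), (10, "chrome.exe", 3000, 82.0),
    (20, "updater.exe", 4120, 97.2), (20, "compiler.exe", 5000, 91.0), (20, "chrome.exe", 3000, 30.0),
    (30, "updater.exe", 4120, 99.0), (30, "compiler.exe", 5000, 12.0), (30, "chrome.exe", 3000, 90.0),
    (40, "updater.exe", 4120, 95.5), (40, "chrome.exe", 3000, 35.0),
    (50, "updater.exe", 4120, 97.8),
]

ProcessKey = Tuple[str, int]


def sustained_high_cpu(samples: Iterable[Tuple[int, str, int, float]],
                       threshold: float = CPU_THRESHOLD,
                       min_samples: int = MIN_SAMPLES) -> Dict[ProcessKey, int]:
    """Return {(name, pid): longest consecutive run} for processes that met the rule.

    Samples are processed in time order; a single sample below the threshold resets
    that process's run, which is what separates a stuck miner from bursty work.
    """
    current_run: Dict[ProcessKey, int] = defaultdict(int)
    longest_run: Dict[ProcessKey, int] = defaultdict(int)
    for _ts, name, pid, cpu in sorted(samples):
        key = (name, pid)
        if cpu >= threshold:
            current_run[key] += 1
            longest_run[key] = max(longest_run[key], current_run[key])
        else:
            current_run[key] = 0
    return {key: run for key, run in longest_run.items() if run >= min_samples}


def describe_alerts(alerts: Dict[ProcessKey, int], interval_seconds: int = 10) -> Dict[ProcessKey, str]:
    """Turn a run length into a human-readable alert line for a ticket or SIEM event."""
    return {
        key: f"{key[0]} (pid {key[1]}) held >= {CPU_THRESHOLD:.0f}% CPU for {run * interval_seconds}s"
        for key, run in alerts.items()
    }


if __name__ == "__main__":
    for line in describe_alerts(sustained_high_cpu(SAMPLES)).values():
        print("ALERT:", line)
```

On the constructed data only `updater.exe` is reported. An alert like this is a trigger for investigation rather than proof of mining: the next step is to check where the binary lives, who signed it (the article notes Mediaget's build was signed with a stolen certificate, so a valid signature alone is not exoneration), and whether it is making outbound connections to mining pools.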