As Bitcoin’s price continues to soar beyond $4,000 USD per, cybercriminals are responding in kind by using techniques long reserved for adware, click-fraud and spying to now drop cryptocurrency miners onto compromised computers.
The latest incident comes from a rash of drive-by downloads that are being used to install coin-mining malware called Zminer, according to researchers from Netskope.
The Zminer executable is being dropped from an exploit kit, which in turn connects with an Amazon S3 storage bucket to grab two payloads called Claymore CryptoNote CPU Miner and Manager.exe. Claymore is the mining utility used to produce Monero, an open-source cryptocurrency that goes to lengths to obfuscate its blockchain, making it a challenge to trace any activity. Manager oversees the mining and includes instructions for the Windows Task Scheduler, said Ashwin Vamshi, a security researcher at Netskope.
“We typically have observed that after a victim is infected by an exploit kit, for example, Neptune exploit kit, the victim’s machine is driven through these drive-by-download sites,” Vamshi told Threatpost. “At this time we did not find enough evidence of particular sites or category of sites leading to Zminer.”
One twist is that Zminer, once it’s up and running on a victim’s machine, seeks out and disables Windows Defender by adding several keys in the system registry. Vamshi said Netskope has not seen any version of Zminer trying to disable other antimalware or host-based intrusion prevention software.
“On the network side, given that the communication to download the payload is over HTTPS and the interaction with a managed cloud application Amazon AWS, if network-IPS does not have the capability to inspect encrypted channels and understand activity-level transactions of Amazon AWS, they would fail to protect enterprise customers,” Vamshi said.
Earlier this week, FireEye reported that attackers were using Neptune to spread miners through malvertising. FireEye said the kit has been redirecting victims with popups from fake hiking ads to exploit kit landing pages and in turn to HTML and Adobe Flash exploits. Some sites that convert YouTube videos to MP3s are also implicated in these attacks, all of which redirect to a site hosting a Monero miner download.
Netskope provided details on two separate operations that have netted 101 Monero, or $8,300 USD, and 44 Zcash, or $10,100 USD so far. Zminer uses Monero on 32-bit Windows systems, and Zcash on 64-bit.
“Since the mining operation usually involves a lot of computing power, the CPU usage will be extensively dominated by the miner. As a result, the machines or workstations start functioning abnormally slow,” Vamshi said. “We have only observed Zminer disabling Windows Defender and it used no other technique to evade detection of the CPU usage. Users should treat abnormal increase in CPU usage as a potential indicator for coin-mining malware.”
Netskope, meanwhile, has privately reported to Amazon the S3 URLs hosting the Zminer payloads, and Vamshi said it is awaiting a response.
“The attacker has chosen Amazon Simple Storage Service as it is easy to deliver the payload and make the victim believe the source is trusted,” Vamshi said.
In the meantime, coin mining continues to be a viable revenue-generating option for criminals. Even nation-state attackers from North Korea alleged to be behind May’s WannaCry ransomware outbreak used the NSA’s EternalBlue SMB exploit to spread the Adylkuzz miner.
“Coin mining allows anyone with access to the internet and suitable hardware to participate in mining and generate money,” Vamshi said. Cryptocurrency currently has a global market cap of $153 billion, and it’s climbing.
“Of late, we along with the rest of the security industry have seen a growing trend of crypto-mining malware,” Vamshi said. “We can only speculate that there are enough threat actors with a primary focus of generating money treading along this new path may be due to the fact that there is not a lot of money they are able to generate via ransomware.”