Hackers Using Process Hollowing to Hide Crypto Jacking from Detection

Friday, 13/12/2019 | 06:34 GMT by Arnab Shome
  • The mining process is also controlled to avoid any unnecessary alarms.
Hackers Using Process Hollowing to Hide Crypto Jacking from Detection
Pixabay

In an attempt to hide cryptojacking malware on victims' computers, hackers evolved their attacking tactics and are using process hollowing, per a ZDNet report.

This was revealed by three researchers from cybersecurity company Trend Micro - Arianne Dela Cruz, Jay Nebre, and Augusto Remillano - on Wednesday.

Hackers ran an organized campaign with the malware, using an interesting dropper component containing a malicious secret, throughout November across countries including Kuwait, Thailand, India, Bangladesh, the United Arab Emirates, Brazil, and Pakistan.

A secure way to mine crypto

The report detailed that this attack technique is sophisticated as the file injected into the victim's computer acts as both a malware dropper and a container, and is not malicious itself. The file contains main executable and Crypto Mining codes but renders them as inactive.

To trigger the malicious behavior, the dropper needs a specific set of command-line codes which act as a trigger. After the Execution , the file acts as a normal file and leaves no trace of any malicious file. This technique is popularly known as process hollowing.

Moreover, to avoid malware scans, the malicious code is hidden in a directory without an extension.

To avoid any sudden trigger, the malware mines digital currency, mostly Monero, in a controlled way.

“While the number of new routines for malicious cryptocurrency miners has increased, overall detections for coin mining activities have decreased this year,” the cybersecurity company explained. “We suspect that the cybercriminals behind this particular campaign may have been taking advantage of the decreased number of competitors, especially as the year comes to a close.”

To hide from detection, attackers are using several techniques to profitably mine Monero on other peoples' computers. Late last month, Finance Magnates reported that infamous botnet Stantinko has added crypto mining capabilities and is using YouTube to hide its malpractices.

In an attempt to hide cryptojacking malware on victims' computers, hackers evolved their attacking tactics and are using process hollowing, per a ZDNet report.

This was revealed by three researchers from cybersecurity company Trend Micro - Arianne Dela Cruz, Jay Nebre, and Augusto Remillano - on Wednesday.

Hackers ran an organized campaign with the malware, using an interesting dropper component containing a malicious secret, throughout November across countries including Kuwait, Thailand, India, Bangladesh, the United Arab Emirates, Brazil, and Pakistan.

A secure way to mine crypto

The report detailed that this attack technique is sophisticated as the file injected into the victim's computer acts as both a malware dropper and a container, and is not malicious itself. The file contains main executable and Crypto Mining codes but renders them as inactive.

To trigger the malicious behavior, the dropper needs a specific set of command-line codes which act as a trigger. After the Execution , the file acts as a normal file and leaves no trace of any malicious file. This technique is popularly known as process hollowing.

Moreover, to avoid malware scans, the malicious code is hidden in a directory without an extension.

To avoid any sudden trigger, the malware mines digital currency, mostly Monero, in a controlled way.

“While the number of new routines for malicious cryptocurrency miners has increased, overall detections for coin mining activities have decreased this year,” the cybersecurity company explained. “We suspect that the cybercriminals behind this particular campaign may have been taking advantage of the decreased number of competitors, especially as the year comes to a close.”

To hide from detection, attackers are using several techniques to profitably mine Monero on other peoples' computers. Late last month, Finance Magnates reported that infamous botnet Stantinko has added crypto mining capabilities and is using YouTube to hide its malpractices.

About the Author: Arnab Shome
Arnab Shome
  • 6654 Articles
  • 102 Followers
About the Author: Arnab Shome
Arnab is an electronics engineer-turned-financial editor. He entered the industry covering the cryptocurrency market for Finance Magnates and later expanded his reach to forex as well. He is passionate about the changing regulatory landscape on financial markets and keenly follows the disruptions in the industry with new-age technologies.
  • 6654 Articles
  • 102 Followers

More from the Author

CryptoCurrency

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}