In an attempt to hide cryptojacking malware on victims' computers, hackers have evolved their tactics and are now using process hollowing, according to a ZDNet report.
This was revealed by three researchers from cybersecurity company Trend Micro - Arianne Dela Cruz, Jay Nebre, and Augusto Remillano - on Wednesday.
Hackers ran an organized campaign with the malware throughout November, using a dropper component that conceals a malicious payload, across countries including Kuwait, Thailand, India, Bangladesh, the United Arab Emirates, Brazil, and Pakistan.
A secure way to mine crypto
The report detailed that the technique is sophisticated: the file placed on the victim's computer acts as both a malware dropper and a container, and is not malicious on its own. It contains the main executable and the cryptomining code but keeps them inactive.
To trigger the malicious behavior, the dropper needs a specific set of command-line arguments that act as its trigger. After execution, the file behaves like a normal file and leaves no trace of any malicious file. This technique is popularly known as process hollowing.
Moreover, to evade malware scans, the malicious code is hidden in a directory without a file extension.
To avoid triggering suspicion, the malware mines digital currency, mostly Monero, at a controlled rate.
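A defender-side check for the point above, added here as an example and not taken from the article or the Trend Micro report: it walks a directory tree and flags extension-less files whose bytes nevertheless carry a Windows PE (executable) header, which is the kind of file an extension-based scan would skip. The directory names and sample bytes are constructed for the demonstration.

```python
import os
import struct
import tempfile


def looks_like_pe(path):
    """True if the file starts with 'MZ' and its e_lfanew field points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            header = f.read(0x40)
            if len(header) < 0x40 or header[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)  # offset of PE signature
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def find_extensionless_executables(root):
    """Return paths (relative to root, '/' separated) of extension-less files with a PE header."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1]:
                continue  # has an extension; not the case this hunt targets
            full = os.path.join(dirpath, name)
            if looks_like_pe(full):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def demo():
    """Constructed sample tree: a disguised PE stub, a harmless text file, and a normal .exe."""
    fake_pe = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", fake_pe, 0x3C, 0x40)      # e_lfanew -> 0x40
    fake_pe += b"PE\0\0" + b"\0" * 20                # PE signature follows
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "AppData", "Cache")
        os.makedirs(cache)
        with open(os.path.join(cache, "payload"), "wb") as f:   # extension-less executable
            f.write(fake_pe)
        with open(os.path.join(cache, "readme"), "wb") as f:    # extension-less, not a PE
            f.write(b"just text\n")
        with open(os.path.join(root, "AppData", "setup.exe"), "wb") as f:  # has an extension
            f.write(fake_pe)
        return find_extensionless_executables(root)


if __name__ == "__main__":
    print(demo())
```

Only the disguised stub is reported; the text file fails the header check and the `.exe` is left to ordinary extension-based scanning.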
“While the number of new routines for malicious cryptocurrency miners has increased, overall detections for coin mining activities have decreased this year,” the cybersecurity company explained. “We suspect that the cybercriminals behind this particular campaign may have been taking advantage of the decreased number of competitors, especially as the year comes to a close.”
To hide from detection, attackers are using several techniques to profitably mine Monero on other people's computers. Late last month, Finance Magnates reported that the infamous Stantinko botnet has added cryptomining capabilities and is using YouTube to conceal its malicious activity.