
CryptoLurker hacker crew skulk about like cyberspies, earn $$$

Miner prying by minor spying

By John Leyden


A sophisticated mystery hacker group is using tactics more familiar to the world of cyber espionage to earn millions through mining malware.

Kaspersky Lab researchers report that cybercrooks have begun using infection methods and techniques borrowed from targeted attacks in order to install mining software.

The most successful such group earned at least £5m by exploiting their victims in the space of just six months last year, according to the security software firm's estimates.


The group is using advanced persistent threat (APT)-style techniques and tools to infect users' devices with miners. It has been using the process-hollowing method, usually seen in malware and in some targeted attacks by APT actors, which had never before been observed in mining attacks.

Prospective victims are lured into downloading and installing software containing a hidden miner. The installer drops a legitimate Windows utility at the same time it covertly installs crypto-mining malware.

After execution, a legitimate system process starts but the code of this process quickly turns malicious. As a result, the miner operates under the guise of a legitimate task, making it far less likely that victims will realise that anything is amiss. Even security software packages might be thrown off the scent by this tactic, according to researchers.
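The behaviour just described, a legitimate binary started and then replaced in memory by the miner, leaves a recognisable API-call footprint. The detector below is an added example, not code from the article or from Kaspersky Lab; it scans a constructed EDR/sandbox-style trace (the `Event` fields and API names are assumed) for the classic hollowing sequence and reports the source and target processes.

```python
# Added example, not from the article: flags the classic process-hollowing
# call sequence in a constructed EDR/sandbox-style API trace.
from dataclasses import dataclass

# Stages must hit the same target PID, in order, from the same source PID.
STAGES = (
    "CreateProcess_SUSPENDED",  # legitimate binary started suspended
    "NtUnmapViewOfSection",     # its image unmapped
    "WriteProcessMemory",       # miner code written in its place
    "SetThreadContext",         # entry point redirected
    "ResumeThread",             # hollowed process runs the miner
)

@dataclass(frozen=True)
class Event:
    ts: int       # constructed timestamp
    src_pid: int  # caller
    dst_pid: int  # target process
    api: str      # API name as the (hypothetical) sensor normalises it
    image: str    # on-disk image of the target

def find_hollowing(events):
    """Return (src_pid, dst_pid, image) for each target that passed all STAGES."""
    progress = {}  # (src, dst) -> index of the next expected stage
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src_pid, ev.dst_pid)
        idx = progress.get(key, 0)
        if idx < len(STAGES) and ev.api == STAGES[idx]:
            progress[key] = idx + 1
            if idx + 1 == len(STAGES):
                hits.append((ev.src_pid, ev.dst_pid, ev.image))
    return hits

# Constructed trace: PID 4242 (dropped installer) hollows PID 5100, a copy of a
# legitimate system utility; PID 900 writes to a child it started normally.
SAMPLE_TRACE = [
    Event(1, 4242, 5100, "CreateProcess_SUSPENDED", r"C:\Windows\System32\svchost.exe"),
    Event(2, 900, 901, "CreateProcess", r"C:\Windows\System32\notepad.exe"),
    Event(3, 4242, 5100, "NtUnmapViewOfSection", r"C:\Windows\System32\svchost.exe"),
    Event(4, 4242, 5100, "WriteProcessMemory", r"C:\Windows\System32\svchost.exe"),
    Event(5, 900, 901, "WriteProcessMemory", r"C:\Windows\System32\notepad.exe"),
    Event(6, 4242, 5100, "SetThreadContext", r"C:\Windows\System32\svchost.exe"),
    Event(7, 4242, 5100, "ResumeThread", r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for src, dst, image in find_hollowing(SAMPLE_TRACE):
        print(f"possible process hollowing: pid {src} -> pid {dst} ({image})")
```

Variants of the technique skip the unmap stage, so a production rule would treat that step as optional and pair the sequence with a check that the target's in-memory image no longer matches its on-disk file.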

[Figures: infection chain of the sophisticated mining malware, and a process hollowing example. Both graphics from Kaspersky Lab blog post.]

If the user tries to stop the process, the computer system reboots. This combination of tactics makes it more likely that mining malware will stay on infected systems longer, increasing the money-making potential for crooks.

The hacking group behind these tactics has been mining Electroneum coins and earned almost £5m during the second half of 2017, comparable to the sums that ransomware creators used to earn.

Rise up, miners

From September 2017, Kaspersky Lab recorded a rise in miners that has begun to eclipse ransomware as a cybercrime racket. Unlike ransomware, cryptojacking doesn't destructively harm users' kit and is able to stay undetected for a long time by silently using the PC's CPU and GPU power.

The growing availability of miner builders, open miner pools and partner programs is making it easy for unskilled would-be crooks to get a slice of the action from the growing miner menace. The most popular miner tool used by threat actors is Nanopool, Kaspersky Lab reports.

"We see that ransomware is fading into the background, instead giving way to miners," said Anton Ivanov, lead malware analyst at Kaspersky Lab. "This is confirmed by our statistics, which show a steady growth of miners throughout the year, as well as by the fact that cybercriminal groups are actively developing their methods and have already started to use more sophisticated techniques to spread mining software.

"We have already seen such an evolution – ransomware hackers were using the same tricks when they were on the rise."

Overall, 2.7 million users were attacked by malicious miners in 2017, according to Kaspersky Lab data. This represents a year-on-year growth of 50 per cent compared to 2016, when 1.87 million attacks on users were logged by the firm.

Adware, cracked games and pirated software have all been used by cybercriminals to secretly infect PCs with crypto-mining malware. Web mining through a special code located in an infected web page is also growing in prevalence. The most widely used web miner was CoinHive, discovered on many popular websites. ®
