By Arianne Dela Cruz, Jay Nebre and Augusto Remillano II
As the value of cryptocurrencies increased (after a short dip in 2018), we observed increased activity from cryptocurrency mining malware this year, particularly infections and routines involving Monero miners. Over a span of a few months, we came across an infection routine that exploited vulnerabilities to propagate itself, and another that used fileless techniques to evade detection. Other routines involved the use of targeted attack tools to maximize profits, weaponized legitimate tools such as Windows Management Instrumentation to achieve persistence, and other sophisticated malware to hide cryptocurrency malware payloads to cash in on new platforms.
Recently, we found a cryptomining threat using process hollowing and a dropper component that requires a specific set of command line arguments to trigger its malicious behavior, leaving no trace for malicious activity detection or analysis to reference the file as malicious. The dropped file also acts as a container, which renders the main file inactive (without the correct arguments, the coinmining activity will also remain unexecuted). On its own, the file itself has no use and is not malicious, which allows it to evade detection. The campaign’s increased activity started in early November, and our telemetry recorded the most infection attempts on November 20th in Kuwait, Thailand, India, Bangladesh, the United Arab Emirates, Brazil and Pakistan.
Infection routine
The dropper is a ..
Support the originator by clicking the read the rest link below.
 Hollow and Innocent: Monero Miner Remains Undetected via Process Hollowing){kind=link}