The obfuscation capabilities of cryptocurrency mining malware creators are becoming increasingly sophisticated, according to cybersecurity researchers at Trend Micro.
This is evidenced by a new cryptocurrency mining malware the researchers came across, which employs multiple techniques to evade detection. Identified as Coinminer.Win32.MALXMR.TIAOODAM, the malicious crypto mining software poses as an installer file for the Windows operating system when it arrives on the machine of its target. This use of a real component of the Windows OS not only makes it appear less suspicious but also allows the malware to bypass particular security filters.
From the analysis conducted by the cybersecurity researchers, the cryptojacking software installs itself in this folder: %AppData%\Roaming\Microsoft\Windows\Template\FileZilla Server. FileZilla is a free open-source application for transferring files over the internet. If the directory does not already exist, the malware proceeds to create it.
Among the files contained in the directory is a script created to terminate any anti-malware processes which may be running.
Somewhere in Eastern Europe…
The installation process of the particular crypto mining malware involves more measures aimed at preventing detection. Interestingly, the installation process is done in Cyrillic, indicating that the creators are possibly based in Eastern Europe or other places that use the writing system.
After installation, the malware will create three new Service Host processes, some of which are used to re-download the malware in case of termination:
“The first and second SvcHost processes will act as a watchdog, most likely to remain persistent. These are responsible for re-downloading the Windows Installer (.msi) file via a Powershell command when any of the injected svchost processes are terminated,” Trend Micro’s Janus Agcaoili and Gilbert Sison wrote in a blog post.
The crypto mining malware also possesses a self-destruct mechanism aimed at making detection and analysis even more difficult. This is achieved by deleting every file contained in the installation directory as well as getting rid of all traces of installation.
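The behaviours described above (the install folder, the extra Service Host processes and the PowerShell re-download of the .msi file) can be turned into process-creation hunting rules. The sketch below is an added example, not code from Trend Micro or from the malware. The event field names, the sample events and the `example.invalid` URL are constructed, and the rule that svchost.exe should be started by services.exe is a common hunting heuristic rather than something the report states.

```python
import re

# Tail of the install folder named in the article, compared case-insensitively.
INSTALL_DIR = r"\microsoft\windows\template\filezilla server"
MSI_RE = re.compile(r"\.msi\b", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the names of the rules a process-creation event triggers."""
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    cmd = ev.get("command_line", "")
    hits = []
    # Rule 1: the reported install folder appears anywhere in the event.
    if any(INSTALL_DIR in s.lower() for s in (ev["image"], ev["parent_image"], cmd)):
        hits.append("install_dir")
    # Rule 2 (assumed heuristic): genuine svchost.exe is started by services.exe.
    if image == "svchost.exe" and parent != "services.exe":
        hits.append("svchost_unusual_parent")
    # Rule 3: watchdog behaviour, svchost starting PowerShell that references an .msi.
    if parent == "svchost.exe" and image in ("powershell.exe", "pwsh.exe") and MSI_RE.search(cmd):
        hits.append("svchost_powershell_msi")
    return hits

def scan(events):
    """Map event index -> triggered rules, for events that trigger any."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}

# Constructed sample events (not taken from the Trend Micro report).
DROP = r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Template\FileZilla Server\sample.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"image": SVCHOST, "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"image": DROP, "parent_image": r"C:\Windows\System32\msiexec.exe", "command_line": DROP},
    {"image": SVCHOST, "parent_image": DROP, "command_line": "svchost.exe"},
    {"image": PS, "parent_image": SVCHOST,
     "command_line": "powershell.exe -Command <download of http://example.invalid/setup.msi>"},
    {"image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -File build.ps1 -Package app.msi"},
]

if __name__ == "__main__":
    for idx, rules in scan(EVENTS).items():
        print(idx, rules)
```

Because the malware deletes its installation directory on self-destruct, these rules only help against process-creation telemetry that was collected and retained off the host.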
Taking No Chances
According to Trend Micro’s researchers, the creators of the malware are also taking extra precautions to avoid detection by using WiX, a popular Windows Installer, as a packer.
This comes at a time when various studies have shown that incidents of cryptojacking are on the rise across the globe. As CCN reported in September, cybersecurity consortium Cyber Threat Alliance estimates that cryptojacking has risen by 459% this year.
Earlier this year, Kaspersky Labs indicated that ransomware attacks were declining and this was down to the fact that bad actors are increasingly turning to cryptojacking, as it is more lucrative.