New Cryptojacking Campaign Infects Asia Using More Profitable Tactics

Cryptojacking — the process of infecting computers with malware to mine cryptocurrency — has declined alongside prices during cryptowinter. But like any dextrous organism facing extinction, the virus and its propagators are adapting.

According to a report by cybersecurity analytics firm Symantec, cryptojacking incidents have plummeted 52 percent since January 2018, but the method of delivery, the execution and the targeting schemes have grown more sophisticated.

Specifically, Symantec’s latest report focused on Beapy, a cryptojacking campaign sweeping through Asia by taking specific aim at business and enterprise. Using a software exploit called EternalBlue, which was developed by the United States’ own NSA, the virus is spread via email. Symantec first tuned into the growing threat in January of this year.

With infection rates spiking in March and continuing an exponential upward trajectory since, the firm has concluded that, based on the virus’s infection route, “it was probably always intended to spread throughout enterprise networks.” Described as a “worm” by the report, the virus effectively infiltrated vulnerable devices and, using a matrix of cyber tunnels, bored its way into devices connected to the same server or network.

“This campaign demonstrates that while cryptojacking has declined in popularity with cyber criminals since its peak at the start of 2018, it is still a focus for some of them, with enterprises now their primary target,” the introduction to the report asserts.

beapyfig1.png

Graph courtesy of Symantec

Some 98 percent of infected parties are enterprise related, the report continues, mirroring 2018 trends in ransomware attacks wherein a drop in overall threats corresponded with an increase in enterprise-focused infections. These attacks, Symantec Threat Intelligence Analyst Allan Neville told Bitcoin Magazine, can “[render] some devices unusable due to high CPU usage.”

China has become the main target of this particular attack, dwarfing all other affected countries with a staggering 83 percent share of all infections. Other afflicted countries include Japan, Vietnam, South Korea, Hong Kong, Taiwan, Bangladesh, Philippines and — the only two outside of the Eastern Hemisphere — Jamaica and Japan.

Virus Infection Strategy

The virus was initially spread through Windows devices via an infected Excel spreadsheet. Once opened, the spreadsheet would create a backdoor into the computer’s OS, making use of the DoublePulse exploit that was leaked in the same batch of cyber tools that gave the attackers the EternalBlue vector for their operations.

Exploiting a weak point in Windows’ Server Message Block protocol, the files containing the virus could then be spread “laterally across networks.”

The mining malware also commandeered credentials, such as passwords and usernames, from infected devices to spread to other computers in a network. Moreover, the firm found versions of Beapy on a public-facing web server, using a list of IP addresses connected to this server to create a hit list of potential victims.

More Upside Than Before

One of the study’s most interesting findings is that Beapy is unlike the run-of-the-mill cryptojacking malware most often employed when infections were at their zenith in early 2018.

Most of these campaigns employed browser-based miners. These viruses largely leveraged the Coinhive protocol, a non-malicious software implementation that was employed by such sites as UNICEF, allowing its website visitors to voluntarily mine Monero for charity through their browsers upon visiting the site. Coinhive shuttered operations in March of 2019, and this, coupled with Monero’s steep depreciation in the bear market, likely led to a steady decline in cryptojacking, the report surmises.

Beapy, however, doesn’t rely on browser mining, opting instead for a much more lucrative and complex file mining approach. Unlike browser mining, file mining is more resource efficient and makes for a greater haul: the average 30-day return for this technique, for instance, could net the virus’s blackhats $750,000, making the browser mining alternative’s return seem paltry at $30,000.

beapyfig2.jpg

Image courtesy of Symantec

Despite it being on the rise, “file-based coinmining isn’t new,” Neville told Bitcoin Magazine; it’s just “taken a back seat to browser-based coinmining the past couple of years” due to the fact that browser-based mining cryptojacking takes less technical skill.

“The launch of Coinhive — with its ready made scripts — lowered this barrier even further,” he added.

Furthermore, even if a computer is patched against the virus, they will still execute browser mining if they visit a site “that has coin-mining code injected into it.”

Neville clarified that it’s “too early to tell if we’ll see a resurgence in file-based mining compared to browser-based mining.” Still, as detection and protection against Coinminers improves, cyber criminals will look toward “alternative revenue sources.”

“As cyber criminals hone their tactics, we’ve also seen that their approach becomes more targeted.”

Defending Against the Threat

The report ends by listing the side effects of such cryptojacking infections, including device overheating and excessive battery consumption, which can lead to device degradation and spikes in electricity costs.

It also details the precautions that companies can take to insulate against such attacks. On the hardware and software side, companies can employ security solutions “to guard against single-point failures in any specific technology or protection method,” including firewalls and vulnerability assessments; robust passwords and multi-factor authentication are also a bonus.

On the employee side, education is key. In addition to basic cyber hygiene, the report prescribes lessons on what cryptojacking is and how to spot it, like watching for spikes in CPU usage and a battery drain. Neville reiterated many of these points at the end of our correspondence.

“Beyond ensuring that employees receive regular training to recognize and report phishing emails used to deliver malware, businesses should implement overlapping and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This includes deployment of endpoint, email and web gateway protection technologies, as well as firewalls and vulnerability assessment solutions. It’s also crucial to keep these security solutions up to date with the latest protections and ensure systems are protected against exploits such as EternalBlue.

Be the first to comment

Leave a Reply