- Cybersecurity researchers have found malware that’s embedded in WAV music files.
- The Coinhive demise did not stop the spread of cryptojacking attacks.
- Hackers are coming up with more sophisticated cryptomining vector attacks.
Hackers are using advanced obfuscation techniques to embed malware in music files. According to Cylance, strains of malware have been found embedded in WAV audio files. They appear uncorrupted and play just fine, although some generate static noise.
Once the files are downloaded or opened, malicious code containing the XMRig Monero CPU miner is executed. The malware is reported to consist of two main components, a Least Significant Bit (LSB) stenography code, and decoders to execute the worm.
The extra layer of encryption enables malware to be embedded in any file without the attacker having to compromise its structural components. This makes detection extremely hard.
The news comes in the wake of another cryptojacking worm discovery by the Palo Alto Networks group. It exploits the platform-as-a-service (PaaS) solution that’s used by software developers to test and deploy applications on both Windows and Linux platforms.
Docker allows apps to run in a separate virtual environment from other windows applications, allowing developers to run applications on shared system resources. Many of the infected files were found in the Docker Community library. Some had been downloaded as many as 16,000 times. They have since been removed.
Endpoint security systems rarely inspect container applications such as Docker for malicious code and this allows for malware to spread. According to the Unit 42 report, the virus autonomously continues to scan networks for vulnerabilities after it is deployed and continues to infect random hosts while staying in contact with its command server.
Many of the discovered infected Docker images retained their functionality but featured a backdoor that allowed the infiltration of infected machines.
The Cryptojacking menace is Evolving
Cryptojacking attacks spiked in 2017 in tandem with the crypto mining fever. The rise of bitcoin prices led to an escalation in market capitalization, which subsequently led to the popularity of privacy-centric coins such as Monero. The development of mining codes such as Coinhive, which allowed webmasters to harness visitor CPU power, contributed greatly to the rise of cryptojacking attacks.
As of March 2018, cryptojacking attacks were a leading security issue. Coinhive closed its doors in March this year, causing the number of reported incidences to drop momentarily. Fast forward to the present and researchers are stumbling upon more advanced mining codes that utilize native system processes such as PowerShell to avoid detection.
McAfee’s August cybersecurity report proclaimed a 29 percent increase in cryptojacking attacks during the first quarter of this year. Among the most common cryptojacking miners was PsMiner, a type of malware that attacks servers running applications like Hadoop, Redis, SqlServer, ElasticSearch, ThinkPHP, Spring, and Weblogic.
The document also highlighted the capabilities of a new multi-purpose family of miners such as CookieMiner. This new strain of cryptojackers can also be used to steal credentials, including passwords, when users access crypto platforms such as Bitstamp, Binance, Bittrex, Coinbase, and MyEtherWallet via infected systems. CookieMiner apparently achieves this through Empyre backdoor integration.