Cryptojackers are still infecting computers all over the world while becoming more discreet and better at evading detection.
The data was released by Microsoft's 365 Defender Research Team, which on Thursday posted a new analysis of cryptojackers on its blog.
Microsoft Defender Antivirus detects cryptojackers on more than 200,000 devices per day using a variety of sensors and detection techniques, including its integration with Intel Threat Detection Technology (TDT). In the campaigns observed, attackers strongly favor abusing notepad.exe over the other legitimate system utilities available to them.
What are Cryptojackers?
Cryptojackers are mining malware that hijack a target's device resources and use them to mine cryptocurrency for the attacker's gain, without the user's knowledge or consent. They are one of the threat categories that have emerged and thrived since the advent of cryptocurrencies. Microsoft's threat data indicates that over the past year, organizations have encountered millions of cryptojackers.
Furthermore, according to Microsoft, cryptojackers are frequently written in JavaScript and in that case run in the browser to reach a system. The company also cautioned against fileless cryptojackers, which mine in a device's memory and maintain persistence by abusing legitimate programs and living-off-the-land binaries (LOLBins).
Cryptojacking operation
Among the many legitimate system utilities available, notepad.exe abuse is heavily favored by attackers in the campaigns that have been observed. One such campaign employed an improved version of the cryptojacker known as Mehcrypt.
- This is a significant evolution from the previous version, which used a script to reach its command-and-control (C2) server and download additional components that then carried out the malicious actions.
- The new version condenses all of its routines into a single script and connects to the C2 server only in the final stage of its attack chain.
- An archive file containing autoit.exe and a heavily obfuscated, randomly named .au3 script serves as the threat's delivery vehicle.
- When the archive is opened, autoit.exe is started and decodes the .au3 script in memory.
- Once running, the script continues to peel away further obfuscation layers and loads the additional decoded scripts into memory.
- The script then places a copy of itself and autoit.exe in a randomly named folder under C:\ProgramData.
- To run the script each time the device starts, the script adds autostart registry entries and creates a scheduled task that deletes the original files.
- The script then adds its persistence mechanisms, loads malicious code into VBC.exe using process hollowing, and connects to a C2 server to listen for commands.
- Depending on the C2 response, the script loads its cryptojacking code into notepad.exe, again using process hollowing.
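The chain above leaves a recognizable footprint in endpoint telemetry: an AutoIt interpreter running a .au3 script, a Run key pointing into a random folder under C:\ProgramData, a scheduled task created by a process in that folder, and vbc.exe or notepad.exe, neither of which has any business talking to the network, spawned from there and then making outbound connections. The following detector is an added example, not code from Microsoft or from the Mehcrypt writeup; the Sysmon-style JSON events it runs over are constructed for illustration (the paths, PIDs, folder name, IP address and ports are assumptions, not real indicators from the campaign), and the rule names and the three-stage threshold are this example's own choices.

```python
"""Hunt for the Mehcrypt-style cryptojacker chain in Sysmon-like JSON events.

Constructed example. Event fields mimic Sysmon: EventID 1 = process create,
EventID 13 = registry value set, EventID 3 = network connection.
"""
import json
import re

# Hollowing targets named in the writeup. Neither normally opens sockets.
NETWORK_NEVER = {"notepad.exe", "vbc.exe"}
# Assumption: the interpreter may ship under either common file name.
AUTOIT_IMAGES = {"autoit.exe", "autoit3.exe"}
# A randomly named folder directly under C:\ProgramData (the staging dir).
STAGING_DIR = re.compile(r"\\ProgramData\\[^\\]+\\", re.IGNORECASE)

# Constructed telemetry (not real logs). Last event is benign notepad usage
# and must not fire. Paths, PIDs, folder name, IP and ports are made up.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 4120, "ParentProcessId": 880, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\7zO1\\autoit.exe", "CommandLine": "autoit.exe x9f3k2.au3", "ParentImage": "C:\\Program Files\\7-Zip\\7zFM.exe"}
{"EventID": 1, "ProcessId": 4188, "ParentProcessId": 4120, "Image": "C:\\ProgramData\\k3j9ds\\autoit.exe", "CommandLine": "C:\\ProgramData\\k3j9ds\\autoit.exe C:\\ProgramData\\k3j9ds\\x9f3k2.au3", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\7zO1\\autoit.exe"}
{"EventID": 13, "ProcessId": 4188, "Image": "C:\\ProgramData\\k3j9ds\\autoit.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\k3j9ds", "Details": "C:\\ProgramData\\k3j9ds\\autoit.exe C:\\ProgramData\\k3j9ds\\x9f3k2.au3"}
{"EventID": 1, "ProcessId": 4300, "ParentProcessId": 4188, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /create /tn Cleanup /tr \"cmd /c del C:\\Users\\alice\\AppData\\Local\\Temp\\7zO1\\*\" /sc onstart", "ParentImage": "C:\\ProgramData\\k3j9ds\\autoit.exe"}
{"EventID": 1, "ProcessId": 4412, "ParentProcessId": 4188, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "CommandLine": "vbc.exe", "ParentImage": "C:\\ProgramData\\k3j9ds\\autoit.exe"}
{"EventID": 3, "ProcessId": 4412, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 8080}
{"EventID": 1, "ProcessId": 4520, "ParentProcessId": 4188, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "ParentImage": "C:\\ProgramData\\k3j9ds\\autoit.exe"}
{"EventID": 3, "ProcessId": 4520, "Image": "C:\\Windows\\System32\\notepad.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 3333}
{"EventID": 1, "ProcessId": 5000, "ParentProcessId": 900, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt", "ParentImage": "C:\\Windows\\explorer.exe"}
"""


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule, pid, detail) tuples, one per matching event."""
    findings = []
    for ev in events:
        eid, image = ev["EventID"], basename(ev.get("Image", ""))
        parent = ev.get("ParentImage", "")
        if eid == 1:
            cmd = ev.get("CommandLine", "")
            # Stage 1: AutoIt interpreter launched with a .au3 script.
            if image in AUTOIT_IMAGES and re.search(r"\.au3\b", cmd, re.I):
                findings.append(("autoit_script", ev["ProcessId"], cmd))
            # Stage 3: scheduled task created by something in the staging dir.
            if image == "schtasks.exe" and "/create" in cmd.lower() and STAGING_DIR.search(parent):
                findings.append(("schtask_from_staging", ev["ProcessId"], cmd))
            # Stage 4: hollowing target spawned from the staging dir. The parent
            # condition matters: vbc.exe alone is legitimately run by MSBuild.
            if image in NETWORK_NEVER and STAGING_DIR.search(parent):
                findings.append(("hollowing_candidate", ev["ProcessId"], parent))
        elif eid == 13:
            # Stage 2: Run-key autostart pointing into the staging dir.
            target, details = ev.get("TargetObject", ""), ev.get("Details", "")
            if re.search(r"\\CurrentVersion\\Run\\", target, re.I) and STAGING_DIR.search(details):
                findings.append(("run_key_staging", ev["ProcessId"], details))
        elif eid == 3 and image in NETWORK_NEVER:
            # Stage 5: a process that never needs the network opens a socket.
            dest = f"{ev['DestinationIp']}:{ev['DestinationPort']}"
            findings.append(("unexpected_network", ev["ProcessId"], dest))
    return findings


def analyze(text, min_stages=3):
    """Score a host: distinct chain stages seen, and whether that crosses the threshold."""
    findings = detect(parse_events(text))
    stages = sorted({rule for rule, _, _ in findings})
    return {"findings": findings, "stages": stages, "suspicious": len(stages) >= min_stages}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for rule, pid, detail in result["findings"]:
        print(f"{rule:22} pid={pid:<5} {detail}")
    print("stages:", result["stages"], "suspicious:", result["suspicious"])
```

Each rule on its own is noisy on a real fleet (AutoIt is a legitimate automation tool, and schtasks runs constantly), which is why the verdict counts distinct stages rather than raw hits; the one signal that stands alone is notepad.exe opening a network connection, which has no benign explanation and is the cheapest indicator of the hollowing step the writeup describes.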
The warning comes just a few weeks after Microsoft published a report describing how a widespread phishing campaign managed to steal sign-in credentials, hijack sign-in sessions, and bypass the authentication step even when multi-factor authentication (MFA) was enabled.