It appears Windows is providing “windows” to hackers. According to The Next Web, hackers are hiding cryptocurrency malware in Windows installation files as part of a recent crypto-jacking effort.
Crypto-jacking is nothing new. It’s a topic we’ve discussed before and will likely do so again before the year is out. The process occurs when a hacker takes control of a victim’s computer without their knowledge or consent and uses their computing power to mine cryptocurrency.
Most crypto-jacking efforts result in the extraction of new Monero coins, one of the most popular cryptocurrencies among digital thieves due to its anonymous properties.
Some Recent Cases
Most recent cases involve Korea, in which the southern country accused its northern counterpart of taking over several computers to mine crypto. A U.S.-based cybersecurity firm investigating the situation later issued a report that appeared to verify everything South Korea was saying.
The computers examined in the firm’s study suggested that they had been infected with malware designed to mine Monero, and that the funds were being directed to Kim II Sung University in Pyongyang, North Korea’s capital city.
Another example occurred via Adobe Flash updates that were infected with hidden mining code. This code was very difficult to find, as the Adobe Flash updates worked exactly as they were supposed to. The updates occurred without issue, and thus none of the victims were given any clues as to what was really going on. The malware was discovered by Palo Alto Networks, a cybersecurity firm named after Palo Alto in northern California.
The New Pathway to YOUR Computer
Now, researchers from security venture Trend Micro have found mining software hidden in Windows installation packages. Known as Coinminer, the software is designed to be very elusive and uses a series of obfuscation methods.
A report from Trend Micro reads:
“The malware arrives on the victim’s machine as a Windows Installer MSI file, which is notable because Windows Installer is a legitimate application used to install software. Using a real Windows component makes it look less suspicious and potentially allows it to bypass certain security filters.”
Hiding in the Shadows
In addition, researchers state that once the software is installed, various files are activated that act as decoys. The installer also comes with a script that counteracts all anti-malware processes occurring on the victim’s computer, making it very difficult to counteract the software.
It even comes equipped with a self-destruct mechanism to prevent anybody from nosing around too much. Trend Micro’s report says:
“To make detection and analysis even more difficult, the malware also comes with a self-destruct mechanism. It deletes every file under its installation directory and removes any trace of installation in the system.”
Trend Micro has claimed that while it cannot trace the attacks back to a specific country or point of origin, it has noted that the installer uses Cyrillic, an extremely popular software brand among cybercriminals.
A Few More Recent Cases
In a recent high-profile case of crypto-jacking, a Canadian university was forced to shut down its entire network last week after it was discovered that hackers were attempting to utilize its computing power to mine bitcoin. Furthermore, new reports suggest that crypto-jackers and cyberthieves are ultimately stealing approximately $250,000 each month. That’s a lot of money for people who didn’t earn it…
Last April, Google sought to crack down on Chrome extensions that ran cryptocurrency mining scripts as a means of protecting users against crypto-jacking. The company wrote in a blog post:
“Approximately 90 percent of all extensions with mining scripts that developers have attempted to upload to Chrome Web Store have failed to comply with our policies and have either been rejected or removed from the store.”
1 Comment
Which software is this Cyrillic? I thought it was an alphabet!?