Is your security opening up a bag of worms?

Despite the headlines, cryptocurrency is still very much on the scene, especially as big names like Facebook try to crack the industry.

However, while there are many companies trying to do good things with bitcoin, there are also people looking to exploit it. Unsurprisingly, over the last few years, there has been an increase in crimes related to cryptocurrency. While some cyber criminals hold people’s digital assets ransom in return for cryptocurrency, others take a somewhat less upfront approach. 

In fact, a popular form of crime surrounding the new currency is cryptojacking. Mining takes a serious amount of power and resources to generate even a single bitcoin. Without building huge rigs that consume considerable electricity and space, it’s difficult to mine the digital coins, but criminals have found a way around this. By deliberately infecting unsuspecting victims’ computers, they hijack each device’s computing power and rig the machines into mining pools that mine various cryptocurrencies for the attackers. 

The latest discovery 

At Bitdefender, we recently discovered a worm-cryptominer combo that moves laterally between victims and installs cryptocurrency mining software on their devices. Previous research referred to this worm-cryptominer combo as Beapy/PCASTLE, as it uses a combination of Python and PowerShell, a pairing that produced a very profitable piece of malware once the two components were combined.

The malware has worm-like capabilities that seek out new systems sharing the victim’s network. It can propagate throughout local networks through known exploits such as the SMB EternalBlue exploit used during the well-known WannaCry ransomware outbreak. This is done with the sole purpose of infecting and adding even more systems to the mining pool, giving those behind the malware more computing power to mine for bitcoin. 
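The propagation described above leaves a recognisable trace in network flow logs: one internal host contacting many distinct peers on TCP/445 within a short window, which is exactly what SMB-exploit worms do and what ordinary file-share use does not. The following detection logic is an added example for this article, not Bitdefender’s code; the flow records are constructed, and the record layout (timestamp, source, destination, destination port) is an assumption rather than any real sensor’s format.

```python
"""Flag hosts fanning out over SMB (TCP/445), the pattern an SMB-exploit
worm leaves in flow logs while it looks for new systems to infect.

Added example, not Bitdefender's code. Records below are constructed; the
"timestamp src dst dport" layout is an assumption, not a real sensor format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records. 10.0.0.5 sweeps twelve neighbours on 445 in
# twelve seconds (worm-like); 10.0.0.7 talks to two file servers (benign);
# 10.0.0.9 uses HTTPS only and must be ignored entirely.
SAMPLE_FLOWS = """\
2019-06-01T10:00:00 10.0.0.5 10.0.0.20 445
2019-06-01T10:00:01 10.0.0.5 10.0.0.21 445
2019-06-01T10:00:02 10.0.0.5 10.0.0.22 445
2019-06-01T10:00:03 10.0.0.5 10.0.0.23 445
2019-06-01T10:00:04 10.0.0.5 10.0.0.24 445
2019-06-01T10:00:05 10.0.0.7 10.0.0.100 445
2019-06-01T10:00:05 10.0.0.5 10.0.0.25 445
2019-06-01T10:00:06 10.0.0.5 10.0.0.26 445
2019-06-01T10:00:07 10.0.0.5 10.0.0.27 445
2019-06-01T10:00:08 10.0.0.5 10.0.0.28 445
2019-06-01T10:00:09 10.0.0.7 10.0.0.100 445
2019-06-01T10:00:09 10.0.0.5 10.0.0.29 445
2019-06-01T10:00:10 10.0.0.5 10.0.0.30 445
2019-06-01T10:00:11 10.0.0.5 10.0.0.31 445
2019-06-01T10:00:12 10.0.0.9 10.0.0.100 443
2019-06-01T10:00:30 10.0.0.7 10.0.0.101 445
2019-06-01T10:03:00 10.0.0.5 10.0.0.40 445
"""


def parse_flows(text):
    """Parse constructed flow lines into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_smb_fanout(flows, min_targets=10, window=timedelta(seconds=60)):
    """Return {src_ip: distinct_targets} for every source that reached at
    least min_targets distinct hosts on TCP/445 inside one sliding window.

    Only port 445 is considered, so HTTPS traffic never contributes, and the
    count is of distinct destinations, so repeated use of one file server
    does not inflate a benign host's score.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))

    hits = {}
    for src, conns in by_src.items():
        conns.sort()  # chronological, so each window is a contiguous slice
        best = 0
        for i, (start, _) in enumerate(conns):
            targets = {dst for ts, dst in conns[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, count in find_smb_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {count} distinct SMB targets within 60s, investigate")
```

The sliding window matters: the late 10:03:00 connection from 10.0.0.5 falls outside the sweep and does not change its score, while a legitimate host that reaches a dozen shares spread across a whole day never crosses the threshold. In production the threshold and window are tuned per segment, and a hit on a workstation (rather than a backup or vulnerability scanner) is a strong prompt to isolate the host and check it for the miner and its SMB exploitation component.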

Beapy/PCASTLE is also interesting because it can pause the crypto mining process should it find a popular game or gaming platform running on the device. This suggests that if the malware ran alongside an application requiring heavy CPU or GPU usage, the resulting performance hit would make it easier to identify. 

Another defensive mechanism employed by its creators is the constant updating of the threat’s modules. This means the malware is always evolving, making it difficult for researchers to identify and analyse. 

Getting infected 

One of the most common infection methods is a new attack vector that was not previously associated with cryptocurrency miners. DriveTheLife, a free Windows application that lets users find and install driver updates or back up and restore drivers, was, along with similar applications, used by the malware’s developers to mount a supply chain attack on the application. They tampered with a DriveTheLife component that is normally responsible for downloading and executing files from a legitimate domain, manipulating it to download a malicious payload onto the victim’s machine from a rogue domain. 
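The weak point in the attack above is an updater that executes whatever it fetches, from whichever domain it was pointed at. The check below is an added example written for this article, not DriveTheLife’s or Bitdefender’s code: it shows the two controls such a component needs before running a download, an exact allowlist of update hosts and verification of the payload against a hash published separately (for instance in a signed manifest). The host name, payload bytes and expected hash are constructed placeholders.

```python
"""Validate an update download before it is executed.

Added example, not the project's own code. The allowlisted host and the
payload are constructed placeholders; the expected hash stands in for a value
the vendor would publish out-of-band (e.g. in a signed manifest), so that a
redirected download cannot also supply its own "correct" hash.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Exact host names the updater may fetch from (assumed, placeholder value).
ALLOWED_HOSTS = frozenset({"updates.example.com"})

# Constructed stand-in for a genuine driver package and its published hash.
GOOD_PAYLOAD = b"MZ\x90\x00 constructed driver package bytes"
EXPECTED_SHA256 = hashlib.sha256(GOOD_PAYLOAD).hexdigest()


def validate_update(url, payload, expected_sha256, allowed_hosts=ALLOWED_HOSTS):
    """Return (accepted, reason). Accept only if the URL is HTTPS, the host
    is exactly on the allowlist and the payload hashes to the published value.

    urlparse().hostname is used rather than string matching so that tricks
    such as "https://updates.example.com@rogue.example.net/" resolve to the
    real host (rogue.example.net) and are rejected.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "scheme not https"
    host = (parsed.hostname or "").lower()
    if host not in allowed_hosts:
        return False, "host not allowlisted"
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison; the hash is not secret, but it is good habit
    # and keeps the check uniform with signature verification code.
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        return False, "hash mismatch"
    return True, "ok"


if __name__ == "__main__":
    cases = [
        ("https://updates.example.com/driver.exe", GOOD_PAYLOAD),
        ("https://rogue.example.net/driver.exe", GOOD_PAYLOAD),
        ("https://updates.example.com@rogue.example.net/x", GOOD_PAYLOAD),
        ("http://updates.example.com/driver.exe", GOOD_PAYLOAD),
        ("https://updates.example.com/driver.exe", GOOD_PAYLOAD + b"\x00"),
    ]
    for url, data in cases:
        print(url, "->", validate_update(url, data, EXPECTED_SHA256))
```

Note that the hash check is what actually defeats the tampering described above: even if the component’s target domain is rewritten, or the legitimate domain is later compromised, a payload that differs from the one whose hash the vendor published is refused. Code-signing verification of the downloaded file is the natural next layer on Windows and works the same way in principle, with the trust anchor held outside the download channel.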

While much of this goes on without users knowing, hijacked computing power can open the door to far more malicious threats. Even though many users never realise they have been infected, the fact that a threat actor was able to install a cryptominer on a device without the user noticing is worrying. The best way to stay protected is to ensure that consumers and businesses use endpoint security that can identify these hard-to-find threats. Beyond that, it’s all about keeping your security solutions, operating systems, and pretty much every application installed on your system up to date. Malware may change shape quickly, but ultimately it exhibits the same malicious behaviour, which a best-of-breed security solution protecting your system can readily spot. 

About the Author

Liviu Arsene is Senior e-threat analyst at Bitdefender. Bitdefender delivers robust cybersecurity that earned the trust of families and corporations from over 150 countries. We are led by a vision to be the most trusted cybersecurity technology provider in the world, which means we constantly anticipate, innovate, and go the extra mile.

Featured image: bluebudgie.