Attackers now use process hollowing to hide cryptocurrency miners on your PC
Researchers have documented the use of a process hollowing technique to disguise the presence of cryptocurrency mining malware on infected systems.
On Wednesday, Trend Micro researchers Arianne Dela Cruz, Jay Nebre, and Augusto Remillano said that during November, a campaign striking targets across countries including Kuwait, Thailand, India, Bangladesh, the United Arab Emirates, Brazil, and Pakistan has been using an interesting dropper component containing a malicious secret.
A file landing on a target system acts as both a malware dropper and container, but is not, in itself, malicious. Using a technique known as process hollowing, the file carries the main executable and the cryptocurrency mining software in an inactive form in order to bypass protective checks.
On its own, the 64-bit binary file has no use: it contains only "skeletal code" and serves no malicious purpose.
The dropper “requires a specific set of command line arguments to trigger its malicious behavior,” the team says, and “leav[es] no trace for malicious activity detection or analysis to reference the file as malicious.”
In order to evade malware scans, the malicious code is hidden in a directory without an extension. Attackers trigger the malware using particular arguments; the malware is then unpacked via a child process loaded in a suspended state, and an XMRig Monero cryptocurrency miner is injected into the system.
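As an added defender-side illustration (not code from Trend Micro or the article), the following hunts for the pattern described above in Sysmon-style process-creation telemetry: an extensionless executable started with arguments, and a child process spawned by such a parent, which is the likely hollowing target. The record fields and sample values are constructed for this example.

```python
from pathlib import PureWindowsPath

# Constructed Event ID 1-style records (pid, parent pid, image path, command line).
SAMPLE_EVENTS = [
    {"pid": 812, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    # extensionless dropper launched with the arguments that arm it (constructed values)
    {"pid": 5210, "ppid": 812, "image": r"C:\ProgramData\sys\upd",
     "cmdline": r"C:\ProgramData\sys\upd -k 7f3a -r"},
    # legitimate-looking child spawned by the dropper: the suspended hollowing target
    {"pid": 5222, "ppid": 5210, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]


def lacks_extension(image: str) -> bool:
    """True when the on-disk image has no file extension (e.g. C:\\dir\\upd)."""
    return PureWindowsPath(image).suffix == ""


def has_arguments(cmdline: str) -> bool:
    """True when the process was started with at least one argument.
    Whitespace splitting is a simplification; quoted paths with spaces
    would need proper tokenisation in production."""
    return len(cmdline.split()) > 1


def find_hollowing_candidates(events):
    """Return (pid, reason) pairs worth triage, in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if lacks_extension(e["image"]):
            reason = "extensionless image"
            if has_arguments(e["cmdline"]):
                reason += " started with arguments"
            findings.append((e["pid"], reason))
        parent = by_pid.get(e["ppid"])
        if parent is not None and lacks_extension(parent["image"]):
            findings.append((e["pid"], f"child of extensionless parent pid {parent['pid']}"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_hollowing_candidates(SAMPLE_EVENTS):
        print(pid, reason)
```

A hit on the child alone is a triage lead, not proof of hollowing; confirming it means comparing the child's in-memory image against the file on disk.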
Cryptocurrency is then silently mined in the background and the proceeds are sent to an attacker-controlled wallet.
“While the number of new routines for malicious cryptocurrency miners has increased, overall detections for coin mining activities have decreased this year,” Trend Micro notes. “We suspect that the cybercriminals behind this particular campaign may have been taking advantage of the decreased number of competitors especially as the year comes to a close.”
This week, the US Securities and Exchange Commission (SEC) filed charges against Shopin and its founder Eran Eyal for allegedly operating a fraudulent Initial Coin Offering (ICO) that defrauded investors out of $42 million.