A security company found XMRig cryptocurrency miner malware running on more than half of the workstations in a European international airport, despite an industry-standard anti-virus being installed. Reports said Cyberbit discovered the campaign – identified as the Anti-CoinMiner malware first documented by Zscaler in August 2018 – running in the background during a standard installation of an endpoint product. Aside from increased power consumption on the affected systems, the malware did not disrupt airport operations.
Kernel-level agents of an endpoint detection and response (EDR) product were undergoing a standard rollout process when they detected repeated endpoint activity. The behavioral algorithm found PAExec – a redistributable version of the legitimate tool PsExec – launching an application, player.exe, several times within a short period on infected systems. This gave the malicious actors escalated administrative privileges, so that the miner was prioritized in its use of workstation resources. Adding PAExec to the registry also established persistence, ensuring that employees could not remove the malware simply by rebooting.
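As an added example (not Cyberbit's code and not the EDR product's actual algorithm), the following Python sketches the kind of behavioral rule the paragraph above describes: a parent process such as PAExec launching the same child executable several times within a short window. The event format, host names, file paths, threshold and window length are all constructed assumptions modelled on typical process-creation telemetry; the sample events are made up for the demonstration.

```python
"""Flag a parent process that repeatedly launches the same child in a short
window, the pattern the article attributes to PAExec spawning player.exe.
Added example; event layout and thresholds are assumptions, not product logic."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of process-creation events:
# (timestamp, host, parent image path, child image path)
SAMPLE_EVENTS = [
    ("2019-10-16T09:00:01", "WS-0412", r"C:\Windows\Temp\PAExec.exe", r"C:\ProgramData\player.exe"),
    ("2019-10-16T09:00:07", "WS-0412", r"C:\Windows\Temp\PAExec.exe", r"C:\ProgramData\player.exe"),
    ("2019-10-16T09:00:15", "WS-0412", r"C:\Windows\Temp\PAExec.exe", r"C:\ProgramData\player.exe"),
    ("2019-10-16T09:00:20", "WS-0412", r"C:\Windows\Temp\PAExec.exe", r"C:\ProgramData\player.exe"),
    ("2019-10-16T09:01:00", "WS-0777", r"C:\Windows\explorer.exe", r"C:\Windows\notepad.exe"),
    ("2019-10-16T09:05:00", "WS-0777", r"C:\Windows\explorer.exe", r"C:\Windows\notepad.exe"),
    # A single PAExec launch, as an admin might legitimately do: should not alert.
    ("2019-10-16T10:30:00", "WS-0999", r"C:\Tools\PAExec.exe", r"C:\Tools\update.exe"),
]


def parse_event(raw):
    """Normalise one raw tuple: parse the timestamp and reduce paths to
    lower-cased basenames so the rule keys on the image name, not its location."""
    ts, host, parent, child = raw
    return {
        "time": datetime.fromisoformat(ts),
        "host": host,
        "parent": parent.rsplit("\\", 1)[-1].lower(),
        "child": child.rsplit("\\", 1)[-1].lower(),
    }


def find_repeated_launches(events, threshold=3, window=timedelta(seconds=60),
                           parents=("paexec.exe",)):
    """Return one alert per (host, parent, child) group in which a watched
    parent launched the same child at least `threshold` times within `window`.

    A per-key sliding window (deque of timestamps) keeps the check O(n) and
    independent of how many events precede the burst."""
    recent = defaultdict(deque)   # (host, parent, child) -> timestamps in window
    alerted = set()               # groups already reported, to avoid duplicate alerts
    alerts = []
    for raw in sorted(events, key=lambda e: e[0]):   # ISO-8601 strings sort chronologically
        ev = parse_event(raw)
        if ev["parent"] not in parents:
            continue
        key = (ev["host"], ev["parent"], ev["child"])
        q = recent[key]
        q.append(ev["time"])
        # Drop timestamps that have fallen outside the window.
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "host": ev["host"],
                "parent": ev["parent"],
                "child": ev["child"],
                "count": len(q),
                "first": q[0].isoformat(),
                "last": ev["time"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_repeated_launches(SAMPLE_EVENTS):
        print(f"[{alert['host']}] {alert['parent']} launched {alert['child']} "
              f"{alert['count']}x between {alert['first']} and {alert['last']}")
```

Keying on the image basename rather than the full path matters here because, as the article notes, the same tool can be dropped under different directories on different workstations; tuning `threshold` and `window` against a baseline of legitimate PsExec/PAExec administrative use keeps the rule from alerting on a single remote-execution job.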
The malicious actors also used Reflective Dynamic-Link Library (Reflective DLL) loading to evade detection while loading the malicious files. Because the malicious DLL is injected directly into process memory rather than loaded through the Windows loader, it never touches the hard drive, allowing it to evade file-based detection.
While the researchers were unable to determine the malware's delivery method, they attest that the cryptominer's presence on the workstations could have affected the quality of service in the airport. At worst, the increased power consumption could have caused service and operational interruptions in the facility, or the attackers could have used their foothold to breach the network and compromise critical systems and service machines, resulting in costly physical damage and sabotage.
Malicious cryptocurrency miners continue to develop their arsenal for compromising critical systems and enterprise facilities, using new techniques for persistence and evasion. System hardware can degrade and lose its asset value faster than average because of the increased load, so users should be aware of the newest attack techniques used in these kinds of campaigns.
Here are some best practices users can apply to defend against these kinds of threats:
Apply patches to keep security and system software up to date, preventing attacks and infections that rely on exploits.
Configure the security settings of all systems and devices connected to the enterprise network.
Perform security audits of systems and networks at regular intervals to scan for, detect, and block suspicious activity.
Install and enable a multilayered protection system capable of behavioral monitoring to defend against both known and unknown threats.