A team of security researchers has reported the discovery of a new technique, called Process Hollowing, used to install cryptocurrency miners without alerting the victim.
The infection is carried out by a sophisticated dropper that delivers the intended malware. What distinguishes it from other infection techniques is that it bypasses the host's security mechanisms as one of its first actions.
Process Hollowing Technique Used To Implant Cryptocurrency Miners
A team of security researchers discovered a dangerous hacker technique called Process Hollowing that has been used in infiltration attacks leading to cryptocurrency miner infections. The campaign was detected in November and targeted several countries, including the United Arab Emirates, India, Bangladesh, Kuwait, Thailand, Pakistan and Brazil. What is particularly interesting is that delivery is handled by a special payload dropper. Instead of directly downloading and running the miner, it performs several actions designed to keep the system from detecting the malware.
The dropper is a 64-bit binary that contains packed malware code. When the file is run, several file verification checks are made to ensure that the miner is delivered intact. The analysis shows that the relevant executable files are encrypted and are decrypted in real time using special algorithms. The criminals have also obfuscated the names of the final miner files. A special string is called by the main engine, which supplies the main arguments used by the cryptocurrency miner:
- Wallet Address
- Miner Pool Address
- Template Miner Arguments
The difference from other security bypass techniques is that the miner injection code is placed inside a prepared file on the victim system. The actual code that runs the operations is called from another file, which hides under a different extension and is placed in another folder. The operating system and its services do not treat this as malicious behavior. The security researchers state that by using this “skeletal code” the infections can remain undetected for a very long period of time.
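The report above names the three things the dropper hands to the miner (a wallet address, a pool address and template arguments) and notes that the running code hides under a different extension in another folder. As an added illustration from the defender's side, not code from the researchers or the campaign, the following script scores constructed process-creation events against those traits; the event fields, the paths, the pool URL and the wallet value are all hypothetical sample data, and the heuristics are generic ones a detection engineer would start from, not indicators taken from this campaign.

```python
import os
import re

# Constructed sample process-creation events (hypothetical values), modelled on
# the fields a Sysmon event ID 1 or EDR telemetry record carries.
SAMPLE_EVENTS = [
    {"pid": 4100, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    {"pid": 4212, "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -o stratum+tcp://pool.example.invalid:3333 -u 4WALLETADDRESSPLACEHOLDER -k"},
    {"pid": 4300, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\ProgramData\Fonts\cache.dat",
     "cmdline": r"cache.dat --donate-level=0"},
]

# Heuristic patterns (assumptions, not campaign indicators): a stratum pool URL,
# a long opaque value passed as the miner's user/wallet argument.
POOL_RE = re.compile(r"stratum\+(?:tcp|ssl)://[\w.-]+:\d+", re.IGNORECASE)
WALLET_RE = re.compile(r"(?:^|\s)(?:-u|--user)(?:=|\s+)\S{20,}")
EXEC_EXTS = {".exe", ".com", ".scr"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

def flag_event(ev):
    """Return the list of reasons this event is suspicious (empty if none)."""
    reasons = []
    cmd, image, parent = ev["cmdline"], ev["image"].lower(), ev["parent"].lower()
    if POOL_RE.search(cmd):
        reasons.append("mining pool address in command line")
    if WALLET_RE.search(cmd):
        reasons.append("wallet-like user argument in command line")
    ext = os.path.splitext(image)[1]          # works on backslash paths too: only the last '.' matters
    if ext not in EXEC_EXTS:
        reasons.append(f"executing image with non-executable extension {ext!r}")
    # A Windows system binary whose parent lives in a user-writable directory is a
    # common hollowing pattern: the legitimate image is the shell, the code is not.
    if image.startswith("c:\\windows\\") and any(p in parent for p in USER_WRITABLE):
        reasons.append("system binary spawned from a user-writable directory")
    return reasons

def scan(events):
    """Map pid -> reasons for every event that trips at least one heuristic."""
    hits = {}
    for ev in events:
        reasons = flag_event(ev)
        if reasons:
            hits[ev["pid"]] = reasons
    return hits

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

Each heuristic alone is noisy (a dropped data file being executed or a system binary under a Temp parent both occur legitimately), so in practice the reasons are weighted and correlated with CPU telemetry rather than alerted on individually.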
We remind our readers that cryptocurrency miners are among the most dangerous infections. Instead of deleting files, these small scripts download a large number of resource-intensive tasks from a remote server. They place a heavy load on key components such as the CPU, memory, disk space and GPU. When one of the tasks is reported as complete, the hackers are rewarded with cryptocurrency sent directly to their digital wallets. It is quite possible that in the future this mechanism will be used with other malware types.