Cryptojacking, the infection of computers with malware to mine cryptocurrency, has declined as cryptocurrency prices have dropped. The virus and its propagators are adapting, just like any other dexterous organism facing extinction. According to Symantec, cryptojacking incidents dropped 52 percent between January 2018 and January 2018, but the delivery, execution, and targeting methods have become more sophisticated.


Symantec’s most recent report focused on Beapy, a cryptojacking campaign that targets businesses and enterprises in Asia. The virus spreads via email using a software exploit called EternalBlue that was developed by the United States’ NSA. Symantec was first to notice the threat in January this year.

The virus infected over 2,000 devices in March, and has continued to rise steadily since.

“This campaign shows that cryptojacking is less popular with cyber criminals than it was at the peak in 2018, but it is still a focal point for some of them, with businesses now their primary target,” states the introduction to this report.


The report states that 98 percent are infected by ransomware. This is consistent with 2018 trends in ransomware attacks, where a decrease in overall threats was correlated with an increase of enterprise-focused infections. Allan Neville, Symantec Threat Intelligence Analyst, said that these attacks can “[render] some devices inoperable due to high CPU usage.”

China is the main target of this attack, dwarfing all other countries affected with an astounding 83 percent share. Other countries affected include Japan, South Korea, Hong Kong, Taiwan, Bangladesh, the Philippines, and, the only two from the Eastern Hemisphere, Jamaica and Japan.


Virus Infection Strategy

Infected Excel spreadsheets spread the virus to Windows computers. Once the spreadsheet was opened, it would open a backdoor to the computer’s OS. It made use of the DoublePulsar exploit, which was leaked in the same batch of cyber tools that gave attackers the EternalBlue vector.

The virus files could be spread “laterally across networks” by exploiting a weakness in Windows’ Server Message Block protocol.

The mining malware also stole credentials such as usernames and passwords from infected devices in order to spread to other computers within a network. The firm also discovered Beapy versions on a public-facing server by using a list of IP addresses to create a hit list of potential victims.
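One way a defender can look for the lateral SMB spread described above is to flag any internal host that contacts many distinct internal hosts on TCP 445 within a short window. The following is an added example, not code from Symantec's report; the log format, the 5-minute window, the threshold of 5 and all sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

def constructed_log():
    """Build constructed sample flow lines: 'timestamp src dst dst_port'."""
    t0 = datetime(2019, 4, 1, 9, 0, 0)
    rows = []
    # 10.0.0.5 touches six hosts on 445 in 30 seconds (worm-like fan-out).
    rows += [(t0 + timedelta(seconds=5 * i), "10.0.0.5", f"10.0.1.{10 + i}", 445) for i in range(6)]
    # 10.0.0.7 touches five hosts on 445, but 15 minutes apart.
    rows += [(t0 + timedelta(minutes=15 * i), "10.0.0.7", f"10.0.1.{10 + i}", 445) for i in range(5)]
    # 10.0.0.9 touches six hosts quickly, but on 443, not SMB.
    rows += [(t0 + timedelta(seconds=i), "10.0.0.9", f"10.0.1.{10 + i}", 443) for i in range(6)]
    # 10.0.0.8 is an ordinary client using two file servers.
    rows += [(t0 + timedelta(seconds=30 * i), "10.0.0.8", f"10.0.1.{10 + i}", 445) for i in range(2)]
    return "\n".join(f"{ts.isoformat()} {s} {d} {p}" for ts, s, d, p in rows)

def parse_flows(text):
    """Yield (time, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (datetime.fromisoformat(parts[0]), ip_address(parts[1]),
                   ip_address(parts[2]), int(parts[3]))
        except ValueError:
            continue

def smb_fanout(flows, window=timedelta(minutes=5), threshold=5):
    """Map each internal source to its peak count of distinct internal
    SMB (TCP 445) destinations inside any sliding window, if >= threshold."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445 and src.is_private and dst.is_private:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort(key=lambda e: e[0])
        start, peak = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({d for _, d in events[start:end + 1]}))
        if peak >= threshold:
            flagged[str(src)] = peak
    return flagged

if __name__ == "__main__":
    print(smb_fanout(parse_flows(constructed_log())))
```

Workstations rarely need to open SMB sessions to many peers, so the threshold should be tuned against a baseline that excludes known file servers, scanners and management hosts.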

More upside than before

One of the most striking findings from the study is that Beapy differs from the cryptojacking malware used when infections were at their peak in early 2018.

These campaigns used browser-based miners in large part. These viruses used the Coinhive protocol to mine Monero for charity. This protocol was used by UNICEF and other sites like UNICEF. The report suggests that Coinhive shut down operations in March 2019 due to Monero’s sharp decline in the bear market and a steady decline of cryptojacking.

Beapy does not rely on browser mining and instead uses a more lucrative and complex file-mining approach. File mining is more efficient than browser mining and can yield a higher return. For example, the average 30-day return on this technique could net the virus’s blackhats $750,000. This makes the return of browser mining seem paltry at $30,000.


Neville said that file-based coinmining is not new, despite it being on the rise. It’s just “taken back a seat to browser-based cryptomining the last couple of years” because it requires less technical skill.


He said, “The launch of Coinhive – and its ready-made scripts – has lowered this barrier even more.”

A computer can still run browser mining even if it is protected against the virus.

Neville stated that it was too early to know if there will be a resurgence of file-based mining as opposed to browser-based. However, detection and protection against Coinminers will improve, so cyber criminals will start looking for “alternative revenue streams.”

“As cybercriminals improve their tactics, we’ve also observed that their approach becomes more specific.”

Defending against the Threat

The report concludes by listing side effects of cryptojacking infections such as device overheating, excessive battery consumption, and possible device degradation.

It also outlines the security measures that companies can take in order to protect themselves against such attacks. Companies can use security solutions on the hardware and software sides, including firewalls, vulnerability assessments, robust passwords, and multi-factor authentication.

Education is crucial for employees. The report teaches lessons about cryptojacking and how to spot it. Many of these points were reiterated by Neville at the end of our correspondence.

Businesses should ensure that employees are trained to recognize and report phishing emails sent to them by malware deliverers. They should also implement overlapping and mutually supporting defensive systems to protect against single-point failures in any technology or protection method. This includes the deployment of endpoint, web, and email protection technologies, firewalls, and vulnerability assessment solutions. It is important to keep these security systems up-to-date with the most recent protections and to ensure that systems are protected against exploits like EternalBlue.