As cryptocurrency-mining malware becomes more popular among cybercriminals, they're altering their tactics in order to increase the chances of making as much money as possible from exploited systems -- now even going as far as killing other cryptojacking malware that has previously compromised the same servers.
Researchers at Minerva Labs uncovered a new form of cryptocurrency-mining malware, dubbed GhostMiner, which uses fileless malware delivery techniques to land on systems. If other cryptojacking malware is already on the system, it will fight to remove it in order to earn Monero.
The mining elements of GhostMiner are built into a malicious Windows executable. It takes advantage of PowerShell frameworks to deploy fileless techniques that hide the malware to such an extent it went undetected by a number of security products.
GhostMiner spreads by looking to attack WebLogic servers, which researchers suggest is achieved by randomly probing IP addresses every second in the hope of finding a target.
In order to ensure the most success possible, GhostMiner works to eliminate any other malicious mining tool installed on the system before it begins to acquire Monero for itself.
Researchers note that the malware uses a number of techniques to eliminate the competition: killing running miners with PowerShell's "Stop-Process -Force" command, using a hard-coded blacklist of process names; stopping and deleting blacklisted miners; and even removing miners that run as blacklisted scheduled tasks.
GhostMiner will also stop and remove miners by going through the list of established TCP connections, looking for ports associated with miners before stopping them.
However, despite the aggressive tactics employed, GhostMiner has only made those behind it a small amount of money in the space of just over three weeks: 1.03 Monero, which works out to just over $200. Nonetheless, criminals may have successfully hidden additional funds elsewhere.
"It is highly plausible that there are other addresses used in this campaign, undetectable due to Monero's anonymity features," wrote Minerva researchers Asaf Aprozper and Gal Bitensky.
In order to combat this form of cryptocurrency mining attack, Minerva has provided a modified version of the 'killer script' to help incident response teams write their own PowerShell scripts for removing malicious miners.
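The three removal techniques described above (blacklisted process names, blacklisted scheduled tasks, and established TCP connections to mining-pool ports) translate naturally into an incident-response hunt. The PowerShell script below is an added example written for this page; it is not Minerva's modified killer script, and the process names, task names and port numbers in its defaults are assumed placeholders that a responder would replace with indicators from their own investigation. It reports findings by default and only stops processes or unregisters tasks when run with -Remove, so it can be dry-run with -WhatIf first.

```powershell
# Added example, not Minerva's script: detect (and optionally remove) coin miners
# using the same three signals the article describes. All default names and ports
# are ASSUMED placeholders; replace them with indicators from your own case.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$ProcessBlacklist = @('xmrig', 'minerd', 'cpuminer'),   # assumed process names
    [string[]]$TaskBlacklist    = @('Miner', 'WindowsUpdateMiner'),   # assumed task names
    [int[]]$MinerPorts          = @(3333, 4444, 5555, 14444),         # assumed pool ports
    [switch]$Remove
)

$findings = @()

# 1. Running processes whose image name is on the blacklist (-contains is case-insensitive)
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    if ($ProcessBlacklist -contains $p.ProcessName) {
        $findings += [pscustomobject]@{ Type = 'Process'; Id = $p.Id; Name = $p.ProcessName; Detail = $p.Path }
        if ($Remove -and $PSCmdlet.ShouldProcess("PID $($p.Id) ($($p.ProcessName))", 'Stop-Process -Force')) {
            Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
        }
    }
}

# 2. Scheduled tasks used as persistence for the miner
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    if ($TaskBlacklist -contains $t.TaskName) {
        $cmd = ($t.Actions | ForEach-Object Execute) -join ';'
        $findings += [pscustomobject]@{ Type = 'Task'; Id = $t.TaskPath; Name = $t.TaskName; Detail = $cmd }
        if ($Remove -and $PSCmdlet.ShouldProcess($t.TaskName, 'Unregister-ScheduledTask')) {
            Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
        }
    }
}

# 3. Established TCP connections to ports associated with mining pools;
#    the owning process is reported and, with -Remove, stopped.
foreach ($c in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
    if ($MinerPorts -contains $c.RemotePort) {
        $owner = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Type = 'Connection'; Id = $c.OwningProcess; Name = $owner.ProcessName
            Detail = "$($c.RemoteAddress):$($c.RemotePort)"
        }
        if ($Remove -and $owner -and $PSCmdlet.ShouldProcess("PID $($c.OwningProcess)", 'Stop-Process -Force')) {
            Stop-Process -Id $c.OwningProcess -Force -ErrorAction SilentlyContinue
        }
    }
}

# Report everything found (empty table means no indicator matched)
$findings | Format-Table -AutoSize
```

Save it as, for example, Find-Miner.ps1 and run it from an elevated PowerShell session: with no switches it only reports; "-Remove -WhatIf" shows what would be stopped or unregistered; "-Remove" performs the cleanup. Because fileless miners often leave nothing on disk, the connection check in step 3 is the one most likely to surface an infection that the name-based blacklists miss, so review its output before trusting a clean result.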
Cryptocurrency mining has become increasingly popular among cybercriminals as a means of easily -- and quietly -- making money. It has become popular to such an extent that it is now as lucrative as ransomware.