Hacker vs hacker: This cryptojacking malware kills off its rivals to ensure maximum profit

The cryptocurrency-mining malware uses highly aggressive tactics -- which researchers have reverse engineered to help provide protection.
Written by Danny Palmer, Senior Writer

As cryptocurrency-mining malware becomes more popular among cybercriminals, they're altering their tactics in order to increase the chances of making as much money as possible from exploited systems -- now even going as far as killing other cryptojacking malware that has previously compromised the same servers.

Researchers at Minerva Labs uncovered a new form of cryptocurrency-mining malware, dubbed GhostMiner, which uses fileless malware delivery techniques to land on systems. If other cryptojacking malware is already on the system, it will fight to remove it in order to earn Monero.

The mining elements of GhostMiner are built into a malicious Windows executable. It takes advantage of PowerShell frameworks to deploy fileless techniques that hide the malware to such an extent it went undetected by a number of security products.

GhostMiner spreads by looking to attack WebLogic servers, which researchers suggest is achieved by randomly probing IP addresses every second in the hope of finding a target.


In order to ensure the most success possible, GhostMiner works to eliminate any other malicious mining tool installed on the system before it begins to acquire Monero for itself.

Researchers note that the malware uses a number of techniques to eliminate the competition. These include killing running miners with PowerShell's "Stop-Process -Force" command using a hard-coded blacklist, stopping and deleting blacklisted miners, and even removing miners that run as blacklisted scheduled tasks.

GhostMiner will also stop and remove miners by going through the list of established TCP connections, looking for ports associated with miners before stopping them.
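As an added example (not GhostMiner's code and not Minerva's killer script), the following PowerShell triage pass applies the same two signals described above from a defender's side: it maps established TCP connections on mining-pool ports back to their owning process and lists scheduled tasks whose action references a known miner binary, reporting rather than killing. The port and miner-name lists are assumptions for illustration; Get-NetTCPConnection and Get-ScheduledTask require Windows 8 / Server 2012 or later.

```powershell
# Assumed indicator lists (not from the article); tune to your environment.
$MinerPorts = @(3333, 4444, 5555, 7777, 14444, 45700)            # common Stratum pool ports
$MinerNames = @('xmrig', 'xmr-stak', 'minerd', 'cpuminer')       # common miner binaries

function Get-SuspiciousMinerConnections {
    # Established TCP connections to pool ports, joined to the owning process.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in $MinerPorts } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Pid        = $_.OwningProcess
                Process    = $proc.ProcessName
                Path       = $proc.Path
                RemoteAddr = $_.RemoteAddress
                RemotePort = $_.RemotePort
            }
        }
}

function Get-SuspiciousMinerTasks {
    # Scheduled tasks whose executable or arguments mention a miner name.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($MinerNames | Where-Object { $cmd -match $_ }) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Command  = $cmd
                }
            }
        }
    }
}

# Report only; an analyst decides what to stop or remove.
$conns = Get-SuspiciousMinerConnections
$tasks = Get-SuspiciousMinerTasks
if ($conns) { "Established connections to miner ports:"; $conns | Format-Table -AutoSize }
if ($tasks) { "Scheduled tasks referencing miner binaries:"; $tasks | Format-Table -AutoSize }
if (-not $conns -and -not $tasks) { "No miner indicators found." }
```

Run it from an elevated prompt so that owning-process paths and all scheduled tasks are visible.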

However, despite the aggressive tactics employed, GhostMiner has only made those behind it a small amount of money in the space of just over three weeks: 1.03 Monero, which works out to just over $200. Nonetheless, criminals may have successfully hidden additional funds elsewhere.


"It is highly plausible that there are other addresses used in this campaign, undetectable due to Monero's anonymity features," wrote Minerva researchers Asaf Aprozper and Gal Bitensky.

In order to combat this form of cryptocurrency mining attack, Minerva has provided a modified version of the 'killer script' to help incident response teams write their own PowerShell scripts for removing malicious miners.

Cryptocurrency mining has become increasingly popular among cybercriminals as a means of easily -- and quietly -- making money. It has become popular to such an extent that it is now as lucrative as ransomware.
