European Airport Systems Infected With Monero-Mining Malware

More than 50% of all computing systems at a European international airport were recently found to be infected with a Monero cryptominer linked to the Anti-CoinMiner campaign Zscaler spotted during August 2018.

The cryptojacking attack was discovered by Cyberbit’s Endpoint Detection and Response team while deploying its security solution at the airport; the product’s behavioral engine subsequently detected suspicious activity on some of the airport’s systems.

“The malware may have been used for months prior to the installation of Cyberbit EDR, although all workstations were equipped with an industry-standard antivirus,” said Cyberbit.

Luckily, besides affecting the infected systems’ overall performance and leading to increased power consumption, the XMRig Monero miner did not impact the airport’s operations.

Attack detected using behavioral analytics

While the cryptominer used to infect the airport’s computers was first identified over a year ago, the attackers modified it just enough to ensure it would not be identified by anti-malware software.

“The malware we found was first discovered by Zscaler more than a year ago,” Cyberbit said. “It was modified just enough to evade the vast majority of existing signatures for it, with only 16 out of 73 detection products on VirusTotal detecting the sample as malicious.”

Cyberbit discovered the infection because the threat actors repeatedly launched PAExec, a redistributable version of the legitimate Microsoft tool PsExec, a lightweight utility for executing processes remotely on other systems.

The tool was used for privilege escalation: it allowed the attackers to launch an executable named Player “in system mode,” giving the miner maximum privileges on the compromised systems.
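As an added illustration of the behavioral detection described above (example code, not Cyberbit’s product or the report’s own logic), the script below runs two rules over constructed Sysmon-style process-creation events: a remote-execution tool (PAExec/PsExec) spawning a non-allowlisted child as SYSTEM, and repeated launches of such a tool on one host within a short window. Host names, file paths, the allowlist and the thresholds are all assumptions.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events (not real airport logs).
# Fields: timestamp | host | parent image | child image | account the child runs as
SAMPLE_EVENTS = """\
2019-10-14T08:01:10 | WS-GATE-07 | C:\\Tools\\paexec.exe | C:\\ProgramData\\Player.exe | NT AUTHORITY\\SYSTEM
2019-10-14T08:01:12 | WS-GATE-07 | C:\\Windows\\explorer.exe | C:\\Office\\winword.exe | AIRPORT\\jdoe
2019-10-14T08:06:40 | WS-GATE-07 | C:\\Tools\\paexec.exe | C:\\ProgramData\\Player.exe | NT AUTHORITY\\SYSTEM
2019-10-14T08:12:05 | WS-GATE-07 | C:\\Tools\\paexec.exe | C:\\ProgramData\\Player.exe | NT AUTHORITY\\SYSTEM
2019-10-14T09:30:00 | WS-ADMIN-01 | C:\\Tools\\psexec.exe | C:\\Windows\\System32\\cmd.exe | NT AUTHORITY\\SYSTEM
"""

# Hypothetical tuning values: remote-execution tool name prefixes, a small allowlist
# of binaries that may legitimately be started as SYSTEM, and the burst threshold/window.
REMOTE_EXEC_TOOLS = ("paexec", "psexec")
SYSTEM_ALLOWLIST = {"cmd.exe"}
BURST_COUNT, BURST_WINDOW = 3, timedelta(minutes=15)

def parse_events(text):
    """Parse the pipe-separated sample into dicts with normalised image basenames."""
    events = []
    for line in text.splitlines():
        ts, host, parent, child, user = [f.strip() for f in line.split("|")]
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "parent": ntpath.basename(parent).lower(),
                       "child": ntpath.basename(child).lower(), "user": user})
    return events

def detect(events):
    """Return (host, rule, detail) findings for the two behaviours in the report."""
    findings = []
    launches = defaultdict(list)  # host -> timestamps of remote-exec tool launches
    for e in events:
        if not e["parent"].startswith(REMOTE_EXEC_TOOLS):
            continue
        launches[e["host"]].append(e["ts"])
        # Rule 1: remote-exec tool started a non-allowlisted child as SYSTEM.
        if e["user"].upper().endswith("\\SYSTEM") and e["child"] not in SYSTEM_ALLOWLIST:
            findings.append((e["host"], "system_mode_launch", e["child"]))
    # Rule 2: repeated launches of the tool on one host inside a short window.
    for host, times in launches.items():
        times.sort()
        for i in range(len(times) - BURST_COUNT + 1):
            if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW:
                findings.append((host, "repeated_remote_exec", f"{BURST_COUNT} launches"))
                break
    return findings

if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The allowlisted `cmd.exe` launch on the admin host shows why rule 1 alone is noisy in environments where administrators use PsExec legitimately; combining it with the burst rule and a per-host baseline is what separates the miner's pattern from routine remote administration.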

VirusTotal detection rate

“System mode provides maximum privileges, so the miner would take priority over any other application for the use of workstation resources,” says the report.

“This impacts the performance of other applications, as…
