European Airport Systems Infected With Monero-Mining Malware

More than 50% of all computing systems at a European international airport were recently found to be infected with a Monero cryptominer linked to the Anti-CoinMiner campaign Zscaler spotted during August 2018.

- Advertisement -

The cryptojacking attack was discovered by Cyberbit’s Endpoint Detection and Response team while deploying their security solution whose behavioral engine subsequently detected suspicious activity on some airport systems.

“The malware may have been used for months prior to the installation of Cyberbit EDR, although all workstations were equipped with an industry-standard antivirus,” said Cyberbit.

Luckily, besides affecting the infected systems’ overall performance and leading to increased power consumption, the XMRig Monero miner did not impact the airport’s operations.

Attack detected using behavioral analytics

While the cryptominer used to infect the airport’s computers was identified over a year ago, the attackers modified it sufficiently enough to make sure that it will not be identified by anti-malware software.

“The malware we found was first discovered by Zscaler more than a year ago,” found Cyberbit. “It was modified just enough to evade the vast majority of existing signatures for it, with only 16 out of 73 detection products on VirusTotal detecting the sample as malicious.”

Cyberbit discovered the infection because the threat actors repeatedly launched PAExec, a redistributable version of the legitimate Microsoft tool PsExec, a light-weight utility for executing processes remotely on other systems.

- Advertisement -

The tool was used for privilege escalation and it allowed them to launch an executable named Player “in system mode,” making it possible to gain maximum user privileges on the compromised systems.

VirusTotal detection rate

“System mode provides maximum privileges, so the miner would take priority over any other application for the use of workstation resources,” says the report.

- Advertisement -

“This impacts the performance of other applications, as well as that of the airport facility. The use of administrative privileges also reduces the ability for security tools to detect the activity.”

“The use of PAExec is often an indication of malicious activity, moreover the repeated use of the tool,” added the Cyberbit researchers.

Fileless malware tactics used to avoid detection

The attackers also used Reflective Dynamic-Link Library (DLL) loading (also known as Reflective DLL injection) — a known detection evasion technique used by malware operators — to inject malicious DLLs into a host process running in memory without using the Windows loader and completely bypassing the infected systems’ hard drives.

PAExec was also added by the malware into the systems’ registries to gain persistence to make sure that the airport employees can’t get rid of the infection by rebooting the impacted computers.

Registry entries added to gain persistence

While the infection vector is not yet known, the attackers could have used a wide range of methods, from dropping malicious payloads via phishing emails or infecting the systems with miners hidden in seemingly benign files using steganography, to using drive-by downloads for dropping a cryptominer binary or exploiting vulnerable servers [1, 2, 3] running on the airport’s network.

“In a worst-case scenario, attackers could have breached the IT network as a means to hop onto the airport’s OT network in order to compromise critical operational systems ranging from runway lights to baggage handling machines and the air-train, to name a few of the many standard airport OT systems that could be cyber-sabotaged to cause catastrophic physical damage,” concludes Cyberbit.

Source

Previous Articles:

- Advertisement -

Latest

Google Chrome to Distrust Chunghwa Telecom, Netlock Certificates

Google will stop trusting digital certificates from Chunghwa Telecom and Netlock starting August 2025.All TLS certificates from these authorities issued after July 31, 2025,...

Ethereum Foundation Restructures R&D Teams With “Protocol” Division

Ethereum Foundation is restructuring its Protocol Research & Development teams under a new initiative called "Protocol." The initiative focuses on three main goals: scaling the...

AUSTRAC Imposes $5,000 Limit on Crypto ATM Cash Transactions

Australia introduces a $3,250 limit on crypto ATM cash transactions to address rising scam activity. AUSTRAC sets new rules for crypto ATM operators, including enhanced...

Ethereum Foundation Lays Off R&D Staff Amid Protocol Restructuring

Ethereum Foundation has laid off some research and development staff as part of a restructuring.The organization is renaming its Protocol Research and Development division...

Hyperliquid Trader James Wynn Gambles Donations, Faces Losses Again

Crypto trader James Wynn used over $20,000 in donations to fuel a high-risk bet on the Hyperliquid exchange. The funds boosted his $100 million Bitcoin...

Must Read

7 Best NFT Marketplaces for Every Need

Open Sea | Pianity | Foundation | Magic Eden | SuperRare | Rarible | Theta Drop | Other Platforms | About NFTs | FAQ...