News European Airport Systems Infected With Monero-Mining Malware

European Airport Systems Infected With Monero-Mining Malware

-

- Advertisment -

More than 50% of all computing systems at a European international airport were recently found to be infected with a Monero cryptominer linked to the Anti-CoinMiner campaign Zscaler spotted during August 2018.

The cryptojacking attack was discovered by Cyberbit’s Endpoint Detection and Response team while deploying their security solution whose behavioral engine subsequently detected suspicious activity on some airport systems.

“The malware may have been used for months prior to the installation of Cyberbit EDR, although all workstations were equipped with an industry-standard antivirus,” said Cyberbit.

Luckily, besides affecting the infected systems’ overall performance and leading to increased power consumption, the XMRig Monero miner did not impact the airport’s operations.

Attack detected using behavioral analytics

While the cryptominer used to infect the airport’s computers was identified over a year ago, the attackers modified it sufficiently enough to make sure that it will not be identified by anti-malware software.

“The malware we found was first discovered by Zscaler more than a year ago,” found Cyberbit. “It was modified just enough to evade the vast majority of existing signatures for it, with only 16 out of 73 detection products on VirusTotal detecting the sample as malicious.”

Cyberbit discovered the infection because the threat actors repeatedly launched PAExec, a redistributable version of the legitimate Microsoft tool PsExec, a light-weight utility for executing processes remotely on other systems.

The tool was used for privilege escalation and it allowed them to launch an executable named Player “in system mode,” making it possible to gain maximum user privileges on the compromised systems.

VirusTotal detection rate

“System mode provides maximum privileges, so the miner would take priority over any other application for the use of workstation resources,” says the report.

“This impacts the performance of other applications, as well as that of the airport facility. The use of administrative privileges also reduces the ability for security tools to detect the activity.”

“The use of PAExec is often an indication of malicious activity, moreover the repeated use of the tool,” added the Cyberbit researchers.

Fileless malware tactics used to avoid detection

The attackers also used Reflective Dynamic-Link Library (DLL) loading (also known as Reflective DLL injection) — a known detection evasion technique used by malware operators — to inject malicious DLLs into a host process running in memory without using the Windows loader and completely bypassing the infected systems’ hard drives.

PAExec was also added by the malware into the systems’ registries to gain persistence to make sure that the airport employees can’t get rid of the infection by rebooting the impacted computers.

Registry entries added to gain persistence

While the infection vector is not yet known, the attackers could have used a wide range of methods, from dropping malicious payloads via phishing emails or infecting the systems with miners hidden in seemingly benign files using steganography, to using drive-by downloads for dropping a cryptominer binary or exploiting vulnerable servers [1, 2, 3] running on the airport’s network.

“In a worst-case scenario, attackers could have breached the IT network as a means to hop onto the airport’s OT network in order to compromise critical operational systems ranging from runway lights to baggage handling machines and the air-train, to name a few of the many standard airport OT systems that could be cyber-sabotaged to cause catastrophic physical damage,” concludes Cyberbit.

Source

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest news

KryptoCibule: The Cryptostealing Malware

ESET antivirus researchers have announced the discovery of an unknown trojan malware family that spreads through malicious...

Crypterium Signs New Partnership with Apple Pay, Unveils its Virtual Card

In late 2017 when Bitcoin and other digital assets became quite popular, the consensus amongst enthusiasts was...

Top 5 Crypto Invoice Services for Making Business Administration Simpler

In the current economic landscape, the cryptocurrency’s worldwide adoption is picking up at an ever-increasing pace.

Data-Intensive Sector Has A Lot More To Explore With Blockchain Technology

Blockchain technology in Data-Intensive sectors is gaining huge recognition in the market. It is used in building...
- Advertisement -

4 Tips on How To Succeed on Bitcoin Trading

Bitcoin is a type of cryptocurrency which has grabbed the attention of countless people from different countries....

The First Cryptocurrency Bank License Is Now Granted

This is a historic development. A milestone in Bitcoin's path to broad acceptance and recognition. The State...

Must read

KryptoCibule: The Cryptostealing Malware

ESET antivirus researchers have announced the discovery...
- Advertisement -

Read Next
Recommended to you