More than 50% of all computing systems at a European international airport were recently found to be infected with a Monero cryptominer linked to the Anti-CoinMiner campaign Zscaler spotted during August 2018.
The cryptojacking attack was discovered by Cyberbit’s Endpoint Detection and Response team while deploying their security solution whose behavioral engine subsequently detected suspicious activity on some airport systems.
“The malware may have been used for months prior to the installation of Cyberbit EDR, although all workstations were equipped with an industry-standard antivirus,” said Cyberbit.
Luckily, besides affecting the infected systems’ overall performance and leading to increased power consumption, the XMRig Monero miner did not impact the airport’s operations.
Attack detected using behavioral analytics
While the cryptominer used to infect the airport’s computers was identified over a year ago, the attackers modified it sufficiently enough to make sure that it will not be identified by anti-malware software.
“The malware we found was first discovered by Zscaler more than a year ago,” found Cyberbit. “It was modified just enough to evade the vast majority of existing signatures for it, with only 16 out of 73 detection products on VirusTotal detecting the sample as malicious.”
Cyberbit discovered the infection because the threat actors repeatedly launched PAExec, a redistributable version of the legitimate Microsoft tool PsExec, a light-weight utility for executing processes remotely on other systems.
The tool was used for privilege escalation and it allowed them to launch an executable named Player “in system mode,” making it possible to gain maximum user privileges on the compromised systems.
VirusTotal detection rate
“System mode provides maximum privileges, so the miner would take priority over any other application for the use of workstation resources,” says the report.
“This impacts the performance of other applications, as well as that of the airport facility. The use of administrative privileges also reduces the ability for security tools to detect the activity.”
“The use of PAExec is often an indication of malicious activity, moreover the repeated use of the tool,” added the Cyberbit researchers.
Fileless malware tactics used to avoid detection
The attackers also used Reflective Dynamic-Link Library (DLL) loading (also known as Reflective DLL injection) — a known detection evasion technique used by malware operators — to inject malicious DLLs into a host process running in memory without using the Windows loader and completely bypassing the infected systems’ hard drives.
PAExec was also added by the malware into the systems’ registries to gain persistence to make sure that the airport employees can’t get rid of the infection by rebooting the impacted computers.
Registry entries added to gain persistence
While the infection vector is not yet known, the attackers could have used a wide range of methods, from dropping malicious payloads via phishing emails or infecting the systems with miners hidden in seemingly benign files using steganography, to using drive-by downloads for dropping a cryptominer binary or exploiting vulnerable servers [1, 2, 3] running on the airport’s network.
“In a worst-case scenario, attackers could have breached the IT network as a means to hop onto the airport’s OT network in order to compromise critical operational systems ranging from runway lights to baggage handling machines and the air-train, to name a few of the many standard airport OT systems that could be cyber-sabotaged to cause catastrophic physical damage,” concludes Cyberbit.