by Alex Smith on November 3, 2018
One of the latest trends in information security is the growth of rogue cryptocurrency miners on the computers of private users and inside corporate networks. According to numerous malware reports, crypto miners are today the most popular type of threat. As an example, let’s discuss hidden mining with the help of PowerGhost, a tool focused specifically on business PCs.

PowerGhost appeared in the middle of summer 2018. It is interesting that PowerGhost can be distributed in several ways at once. One way is through the same vulnerability as the WannaCry ransomware: a vulnerability in the SMBv1 protocol present in all Windows systems starting with Windows XP. To get infected, your employees do not need to visit suspicious sites, click on links in phishing emails, etc. Passing to the next workstation through known vulnerabilities or a remote administration tool, PowerGhost gets deep inside the system and starts hidden mining. In parallel, PowerGhost attempts to spread to other computers on the local network using the accounts of the infected system.

PowerGhost does not steal user data and does not extort money, but it uses valuable computing resources. For an infected company, this translates into higher electricity bills: the power consumption of an ordinary employee’s workstation increases fivefold. Equipment also overheats and soon fails to function properly. Moreover, such hidden mining is launched on both workstations and servers. Unfortunately, it is quite difficult to calculate the damage from a PowerGhost infection in monetary terms.

PowerGhost can cleverly bypass corporate protection. Some of its versions check whether they are running in a sandbox, and the malware does not write files to the hard disk in order to hide from antivirus programs and from the user himself. Naturally, PowerGhost is not the only such tool: recently, analysts have noted a surge in so-called fileless malware. By the way, crypto miners also spread through removable media.
According to Kaspersky Lab, flash drives infected with crypto miners have been detected since 2015.

PowerGhost allowed me to note an interesting tendency. As already happened with ransomware (like GandCrab), hidden miners are moving from infecting home users to infecting businesses, where the potential profit is greater. If this type of threat continues to evolve at the current pace, in the near future we will need to fear targeted attacks on particular organizations that have large computing power.

A miner has to exchange information with specialized hosts, the mining pools, in order to receive work and report the results. As a rule, these connections are clearly visible on corporate gateways and proxy servers. The second sign can be user complaints about the system freezing (mining requires significant computational power). Modern antiviruses are able to detect and block miners using various methods and components, for example firewall whitelists and tools that control the launch of programs. Additionally, corporate network administrators can conduct a software inventory and thus find unwanted miners and scripts, both directly on end nodes and using systems that analyze corporate network traffic.
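The pool connections mentioned above are the most reliable network sign of a hidden miner, because the miner speaks the Stratum protocol (JSON-RPC messages such as `mining.subscribe` and `mining.authorize`, or the `login` message with an `agent` field used by Monero miners) to its pool. The following script is an added example, not code from the article or from any vendor: it parses a few constructed proxy-log lines (the log format itself is an assumption) and groups the hits by internal client so an administrator knows which hosts to inventory first.

```python
"""Flag Stratum-style mining-pool traffic in proxy/gateway log lines (added example)."""
import json
from collections import defaultdict

# Constructed sample log (assumed format; not taken from the article):
# <timestamp> <client_ip> <destination> <bytes_out> <request line or payload>
SAMPLE_LOG = """\
2018-11-03T09:12:01Z 10.0.1.15 www.example.com:443 812 CONNECT www.example.com:443 HTTP/1.1
2018-11-03T09:12:04Z 10.0.1.22 pool.example-mining.test:3333 142 {"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}
2018-11-03T09:12:05Z 10.0.1.22 pool.example-mining.test:3333 210 {"id":2,"method":"mining.authorize","params":["constructed-wallet.worker1","x"]}
2018-11-03T09:12:09Z 10.0.1.40 updates.example.com:80 301 GET /catalog.xml HTTP/1.1
2018-11-03T09:13:11Z 10.0.1.57 xmr.example-pool.test:14444 188 {"id":1,"method":"login","params":{"login":"constructed-wallet","pass":"x","agent":"XMRig/2.8.1"}}
2018-11-03T09:13:30Z 10.0.1.22 stratum+tcp://pool.example-mining.test:3333 0 CONNECT
2018-11-03T09:14:02Z 10.0.1.15 api.example.com:443 97 {"id":7,"method":"login","params":{"user":"alice"}}
"""

# Stratum JSON-RPC method names from the original (Bitcoin-style) protocol.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}
# URI schemes miners use in their pool configuration.
STRATUM_SCHEMES = ("stratum+tcp://", "stratum+ssl://")


def classify_payload(payload):
    """Return a reason string if the payload looks like a Stratum message, else None."""
    payload = payload.strip()
    if not payload.startswith("{"):
        return None
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    method = msg.get("method")
    if method in STRATUM_METHODS:
        return f"stratum method {method}"
    params = msg.get("params")
    # CryptoNote/Monero miners log in with {"method":"login","params":{...,"agent":...}}.
    # A plain "login" without "agent" (line 7 of the sample) is an ordinary API call.
    if method == "login" and isinstance(params, dict) and "agent" in params:
        return f"cryptonote login, agent {params['agent']}"
    return None


def classify_destination(dest):
    """Flag destinations written as stratum URIs, even when the payload is not logged."""
    if dest.lower().startswith(STRATUM_SCHEMES):
        return "stratum URI scheme"
    return None


def parse_line(line):
    """Split one log line into its fields; returns None for malformed lines."""
    parts = line.split(" ", 4)
    if len(parts) < 5:
        return None
    ts, client, dest, _bytes_out, payload = parts
    return {"time": ts, "client": client, "dest": dest, "payload": payload}


def analyze_log(text):
    """Return a list of findings, one per suspicious log line."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify_destination(rec["dest"]) or classify_payload(rec["payload"])
        if reason:
            findings.append({**rec, "reason": reason})
    return findings


def hosts_to_investigate(findings):
    """Group findings by internal client so each host is inventoried once."""
    by_client = defaultdict(list)
    for f in findings:
        by_client[f["client"]].append((f["dest"], f["reason"]))
    return dict(by_client)


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for client, hits in sorted(hosts_to_investigate(found).items()):
        print(client)
        for dest, reason in hits:
            print("   ", dest, "-", reason)
```

On the sample above the script reports two internal hosts, 10.0.1.22 and 10.0.1.57, and ignores the ordinary web traffic and the non-mining `login` call. The payload checks only work where the proxy records the request body and the connection is not end-to-end encrypted; when it is, the `stratum+ssl://` destination and the non-standard port are what remains visible, which is why the script checks the destination first. Hits from this kind of log review are best correlated with the other sign the article mentions, user complaints about sustained high CPU load, before the host is taken for inventory.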