sb-au logo
Story image

Carbon Black discovers evolution of popular cryptomining campaign

02 Sep 2019

Endpoint protection solutions provider Carbon Black recently released a threat report outlining how a well-known cryptomining campaign has been enhanced to steal system access information for possible sale on the dark web.

Dubbed “Access Mining” by Carbon Black researchers, this particular attack stands to affect more than 500,000 computers around the world.

The methods used could pave the way for more dangerous and far-reaching attacks as threats considered lower priority can open the door for more advanced, targeted attacks that can be sold to the highest bidder.

The discovery was made after the CB ThreatSight team alerted Carbon Black’s TAU about unusual behaviour seen across a handful of endpoints.

The ensuing investigation revealed sophisticated, multi-stage malware that was sending detailed system metadata to a network of hijacked web servers, presumably for the purposes of resale on one (or many) remote access marketplaces across the dark web.

Carbon Black TAU researchers Greg Foss and Marina Liang presented their research in a report Access Mining: How a Prominent Cryptomining Botnet is Paving the Way for a Lucrative and Illicit Revenue Model.

“Access Mining is a tactic where an attacker leverages the footprint and distribution of commodity malware, in this case, a cryptominer, using it to mask a hidden agenda of selling system access to targeted machines on the dark web,” the researchers say.

“This discovery indicates a bigger trend of commodity malware evolving to mask a darker purpose and will likely catalyse a change in the way cybersecurity professionals classify, investigate and protect themselves from threats.”

The report’s key findings include:

At least 500,000 machines affected
60% of victims derived from the Asia Pacific region, and the rest from Russia and Eastern Europe.

Threat actors are increasingly using repurposed tools, modified exploits and stolen infrastructure
In previous campaigns, this threat actor used a modified version of XMRig to perform Monero mining.
In addition to the modified XMRig, our research showed that the group now uses readily available malware and open source tooling, such as Mimikatz and EternalBlue, which have been modified for purposes to pivot from infected systems and expand their campaign’s reach.

Newly uncovered link between Smominru and MyKings
This investigation highlights an unexpected link between Smominru cryptomining campaign and the MyKings botnet, which is outlined in the full report.

Rapid evolution thanks to open source exploits
Modified versions of Cacls, XMRig and EternalBlue were used in this campaign. Obtaining the bulk of the code via open-source sites like GitHub likely sped up the innovation to Access Mining, the researchers found.

Combining commodity malware with access-for-sale is lucrative at scale
The business model for Access Mining typically combines a profit stream from cryptomining with a profit stream from selling system access. Both can be highly lucrative (from some estimates on the latest discoveries, profit can be as much as $1.6 million annually) if done at scale.

“This discovery demonstrates how virtually any company could be leveraged in a targeted attack—even if that company lacks a worldwide brand, known intellectual property assets, or a Fortune 1000 listing,” the researchers say.

“Access Mining represents a scalable and economical approach for an adversary to find valuable targets.”

Link image
Webinar: How to navigate an increasingly crowded field of security solutions
Tools need to be organised and managed, issues need to be explored and resolved and all of this takes money and time. Find out more in this immersive webinar.More
Story image
Plugging the gaps: Australian organisations are leaving their defence barriers wide open
Cybercriminals are are walking through the gaping holes in Australia’s organisational defences – gaps that leadership teams don’t even realise are there.More
Story image
High-tech heist: why fending off ransomware attacks is more challenging than ever in 2020
The COVID-19 crisis has unleashed a wave of sophisticated and disruptive ransomware attacks, and the onus is on businesses to ramp up their security measures if they’re to avoid falling victim, writes Attivo Networks regional director for A/NZ Jim Cook.More
Story image
How security awareness training can safeguard companies from cyber-attacks
Training goes a long way in embedding a culture of cybersecurity compliance within the company.More
Story image
The guide to digital security in unstable times
An increase in vulnerability across different sectors has meant that 2020 has seen more than its fair share of cybersecurity incidents. One of the most effective ways to combat the perils of today’s cyber-threats is to gain a better knowledge of the threat vectors looming over the heads of organisations. More
Story image
Revealed: The behaviours exhibited by the most effective CISOs
As cyber-threats pile up, more is being asked of CISOs - and according to Gartner, only a precious few are 'excelling' by the standards of their CISO Effectiveness Index.More