Security against increasingly advanced Cryptojackers using Hardware-based Threat Technology

Posted by Marbenz Antonio on September 6, 2022

Despite the recent decline in the value of cryptocurrencies, cryptojackers—trojanized currency miners that attackers distribute in order to use the processing power of infected devices for their own gain—remain common. In each of the past several months, Microsoft Defender Antivirus has found cryptojackers on tens of thousands of devices. These threats also keep evolving: recent cryptojackers have improved their stealth by using living-off-the-land binaries (LOLBins) to avoid detection.

Figure 1. Column chart showing the number of devices on which Microsoft Defender Antivirus detected cryptojackers each month from January to July 2022.

To provide advanced protection against these increasingly complex and evasive threats, Microsoft Defender Antivirus integrates with Intel® Threat Detection Technology (TDT), which applies machine learning to low-level CPU telemetry to detect threats even when the malware is obfuscated and would otherwise evade security tools.

Microsoft Defender uses this silicon-based threat detection to examine signals from the CPU performance monitoring unit (PMU), finding the “fingerprint” of malware code execution at runtime and gaining visibility into the CPU, where malware is ultimately executed. The combination of hardware-level monitoring, CPU usage pattern analysis, and software-level threat intelligence and machine learning is what makes effective defense against cryptojacking possible.

In this blog article, we discuss specifics from our monitoring and observation of cryptojackers, and how the combination of Intel TDT and Microsoft Defender Antivirus detects and neutralizes this complex threat.

Analyzing the current cryptojacker landscape

There are many ways to force a device to mine bitcoin without the user’s knowledge or consent. The three methods cryptojackers most commonly use are:

  • Executable: These are typically malicious executable files or potentially unwanted applications (PUAs) installed on the device that mine bitcoin using the system’s resources.
  • Browser-based: These miners usually take the form of JavaScript (or a similar technology) and run in the web browser, consuming the visitor’s device resources for as long as the browser stays open on the hosting page. They are often planted on trustworthy websites without the owner’s knowledge or consent. In other cases, the miners are deliberately embedded in attacker-operated or lower-quality websites that visitors are lured to.
  • Fileless: These cryptojackers use legitimate tools and LOLBins to carry out mining in the device’s memory and to maintain persistence.

The executable and browser-based techniques both rely on malicious code that lives in either the filesystem or a website, which makes it very simple to identify and block. The fileless method, on the other hand, uses preinstalled tools or local system binaries to mine in the device’s memory. With this approach, attackers can achieve their objectives without depending on specific code or files, and the cryptojacker can be delivered covertly and evade detection. As a result, attackers find the fileless approach more appealing.

Even when newer cryptojackers use the fileless method, their mining algorithm still has to interact with the hardware it depends on, and that interaction is one way to spot cryptojacking activity.

Misuse of LOLBins in recent cryptojacking campaigns

Microsoft Defender Antivirus detects cryptojackers on more than 200,000 devices per day using a variety of sensors and innovative detection techniques, including its integration with Intel TDT.

Figure 2. Column chart showing the daily number of devices on which cryptojackers misusing legitimate system binaries were observed, July 25-31, 2022.

In the campaigns we have observed, attackers strongly favor misusing notepad.exe over the many other legitimate system utilities available to them.

Figure 3. Donut chart showing the share of legitimate system binaries abused by cryptojackers in the attacks observed July 25-31, 2022; notepad.exe is the most abused tool.

We investigated an interesting cryptojacking campaign that used notepad.exe and several other programs to carry out its operations. The campaign employed an improved version of the cryptojacker known as Mehcrypt. The previous version used a script to reach its command-and-control (C2) server and download additional components that then performed the malicious actions. The new version is a significant step up: it condenses all of its routines into a single script and only connects to a C2 server in the final stage of its attack chain.

The threat is delivered as an archive file containing autoit.exe and a heavily obfuscated, randomly named .au3 script. When the archive is opened, autoit.exe starts and decodes the .au3 script in memory. As the script runs, it continues to decode further obfuscation layers and loads the additional decoded scripts into memory.

Figure 4. Infection chain of the new Mehcrypt variant, which abuses several legitimate system binaries to launch its malicious routines.

The script then drops a copy of itself and autoit.exe into a folder under C:\ProgramData with an arbitrary name. It sets autostart registry entries so that the script runs each time the device starts, and creates a scheduled task to delete the original files.

Figure 5. Screenshot of the autostart registry entry the malware creates to maintain persistence.

After establishing persistence, the script uses process hollowing to load malicious code into VBC.exe, and that code connects to a C2 server and waits for commands. Depending on the C2 response, the script then uses process hollowing again to load its cryptojacking code into notepad.exe.

At this point, a sharp increase in CPU usage can be seen as the malware launches its cryptojacking operation through the malicious code injected into notepad.exe:

Figure 6. Screenshot of CPU utilization showing a significant spike and sustained maximum utilization while the malicious activities run.

Intel TDT and Microsoft Defender Antivirus both examine this abnormally high CPU utilization in real time. Microsoft Defender Antivirus blocks the process (Behavior:Win32/CoinMiner.CN!TDT), and Microsoft Defender for Endpoint raises an alert based on Intel TDT’s machine learning correlation of CPU telemetry with other suspicious activity, such as process injection into system binaries.
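The chain above leaves two host-side artifacts a defender can hunt for without PMU access: a system binary that should be idle (notepad.exe, the hollowed VBC.exe) pinned at high CPU for a sustained period, and a Run-key value launching AutoIt with an .au3 script out of ProgramData. The script below is an added example, not Microsoft’s or Intel’s code; the process samples, PIDs, paths, value names and thresholds are all constructed for illustration.

```python
"""Toy hunting logic for the Mehcrypt-style chain described above (added example)."""
from collections import defaultdict

# Constructed per-second process samples: (second, pid, image, cpu_percent).
CPU_SAMPLES = (
    [(t, 4120, "notepad.exe", 97.0) for t in range(0, 8)]     # hollowed notepad: pegged for 8 s
    + [(t, 8800, "notepad.exe", 99.0) for t in range(0, 3)]   # brief spike (large file), then idle
    + [(t, 8800, "notepad.exe", 1.0) for t in range(3, 8)]
    + [(t, 1500, "explorer.exe", 95.0) for t in range(0, 8)]  # busy, but not a "quiet" binary
)

# Constructed HKCU\...\Run values as (value_name, command_line); paths are made up.
RUN_KEYS = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("Update", r"C:\ProgramData\svc9f2\autoit.exe C:\ProgramData\svc9f2\x1k.au3"),
]

# System binaries that have no business burning CPU for seconds on end.
QUIET_BINARIES = {"notepad.exe", "vbc.exe"}


def sustained_high_cpu(samples, threshold=90.0, min_seconds=5):
    """Return {pid: image} for quiet binaries at or above `threshold` for
    at least `min_seconds` consecutive samples (Figure 6 pattern)."""
    streak = defaultdict(int)
    flagged = {}
    for _, pid, image, cpu in sorted(samples):   # sorted by time, then pid
        image = image.lower()
        if image in QUIET_BINARIES and cpu >= threshold:
            streak[pid] += 1
            if streak[pid] >= min_seconds:
                flagged[pid] = image
        else:
            streak[pid] = 0                       # any dip resets the streak
    return flagged


def suspicious_autostarts(run_keys):
    """Return Run value names that launch AutoIt with an .au3 script from
    ProgramData (the persistence entry shown in Figure 5)."""
    hits = []
    for name, cmd in run_keys:
        c = cmd.lower()
        if "autoit" in c and ".au3" in c and "\\programdata\\" in c:
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("sustained CPU:", sustained_high_cpu(CPU_SAMPLES))   # {4120: 'notepad.exe'}
    print("autostarts:", suspicious_autostarts(RUN_KEYS))      # ['Update']
```

Either signal alone is noisy (a huge file in Notepad also spikes CPU); together, as the text describes for TDT’s correlation, they are a much stronger indicator.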

Advanced threat detection technology helps stop cryptojacking activity

Microsoft Defender Antivirus and Intel TDT jointly monitor and correlate hardware- and software-level threat data to find evasive cryptojackers. Using signals from the CPU, Intel TDT applies machine learning to identify patterns that resemble cryptojacking activity. Microsoft Defender Antivirus then combines these signals with its own threat intelligence and machine learning to recognize and block the activity at the software level.

To make continuous monitoring practical, Intel TDT has implemented performance improvements and optimizations such as offloading the machine learning inference to Intel’s integrated graphics processing unit (GPU). This feature is supported on Intel Core™ processors from the 6th generation onward and on platforms bearing the Intel vPro® name. Microsoft Defender Antivirus is designed to use this offloading whenever it is available.

The threat intelligence that feeds products such as Microsoft Defender Antivirus and Microsoft Defender for Endpoint, where it is turned into customer protection in real time, is powered by Microsoft’s continuous monitoring of the threat landscape together with its industry partnerships.
