This article was originally published in Brilliance Security Magazine on July 27, 2018.
Kaspersky Lab reported yesterday, “Recently, an interesting miner implementation appeared on Kaspersky Lab’s radar. The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits.”
“Cryptocurrency miners have topped the list of bad actors’ favorite weapons. Relatively easy to install, bad actors can quickly mine digital coins by hijacking unsuspecting victims’ machines and devices. Increasingly, organized, sophisticated cybercrime rings are targeting corporations. Those large systems and networks give them access to CPU power and valuable data.”
This alarming new trend robs enterprises of their valuable processing power and slows down business processes. Cryptomining is seen as becoming a replacement for more traditional ransomware.
In this blog post, Vladas Bulavas and Anatoly Kazantsev maintain that “It appears the growing popularity and rates of cryptocurrencies have convinced the bad guys of the need to invest in new mining techniques – as our data demonstrates, miners are gradually replacing ransomware Trojans.”
ComputerWeekly reported, “PowerGhost, is noteworthy for businesses as it appears to be focused on corporate environments in attacks in Brazil, Colombia, India, and Turkey. The malware has also been detected in low concentrations so far in the US, Canada, Western Europe and Russia.” ZDNet added, “the fileless malware can secretly embed itself on a single system on a network then spread to other PCs and servers across organizations” and explained that “Infections begin with the use of exploits or remote administration tools such as Windows Management Instrumentation. PowerGhost also uses fileless techniques to discreetly go about its business and ensure it isn’t detected on the network. By adopting this tactic, the PowerGhost miner isn’t stored directly on the hard drive of the infected machine, making it harder to detect.
When asked to comment on these reports, Chris Olson, CEO of The Media Trust (www.mediatrust.com), provided the following:
“Cryptocurrency miners has topped the list of bad actors’ favorite weapons. Relatively easy to install, bad actors can quickly mine digital coins by hijacking unsuspecting victims’ machines and devices. Increasingly, organized, sophisticated cybercrime rings are targeting corporations. Those large systems and networks give them access to CPU power and valuable data. To profit from their attacks, they are combining cryptomining software with a growing arsenal of techniques and exploits to escape detection, mine currency, increase payload, and steal data. Corporations will need to fortify their cyber defenses with a variety of tools and solutions. Of rising importance are the websites, which are a frequent port of entry, especially for cryptomining malware. Since most if not all enterprises have websites, they need to apply better security protections to their digital ecosystems that include real-time scanning to identify and thwart suspicious code that can otherwise wreak havoc with a company’s systems and networks.”
As new cybersecurity mitigation strategies are always being developed so users should keep software updated on all devices. Less traditional computing platforms are often the target of cryptominers, so users should not overlook any IoT devices under their control. A dedicated security solution that is empowered with application control, behavior detection, and exploit prevention components that monitor the suspicious actions of applications and blocks malicious file executions is recommended.
