Monday, November 25, 2024
HomecryptocurrencyHackers Use Process Hollowing Technique to Deploy Monero Miner and Evade Defenses

Hackers Use Process Hollowing Technique to Deploy Monero Miner and Evade Defenses

Published on

Researchers observed a new crypto-mining malware campaign that uses a process hollowing method and a dropper component to deploy Monero miner on windows installations.

Process hollowing is a method to hide the presence of the process by replacing it with a secondary process. and the dropper file acts as a container. Malicious activity can be triggered only by supplying correct arguments.

The dropper file is not malicious, it needs a specific set command argument to trigger the malicious activity, this allows attackers to evade detection.

- Advertisement - SIEM as a Service

Monero Miner Infection

Trend Micro observed a sharp increase in malicious activity starting from November, the campaign primarily targets Kuwait, Thailand, India, Bangladesh, the United Arab Emirates, Brazil, and Pakistan.

“The dropper is a 64-bit binary packed with malicious code, upon execution it checks for certain arguments passed to it and verify it upon unpacking.”

The malware infection goes through two stages, the first stage performs an arithmetic operation on alphanumeric strings, researchers examined the alphanumeric string and it includes information including cryptocurrency wallet address which is the required argument to trigger the malicious activity.

Once the dropper executed with correct arguments it drops and executes the wakecobs[.]exe process in the suspended state and the dropper replaces the process memory malicious code which allows XMRig miner to run on the background.

The XMRig abuses the computer’s resources to mine Monero blocks, it causes the computer to overheat and to perform poorly.

Monero is the primary choice of crypto-mining malware operations because of it’s attractive features like untraceable transactions and proof-of-work algorithm CryptoNight which is suitable for normal PC CPUs without requiring any special devices.

Indicators of Compromise (IoCs)

SHA256

dd775ba66d6921035cc0cda61a6abff8f118a04a31eea082523157b48add4821
04b495ee51e370fc93f431553bfdb592f678543c432137016d9ba4c64901a92a

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities,...

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and...

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip,...

Massive Credit Card Leak, Database of 1,221,551 Cards Circulating on Dark Web

A massive data breach has sent shockwaves across the globe, as a database containing...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as...

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to...

145,000 ICS Systems, Thousands of HMIs Exposed to Cyber Attacks

Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new...