Thursday, November 30, 2023

Hackers Use Process Hollowing Technique to Deploy Monero Miner and Evade Defenses

Researchers observed a new crypto-mining malware campaign that uses a process hollowing method and a dropper component to deploy Monero miner on windows installations.

Process hollowing is a method to hide the presence of the process by replacing it with a secondary process. and the dropper file acts as a container. Malicious activity can be triggered only by supplying correct arguments.

The dropper file is not malicious, it needs a specific set command argument to trigger the malicious activity, this allows attackers to evade detection.

Monero Miner Infection

Trend Micro observed a sharp increase in malicious activity starting from November, the campaign primarily targets Kuwait, Thailand, India, Bangladesh, the United Arab Emirates, Brazil, and Pakistan.

“The dropper is a 64-bit binary packed with malicious code, upon execution it checks for certain arguments passed to it and verify it upon unpacking.”

The malware infection goes through two stages, the first stage performs an arithmetic operation on alphanumeric strings, researchers examined the alphanumeric string and it includes information including cryptocurrency wallet address which is the required argument to trigger the malicious activity.

Once the dropper executed with correct arguments it drops and executes the wakecobs[.]exe process in the suspended state and the dropper replaces the process memory malicious code which allows XMRig miner to run on the background.

The XMRig abuses the computer’s resources to mine Monero blocks, it causes the computer to overheat and to perform poorly.

Monero is the primary choice of crypto-mining malware operations because of it’s attractive features like untraceable transactions and proof-of-work algorithm CryptoNight which is suitable for normal PC CPUs without requiring any special devices.

Indicators of Compromise (IoCs)

SHA256

dd775ba66d6921035cc0cda61a6abff8f118a04a31eea082523157b48add4821
04b495ee51e370fc93f431553bfdb592f678543c432137016d9ba4c64901a92a

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates

Website

Latest articles

Chrome Zero-Day Vulnerability That Exploited In The Wild

Google has fixed the sixth Chrome zero-day bug that was exploited in the wild this...

Iranian Mobile Banking Malware Steal Login Credentials & Steal OTP Codes

An Android malware campaign was previously discovered that distributed banking trojans targeting four major...

BLUFFS: Six New Attacks that Break Secrecy of Bluetooth Sessions

Six novel Bluetooth attack methods have been discovered, which were named BLUFFS (Bluetooth Forward...

Google Workspace’s Design Flaw Allows Attacker Unauthorized Access

Recent years saw a surge in cloud tech adoption, highlighting the efficiency through tools...

Serial ‘SIM Swapper’ Sentenced to Eight Years in Prison

In a digital age marred by deceit, 25-year-old Amir Hossein Golshan stands as a...

Design Flaw in Domain-Wide Delegation Could Leave Google Workspace Vulnerable to Takeover – Hunters

BOSTON, MASS. and TEL AVIV, ISRAEL, November 28, 2023 - A severe design flaw...

Hackers Behind High-Profile Ransomware Attacks on 71 Countries Arrested

Hackers launched ransomware attacks to extort money from the following two entities by encrypting...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles