Crypto-Mining Malware Rising Fast, Hackers Increasingly Targeting Cloud

Check Point’s mid-year cyber-attack report reveals that 42 percent of organizations globally have been hit by crypto-mining intrusions and that sophisticated attacks on cloud infrastructures are growing.

Cryptomining

During the last couple of years, cyber-security has been largely about the huge influx of malware flowing through the veins of the internet. The problem hasn’t gone away by any means, but now in 2018 there’s an even larger threat: crypto-mining-specific malware.

Check Point Software, a global provider of cyber-security solutions, on July 12 released its “Cyber Attack Trends: 2018 Mid-Year Report,” revealing that cyber-criminals are aggressively targeting organizations by using crypto-mining malware to develop illegal revenue streams. At the same time, cloud infrastructures appear to be the growing target among threat actors. 

Crypto-currency mining, or crypto-mining, is a process in which transactions for various forms of crypto-currency are verified and added to a blockchain digital ledger. In order to be competitive with other crypto-miners, though, a crypto-currency miner needs a computer with specialized hardware.

Crypto-mining malware enables cyber-criminals to hijack the victim’s CPU or GPU power and existing resources to mine crypto-currency, using as much as 65 percent of the end-user’s CPU power.  The top three most common malware variants seen in H1 2018 were all crypto-miners.

Instances of crypto-mining malware have doubled in six months

Between January and June 2018, the number of organizations impacted by crypto-mining malware doubled to 42 percent, compared to 20.5 percent in the second half of 2017. This is very alarming.

In a new trend, Check Point detected an increasing number of attacks targeting cloud infrastructures. With organizations moving more of their IT estates and data to cloud environments, criminals are turning to the cloud to exploit its vast computational power and multiply their profits.

The “Cyber Attack Trends: 2018 Mid-Year Report” gives a detailed overview of the cyber-threat landscape in the top malware categories – crypto-miners, ransomware, banking and mobile. These findings are based on data drawn from Check Point’s ThreatCloud intelligence between January and June 2018, highlighting the key tactics cyber-criminals are using to attack businesses.

“The first half of this year saw criminals continue the trend we observed at the end of 2017, and take full advantage of stealthy crypto-mining malware to maximize their revenues,” Maya Horowitz, Threat Intelligence Group Manager at Check Point, said in a media advisory.  “We’ve also seen increasingly sophisticated attacks against cloud infrastructures and multi-platform environments emerging. 

“These multi-vector, fast-moving, large-scale Gen V (fifth-generation) attacks are becoming more and more frequent, and organizations need to adopt a multi-layered cybersecurity strategy that prevents these attacks from taking hold of their networks and data.”

Key malware trends in 2018 First Half

Here are details on the malware trends from Check Point's researchers, detected during the last six months:

  • Crypto-currency miners evolve: In 2018, crypto-miners have been upgraded with vastly improved capabilities, becoming more sophisticated and even destructive. Motivated by a clear interest to increase the percentage of computational resources leveraged and be even more profitable, crypto-miners today target anything that could be perceived as being in their way. Crypto-miners have also highly evolved recently to exploit high profile vulnerabilities and to evade sandboxes and security products in order to expand their infection rates.
  • Hackers move to the cloud:  So far this year, there have been a number of sophisticated techniques and tools exploited against cloud storage services. Several cloud-based attacks, mainly those involving data exfiltration and information disclosure, derived from poor security practices, including credentials left available on public source code repositories or the use of weak passwords. Crypto-miners are also, targeting cloud infrastructures to exploit its computational power and multiply profits for threat actors.
  • Multi-platform attacks on the rise: Up until the end of 2017, multi-platform malware was rare. However, the rise in the number of consumer connected devices and the growing market share of non-Windows operating systems has led to an increase in cross-platform malware. Campaign operators implement various techniques in order to take control over the campaigns’ different infected platforms.
  • Mobile malware spread via the supply chain: In the first half of this year, there has been several incidences where mobile malware that has not been downloaded from a malicious URL, but instead arrived already installed within the device. In addition, there was an increase in applications readily available on app stores that were actually malware under disguise, including Banking Trojans, Adware and sophisticated remote access Trojans (RATs).

Top Crypto-miners during 2018 first half

  1. Coinhive (30 percent): A crypto-miner designed to perform online mining of the Monero crypto-currency without the user's approval when a user visits a web page.  Coinhive only emerged in September 2017 but has hit 12 percent of organizations worldwide hit by it.
  2. Cryptoloot (23 percent): A JavaScript Crypto-miner, designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user's approval.
  3. JSEcoin (17 percent): Web-based Crypto miner designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user's approval.

Top Ransomware During 2018 first half

  1. Locky (40 percent): Ransomware that spreads mainly via spam emails containing a downloader, disguised as a Word or Zip attachment, before installing malware that encrypts the user files.
  2. WannaCry (35 percent): Ransomware that was spread in a large scale attack in May 2017, utilizing a Windows SMB exploit called EternalBlue, in order to propagate within and between networks.
  3. Globeimposter (8 percent): Distributed by spam campaigns, malvertising and exploit kits. Upon encryption, the ransomware appends the .crypt extension to each encrypted file.

Top mobile malware during 2018 first half

  1. Triada (51 percent): A Modular Backdoor for Android which grants superuser privileges to downloaded malware, as it helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
  2. Lokibot (19 percent): A mobile banking Trojan which targets Android smartphones and turns into a Ransomware, upon an attempt of the victim trying to remove its admin privileges.
  3. Hidad (10 percent): Android malware which repackages legitimate apps and then releases them to a third-party store. It is able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.

Top banking malware during 2017 second half 

  1. Ramnit (29 percent): A banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  2. Dorkbot (22 percent): A banking Trojan which steals the victim’s credentials using web-injects, activated as the user tries to login to their banking website.
  3. Zeus (14 percent): A Trojan that targets Windows platforms and often uses them to steal banking information by man-in-the-browser keystroke logging and form grabbing.

Check Point claims that its ThreatCloud intelligence is the largest collaborative network to fight cybercrime and that it delivers threat data and attack trends from a global network of threat sensors.

The ThreatCloud database holds more than 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

A full PDF copy of the report is available here.

Chris Preimesberger

Chris J. Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 13 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...