Specialists detect new and dangerous cryptocurrency mining malware in Asia and the U.S.

The in-browser cryptocurrency mining script known as Coinhive has finally ceased to be a problem for system administrators and website visitors, but cryptojacking remains one of the main cybersecurity threats. IT security researchers have discovered a new malware variant that hijacks victims' hardware to mine virtual currency.

Investigators at the security firm Trend Micro detected a malware family that exploits multiple web server vulnerabilities and performs brute force attacks to install XMRig, an open-source miner for the cryptocurrency Monero. The malware, known as BlackSquid, was identified last May, mainly attacking servers in the United States and in Asian countries such as Thailand.

“We call this malware BlackSquid because we discovered that it employs eight known vulnerabilities, including EternalBlue, DoublePulsar, three server security failures and three web application vulnerabilities,” the Trend Micro researchers wrote.

The most dangerous feature of BlackSquid is that it employs multiple tactics to stay hidden: anti-virtualization, anti-debugging and anti-sandbox checks, all run before it completes its installation. In other words, the malware installs itself only when those checks indicate it is running on a real victim machine rather than inside an analysis environment.

As if that were not enough, experts say that once the malware infects a system it tries to spread to other systems on the network, enlarging the infection and, with it, the cryptojackers' gains.

Experts in IT security services mention that BlackSquid reaches systems through infected web pages, compromised servers or removable drives such as infected USB sticks. If it bypasses detection, BlackSquid installs a copy of the XMRig miner and then scans the infected system for a video card. Graphics processing units are among the hardware components most targeted by mining malware, so if one is detected a second XMRig component is executed to abuse all of the system's hardware resources.
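The behavior described above (an XMRig CPU miner, followed by a second XMRig component when a GPU is present) leaves traces in process listings that a defender can hunt for. The following Python script is an added example written for this article; it is not code from Trend Micro or from the BlackSquid authors. It scores process records against heuristics for XMRig-style activity: stratum pool URLs, XMRig command-line options, Monero-shaped wallet addresses, common pool ports and mining algorithm names. The process records, pool hosts and wallet string are constructed sample data, not real indicators, and the weights and threshold are assumptions to be tuned per environment.

```python
"""Hunt for XMRig-style cryptominer activity in process command lines.

Added example for this article. Indicators are heuristics drawn from the
public XMRig project's option names; weights/threshold are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample data: "<pid> <command line>" as a process export might
# look. Pool hosts and the wallet are made up and are NOT real IOCs.
FAKE_WALLET = "4" + "A" * 94  # 95 base58 chars, the shape of a Monero address
SAMPLE_PROCESSES = [
    "1201 C:\\Windows\\System32\\svchost.exe -k netsvcs",
    f"2310 C:\\Users\\Public\\xmrig.exe -o stratum+tcp://pool.example.net:3333 "
    f"-u {FAKE_WALLET} --donate-level 1 -k",
    "2322 C:\\Users\\Public\\xmrig-nvidia.exe -o stratum+tcp://pool.example.net:3333 "
    "-u worker1 --cuda-devices 0",
    "3001 C:\\Program Files\\Mozilla Firefox\\firefox.exe",
    # Renamed binary with only weak indicators: algorithm name and pool port.
    "3150 C:\\Windows\\Temp\\update.exe -a cryptonight -o pool.example.org:5555 -u worker2",
]

BASE58 = "1-9A-HJ-NP-Za-km-z"
INDICATORS = [
    ("stratum_url", re.compile(r"stratum\+(?:tcp|ssl)://", re.I)),
    ("miner_option", re.compile(r"(?:^|\s)--(?:donate-level|algo|url|user|pass|keepalive|threads)\b")),
    ("gpu_option", re.compile(r"(?:^|\s)--(?:cuda|opencl)\b")),
    ("monero_wallet", re.compile(rf"(?<![{BASE58}])[48][{BASE58}]{{94}}(?![{BASE58}])")),
    ("pool_port", re.compile(r":(?:3333|4444|5555|7777|14444)\b")),
    ("algo_name", re.compile(r"\b(?:cryptonight|randomx|rx/0|cn/r)\b", re.I)),
    ("miner_binary", re.compile(r"xmrig", re.I)),
    ("gpu_binary", re.compile(r"xmrig-(?:nvidia|amd|cuda)", re.I)),
]
# Assumed weights: strong indicators (pool protocol, wallet) outweigh weak ones.
WEIGHTS = {
    "stratum_url": 3, "monero_wallet": 3, "miner_binary": 2, "gpu_binary": 2,
    "miner_option": 2, "gpu_option": 2, "algo_name": 2, "pool_port": 1,
}
THRESHOLD = 3  # assumed; low enough to catch a renamed miner with two weak hits
GPU_INDICATORS = {"gpu_option", "gpu_binary"}


@dataclass
class Finding:
    pid: int
    command: str
    score: int
    indicators: list[str]


def score_process(record: str) -> Finding | None:
    """Return a Finding if the record's command line scores at or above THRESHOLD."""
    pid_str, _, command = record.strip().partition(" ")
    hits = [name for name, rx in INDICATORS if rx.search(command)]
    score = sum(WEIGHTS[h] for h in hits)
    if score < THRESHOLD:
        return None
    return Finding(int(pid_str), command, score, hits)


def hunt(records: list[str]) -> dict:
    """Score every record and note whether a GPU mining component is also present,
    mirroring the CPU-miner-plus-GPU-component pattern described in the article."""
    suspects = [f for f in map(score_process, records) if f is not None]
    gpu_component = any(GPU_INDICATORS & set(f.indicators) for f in suspects)
    return {"suspects": suspects, "gpu_component": gpu_component}


if __name__ == "__main__":
    result = hunt(SAMPLE_PROCESSES)
    for f in result["suspects"]:
        print(f"pid {f.pid} score {f.score}: {', '.join(f.indicators)}")
    print("GPU mining component present:", result["gpu_component"])
```

In the constructed data the two XMRig processes score highly on several indicators, while the renamed `update.exe` is flagged only because the algorithm name and a typical pool port together reach the threshold; an analyst would confirm such weak hits with network telemetry (outbound connections to the pool host) before acting. Matching on `xmrig` in the binary name alone would miss the renamed case, which is why the score combines independent indicators.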

Given the behavior observed so far, specialists from the International Institute of Cyber Security (IICS) believe the malware is still in a testing stage, as its code can still be modified to expand BlackSquid's capabilities.
