Carbon Black (NASDAQ: CBLK), a cloud-native endpoint protection leader, recently released a threat report describing attacks in which cryptocurrency mining malware also harvests information about, and access to, the infected systems for possible sale on the dark web.
Dubbed “Access mining” by Carbon Black researchers, this particular attack can affect more than 500,000 computers worldwide. The methods used could pave the way for more dangerous and more far-reaching attacks, as threats considered to be of lower priority can open the door to more advanced and targeted attacks, which can be sold to the highest bidder.
The discovery was made after CB ThreatSight™ alerted Carbon Black to unusual behavior seen on a handful of endpoints. The subsequent investigation revealed sophisticated multi-stage malware that sent detailed system metadata to a network of hijacked web servers. It is presumed that the purpose is to resell this access in one or more remote access markets on the dark web.
Carbon Black researchers Greg Foss and Marina Liang presented their research in a report called “Access Mining: How a Prominent Cryptomining Botnet Is Paving the Way for a Lucrative and Illicit Revenue Model.”
In the report, both researchers raise the following:
Access Mining is a tactic in which an attacker takes advantage of the footprint and distribution of commodity malware, in this case a cryptocurrency miner, and uses it to mask a hidden agenda of selling access to specific machines on the dark web. This discovery indicates that there is a greater tendency to develop malware that evolves to mask a darker purpose. This will likely catalyze a change in the way cybersecurity professionals classify, investigate, and protect themselves from threats.
Key findings of the report include at least 500,000 machines affected. They add that 60% of the victims come from the Asia Pacific region, and the rest from Russia and Eastern Europe. They also point out that attackers are increasingly using reused tools, modified exploits, and stolen infrastructure.
In previous campaigns, a modified version of the XMRig miner was used to mine Monero. In addition to the modified XMRig, the research showed that the group now uses open source tools and easily available malware, such as Mimikatz and EternalBlue, that have been modified to pivot from infected systems and expand the reach of its campaign.
The research also highlights an unexpected link between the Smominru cryptocurrency mining malware and the MyKings botnet, which is described in the full report. Modified versions of Cacls, XMRig, and EternalBlue were also used. Researchers found that by sourcing most of the code from sites like GitHub, the attackers were able to iterate faster on gaining access.
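The behavior the report describes combines four things a defender can correlate on a single host: a commodity miner, credential theft (Mimikatz-style access to LSASS), lateral movement over SMB (the EternalBlue-style pivot), and an outbound upload of host inventory. The following is an added example, not code from the Carbon Black report or from CB ThreatSight, of a simple correlation rule that scores endpoint telemetry for that pattern so that a miner alert is escalated when the other stages are also present. The event format, hostnames, process names, IP addresses, port list and thresholds are all constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample telemetry, one JSON event per line (hypothetical EDR export).
# ws-017 shows the full chain; srv-db1 is a plain miner; ws-042 is benign browsing.
SAMPLE_EVENTS = """
{"host":"ws-017","type":"netconn","proc":"svchost.exe","dst":"203.0.113.7","port":3333,"cpu":97}
{"host":"ws-017","type":"proc_access","proc":"rundll32.exe","target":"lsass.exe"}
{"host":"ws-017","type":"netconn","proc":"spoolsv.exe","dst":"10.0.0.23","port":445}
{"host":"ws-017","type":"http","proc":"svchost.exe","method":"POST","dst":"198.51.100.9","bytes":5800,"uri":"/stat.php"}
{"host":"ws-042","type":"netconn","proc":"chrome.exe","dst":"93.184.216.34","port":443,"cpu":5}
{"host":"ws-042","type":"http","proc":"chrome.exe","method":"GET","dst":"93.184.216.34","bytes":120,"uri":"/"}
{"host":"srv-db1","type":"netconn","proc":"explorer.exe","dst":"203.0.113.7","port":14444,"cpu":99}
"""

# Assumed rule parameters; tune these to the environment, they are not from the report.
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}   # ports commonly used by mining pools
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
SMB_ALLOWED = {"system"}                          # processes expected to open outbound SMB
LSASS_ALLOWED = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
CPU_HOT = 80           # sustained CPU percent typical of a miner
EXFIL_MIN_BYTES = 2000  # an inventory upload is larger than a beacon
ALERT_THRESHOLD = 5    # mining alone (weight 2) never reaches this

# Rule weights: credential theft is the strongest signal that access is the real goal.
RULE_WEIGHTS = {
    "miner_pool_conn": 2,
    "lsass_access": 3,
    "smb_lateral": 2,
    "inventory_post": 2,
}


def classify(ev):
    """Return the name of the rule an event matches, or None."""
    proc = ev.get("proc", "").lower()
    kind = ev.get("type")
    if kind == "netconn":
        if ev.get("port") in POOL_PORTS and proc not in BROWSERS and ev.get("cpu", 0) >= CPU_HOT:
            return "miner_pool_conn"
        if ev.get("port") == 445 and proc not in SMB_ALLOWED:
            return "smb_lateral"
    elif kind == "proc_access":
        if ev.get("target", "").lower() == "lsass.exe" and proc not in LSASS_ALLOWED:
            return "lsass_access"
    elif kind == "http":
        if ev.get("method") == "POST" and proc not in BROWSERS and ev.get("bytes", 0) >= EXFIL_MIN_BYTES:
            return "inventory_post"
    return None


def parse_events(text):
    """Parse newline-delimited JSON telemetry into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def score_hosts(events):
    """Correlate per host: each distinct matched rule adds its weight once.

    Returns {host: (score, sorted list of matched rule names)}; hosts with
    no matching events are omitted.
    """
    hits = defaultdict(set)
    for ev in events:
        rule = classify(ev)
        if rule:
            hits[ev["host"]].add(rule)
    return {
        host: (sum(RULE_WEIGHTS[r] for r in rules), sorted(rules))
        for host, rules in hits.items()
    }


def access_mining_candidates(events, threshold=ALERT_THRESHOLD):
    """Hosts whose combined score suggests more than plain cryptomining."""
    return sorted(
        host for host, (score, _) in score_hosts(events).items() if score >= threshold
    )


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for host, (score, rules) in sorted(score_hosts(events).items()):
        print(f"{host}: score={score} rules={rules}")
    print("escalate:", access_mining_candidates(events))
```

Only ws-017 crosses the threshold: the miner connection by itself scores 2 on srv-db1, which is the kind of low-priority alert the report warns gets dismissed, while the LSASS access, SMB pivot and large POST on ws-017 raise it to 9. Scoring distinct rules rather than raw event counts keeps a noisy miner from out-scoring a single credential-theft event.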
Commodity malware combined with access for sale
The business model for Access Mining generally combines a profit stream from cryptocurrency mining with a profit stream from the sale of access to the system. Both can be very lucrative. According to estimates based on the latest findings, the gains can reach up to $1.6 million per year if the operation is run at scale.
“This discovery demonstrates how virtually any company could be leveraged in a targeted attack, even if that company lacks a global brand, known intellectual property assets, or a place on the Fortune 1000 list,” the researchers said. “Access Mining represents a scalable and cost-effective approach for an adversary to find valuable targets,” they conclude.