Researchers at Trend Micro have observed a new technique that uses process hollowing for Monero mining. It has been used by attackers since early November and is geo-targeted mainly at users in Kuwait, Thailand, India, Bangladesh, the United Arab Emirates, Brazil and Pakistan.
Along with process hollowing, the technique drops another file that acts as a container. This dropper file is of no use on its own, and its malicious nature remains hidden unless a specific set of command-line arguments is used to trigger it. Researchers say, “The dropper is a 64-bit binary containing a packed malicious code, and we found the executable checking the arguments passed to it and verifying it upon unpacking.”
They further found that the infection routine is divided into two stages. The first stage involves an arithmetic operation on alphanumeric strings. “This is used to decrypt the information from the arguments including the cryptocurrency wallet address of the cybercriminals specified as part of the required arguments sent to trigger the malicious file and enable the coinmining activity.”
In the second stage, once the correct arguments are supplied, the dropper starts a child process called wakecobs.exe and injects the malicious code into it, so the miner runs undetected in the background.
Researchers describe the technique as highly dangerous because “the dropper evades manual scanning and detection by injecting the malicious code in a dropped file, and hiding itself in a different directory without an extension.” This process hollowing cryptomining technique also goes undetected by whitebox, sandbox and blackbox analysis, making it harder for IT security teams to find the dropper files.
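As an added illustration (not code from Trend Micro's report), the following Python sketch checks the behaviours the researchers describe (an extension-less image on disk, long opaque alphanumeric arguments, and a wakecobs.exe child spawned by such a parent) against constructed process-creation records; the record format and the argument pattern are assumptions.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 5208, "ppid": 2900, "image": r"C:\Users\Public\Libraries\ajdflk",  # no extension
     "cmdline": "ajdflk 9f2kd83ja02ksd92 qpe83kdj1k4j2la9 x1"},
    {"pid": 5320, "ppid": 5208, "image": r"C:\Users\Public\Libraries\wakecobs.exe",
     "cmdline": "wakecobs.exe"},
    {"pid": 6001, "ppid": 812, "image": r"C:\Program Files\Tool\tool.exe",
     "cmdline": "tool.exe --config settings.ini"},
]

# Child process name taken from the report; the "opaque argument" pattern is an assumption
# standing in for the encrypted alphanumeric arguments the dropper expects.
SUSPECT_CHILD = "wakecobs.exe"
OPAQUE_ARG = re.compile(r"^[A-Za-z0-9]{12,}$")


def basename(path):
    """Last path component of a Windows-style path."""
    return path.rsplit("\\", 1)[-1]


def flag_event(ev, by_pid):
    """Return the list of reasons an event looks suspicious, or [] if clean."""
    reasons = []
    name = basename(ev["image"])
    if "." not in name:
        reasons.append("image has no file extension")
    args = ev["cmdline"].split()[1:]
    if sum(1 for a in args if OPAQUE_ARG.match(a)) >= 2:
        reasons.append("multiple long opaque alphanumeric arguments")
    if name.lower() == SUSPECT_CHILD:
        parent = by_pid.get(ev["ppid"])
        if parent and "." not in basename(parent["image"]):
            reasons.append(f"{SUSPECT_CHILD} spawned by extension-less parent")
    return reasons


def scan(events):
    """Map pid -> reasons for every event that triggers at least one check."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        reasons = flag_event(e, by_pid)
        if reasons:
            hits[e["pid"]] = reasons
    return hits
```

The parent/child check is what ties the dropper to its miner; each indicator on its own is weak, so treat single hits as leads for review rather than verdicts.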
Earlier, Trend Micro had also reported a sudden rise in fileless attacks, also known as zero-footprint or non-malware attacks. This method does not install any malicious software on the user’s computer; instead, it abuses applications already installed on the device.
Trend Micro stated that cybercriminals are using increasingly sophisticated attack formats that are not visible to traditional security controls, which therefore require constant manual and proactive monitoring by each organization's IT security team.