Has your organization found evidence of a cryptocurrency mining app on its computer systems? It may not be from just a criminal.
An unnamed country has been running cyberespionage attacks since the summer that included deploying Monero software coin miners, according to a new report from Microsoft. So far, this tactic has been used against organizations in France and Vietnam but it could be used elsewhere.
Secret coin mining has been used by criminals for several years, but Microsoft says this threat actor is trying to take advantage of the fact that most computer security software sends out low-priority alerts about crypto mining infections. Apparently, the hope is IT staff will pay less attention to these alerts and miss what’s really going on — attempts at deeply infiltrating corporate computer networks to steal data. And the attackers don’t mind if they make money by mining digital currency as well.
The attacker, which Microsoft dubs Bismuth, has been infiltrating organizations since 2012. The coin mining tactic is new. But, the report warns, infosec pros shouldn’t be fooled by discovering what they think is an ordinary infection. “If we learned anything from ‘commodity’ banking trojans that bring in human-operated ransomware, we know that common malware infections can be indicators of more sophisticated cyberattacks and should be treated with urgency and investigated and resolved comprehensively,” says the report.
Bismuth gets into victim organizations by sending emails to targeted employees with infected attachments. Each email was sent to only one recipient at each target organization and used tailored subject lines and lure themes. The gange is patient, sometimes emailing back and forth with a victim to establish familiarity before sending a malicious attachment.
When opened, the malicious .doc file dropped several files in the hidden ProgramData folder including MpSvc.dll, a malicious DLL with the same name as a legitimate Microsoft Defender Antivirus DLL, and a copy of MsMpEng.exe the legitimate Microsoft Defender Antivirus executable.
The use of DLL side-loading, where a legitimate DLL is replaced with a malicious one so that the latter is loaded when the associated application is run, is a hallmark of this recent campaign. In their recent attacks, copies of legitimate software are used to load the malicious DLL files and perform tasks including outdated versions of Microsoft Defender Antivirus, the Sysinternals DebugView tool, the McAfee on-demand scanner and Microsoft Word 2007.
After deploying coin miners as a distraction technique, the attacker then focused much of its efforts on credential theft.
This particular threat actor puts a strong emphasis on hiding in plain sight by blending in with normal network activity or common threats that attackers anticipate will get low-priority attention, says the report. Multiple layers of protection focused on stopping threats at the earliest possible stage and mitigating the progression of attacks if they manage to slip through are needed.
To limit exposure of this kind of attack Microsft urges infosec pros to:
- Enforce strong, randomized local administrator passwords protected with multifactor authentication.
- Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts.
- Educate end-users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email, and reporting of reconnaissance attempts and other suspicious activity.
- Turn on attack surface reduction rules, including rules that can block advanced macro activity, executable content, process creation, and process injection initiated by Office applications;
- Disallow macros or allow only macros from trusted locations.
- Check perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and command-and-control activity.