Hackers Using Process Hollowing to Hide Crypto Jacking from Detection

In an attempt to hide crypto-jacking on victims’ computers, hackers have evolved their tactics and are using the process hollowing technique, per a ZDNet report.
This was revealed by three researchers from cybersecurity company Trend Micro – Arianne Dela Cruz, Jay Nebre, and Augusto Remillano – on Wednesday.

Hackers ran an organized campaign with the malware throughout November, using a notable dropper component that conceals a malicious payload, across countries including Kuwait, Thailand, India, Bangladesh, the United Arab Emirates, Brazil, and Pakistan.
A secure way to mine crypto
The report detailed that the attack technique is sophisticated because the file placed on the victim’s computer acts as both a malware dropper and a container, and is not malicious in itself. The file contains the main executable and the crypto-mining code, but keeps them inactive.
To trigger the malicious behavior, the dropper needs a specific set of command-line arguments that act as a trigger. Once executed, the file behaves like a normal file and leaves no trace of any malicious file. This technique is popularly known as process hollowing.
Moreover, to avoid malware scans, the malicious code is hidden in a directory without any file extension.
To avoid drawing attention, the malware mines digital currency, mostly Monero, in a controlled way.
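As an added example (not code from the Trend Micro report or the ZDNet article), the following Python triage check applies two of the indicators described above, an executable stored without a file extension and that executable being launched with command-line arguments, to process-creation events. The events, paths, PIDs and arguments are constructed for illustration.

```python
import ntpath
import shlex

# Constructed sample process-creation events (not real telemetry). The
# fields mirror what an EDR or Sysmon Event ID 1 record would carry.
SAMPLE_EVENTS = [
    {"pid": 1204, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"pid": 3320, "image": r"C:\Users\Public\Libraries\updater",
     "cmdline": "updater --start 7f3a"},
    {"pid": 4411, "image": r"C:\Program Files\App\app.exe",
     "cmdline": "app.exe"},
    {"pid": 5120, "image": r"C:\ProgramData\cache\loader",
     "cmdline": "loader"},
]


def lacks_extension(image_path: str) -> bool:
    """True when the executable's file name carries no extension at all."""
    name = ntpath.basename(image_path)
    return ntpath.splitext(name)[1] == ""


def has_trigger_arguments(cmdline: str) -> bool:
    """True when the process was started with at least one argument."""
    return len(shlex.split(cmdline, posix=False)) > 1


def score_event(event: dict) -> list[str]:
    """Return the names of the indicators this event matches."""
    reasons = []
    if lacks_extension(event["image"]):
        reasons.append("extensionless executable image")
        # An extensionless binary that is also handed arguments matches the
        # "dormant dropper armed by command line" pattern described above.
        if has_trigger_arguments(event["cmdline"]):
            reasons.append("extensionless image started with arguments")
    return reasons


def flag_events(events: list[dict]) -> dict[int, list[str]]:
    """Map PID to matched indicators for every event matching at least one."""
    return {e["pid"]: score_event(e) for e in events if score_event(e)}


if __name__ == "__main__":
    for pid, reasons in flag_events(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

Extensionless images are not malicious on their own, so the result is a triage list for an analyst to review, not a verdict.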
“While the number of new routines for malicious cryptocurrency, overall detections for coin mining activities have decreased this year,” the cybersecurity company explained. “We suspect that the cybercriminals behind this particular campaign may have been taking advantage of the decreased number of competitors, especially as the year comes to a close.”
To evade detection, attackers are using several techniques to profitably mine Monero on others’ computers. Late last month, Finance Magnates reported that an infamous botnet had added crypto-mining capabilities and was using YouTube to hide its activity.
