{"id":19883,"date":"2022-08-18T09:00:53","date_gmt":"2022-08-18T17:00:53","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/08\/18\/news-13616\/"},"modified":"2022-08-18T09:00:53","modified_gmt":"2022-08-18T17:00:53","slug":"news-13616","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/08\/18\/news-13616\/","title":{"rendered":"Hardware-based threat defense against increasingly complex cryptojackers"},"content":{"rendered":"<p><strong>Credit to Author: Microsoft 365 Defender Threat Intelligence Team| Date: Thu, 18 Aug 2022 17:00:00 +0000<\/strong><\/p>\n<p>Even with the dip in the value of cryptocurrencies in the past few months, cryptojackers \u2013 trojanized coin miners that attackers distribute to use compromised devices\u2019 computing power for their objectives \u2013 continue to be widespread. In the past several months, Microsoft Defender Antivirus detected cryptojackers on hundreds of thousands of devices every month. These threats also continue to evolve: recent cryptojackers have become stealthier, leveraging living-off-the-land binaries (LOLBins) to evade detection.<\/p>\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig1-devices-cryptojackers.png\" alt=\"Column chart representing number of devices where Microsoft Defender Antivirus detected cryptojackers seen monthly from January to July 2022.\" class=\"wp-image-120128\" width=\"650\" height=\"367\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig1-devices-cryptojackers.png 1818w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig1-devices-cryptojackers-300x169.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig1-devices-cryptojackers-1024x578.png 1024w, 
https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig1-devices-cryptojackers-768x433.png 768w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig1-devices-cryptojackers-1536x867.png 1536w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig1-devices-cryptojackers-1083x609.png 1083w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig1-devices-cryptojackers-539x303.png 539w\" sizes=\"auto, (max-width: 650px) 100vw, 650px\" \/><figcaption><em>Figure 1. Chart showing number of devices on which Microsoft Defender Antivirus detected cryptojackers from January to July 2022.<\/em><\/figcaption><\/figure>\n<p>To provide advanced protection against these increasingly complex and evasive threats, Microsoft Defender Antivirus uses various sensors and detection technologies, including its <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/04\/26\/defending-against-cryptojacking-with-microsoft-defender-for-endpoint-and-intel-tdt\/\">integration with Intel\u00ae Threat Detection Technology (TDT)<\/a>, which applies machine learning to low-level CPU telemetry to detect threats even when the malware is obfuscated and can evade security tools.<\/p>\n<p>Using this silicon-based threat detection, Defender analyzes signals from the CPU performance monitoring unit (PMU) to detect malware code execution \u201cfingerprint\u201d at run time and gain unique insights into malware at their final execution point, the CPU. 
The combined actions of monitoring at the hardware level, analyzing patterns of CPU usage, and using threat intelligence and machine learning at the software level enable the technology to defend against cryptojacking effectively.<\/p>\n<p>In this blog post, we share details from our monitoring and observation of cryptojackers and how the integration of Intel TDT and Microsoft Defender Antivirus detects and blocks this complex threat.<\/p>\n<h2>Looking at the current cryptojacker landscape<\/h2>\n<p>There are many ways to force a device to mine cryptocurrency without a user\u2019s knowledge or consent. The three most common approaches used by cryptojackers are the following:<\/p>\n<ul>\n<li><strong>Executable: <\/strong>These are typically potentially unwanted applications (PUAs) or malicious executable files placed on the devices and designed to use system resources to mine cryptocurrencies.<\/li>\n<li><strong>Browser-based: <\/strong>These miners are typically in the form of JavaScript (or similar technology) and perform their function in a web browser, consuming resources for as long as the browser remains open on the website where they are hosted. These miners are commonly injected into legitimate websites without the owner&#8217;s knowledge or consent. In other cases, the miners are intentionally included in attacker-owned or less reputable websites that users might visit.<\/li>\n<li><strong>Fileless: <\/strong>These cryptojackers perform mining in a device&#8217;s memory and achieve persistence by misusing legitimate tools and LOLBins.<\/li>\n<\/ul>\n<p>The executable and browser-based approaches involve malicious code that\u2019s present in either the filesystem or website that can be relatively easily detected and blocked. The fileless approach, on the other hand, misuses local system binaries or preinstalled tools to mine using the device\u2019s memory. 
This approach allows attackers to achieve their goals without relying on specific code or files. Moreover, the fileless approach enables cryptojackers to be delivered silently and evade detection. These make the fileless approach more attractive to attackers.<\/p>\n<p>While newer cryptojackers use the fileless approach, its engagement of the hardware, which it relies on for its mining algorithm, becomes one of the ways to detect cryptojacking activities.<\/p>\n<h2>Misuse of LOLBins in recent cryptojacking campaigns<\/h2>\n<p>Through its various sensors and advanced detection methodologies, including its integration with Intel TDT, Microsoft Defender Antivirus sees cryptojackers that take advantage of legitimate system binaries on more than 200,000 devices daily.<\/p>\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig2-devices-cryptojackers-misuse-lolbin-1024x578.png\" alt=\"Column chart showing total number of devices where cryptojackers misusing legitimate system binaries were detected based on daily observation from July 25 to July 31, 2022.\" class=\"wp-image-120131\" width=\"650\" height=\"367\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig2-devices-cryptojackers-misuse-lolbin-1024x578.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig2-devices-cryptojackers-misuse-lolbin-300x169.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig2-devices-cryptojackers-misuse-lolbin-768x433.png 768w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig2-devices-cryptojackers-misuse-lolbin-1536x867.png 1536w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig2-devices-cryptojackers-misuse-lolbin-1083x609.png 1083w, 
https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig2-devices-cryptojackers-misuse-lolbin-539x303.png 539w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig2-devices-cryptojackers-misuse-lolbin.png 1818w\" sizes=\"auto, (max-width: 650px) 100vw, 650px\" \/><figcaption><em>Figure 2. Chart showing the number of devices targeted by cryptojackers that misuse legitimate system binaries observed July 25-31, 2022.<\/em><\/figcaption><\/figure>\n<p>Attackers heavily favor the misuse of <em>notepad.exe<\/em> among several legitimate system tools in observed campaigns<em>.<\/em><\/p>\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig3-lolbins-cryptojackers-abuse-1024x671.png\" alt=\"Donut pie chart showing percentage of legitimate system binaries commonly abused by cryptojackers based on the observation period of July 25-31, 2022.\" class=\"wp-image-120134\" width=\"650\" height=\"426\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig3-lolbins-cryptojackers-abuse-1024x671.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig3-lolbins-cryptojackers-abuse-300x197.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig3-lolbins-cryptojackers-abuse-768x503.png 768w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig3-lolbins-cryptojackers-abuse-1536x1006.png 1536w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig3-lolbins-cryptojackers-abuse-200x130.png 200w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig3-lolbins-cryptojackers-abuse.png 1818w\" sizes=\"auto, (max-width: 650px) 100vw, 650px\" \/><figcaption><em>Figure 3. 
The chart shows that notepad.exe is the most abused tool based on the cryptojacking attacks observed from July 25-31, 2022.<\/em><\/figcaption><\/figure>\n<p>We analyzed an interesting cryptojacking campaign abusing <em>notepad.exe<\/em> and several other binaries to carry out its routines. This campaign used an updated version of the cryptojacker known as <a href=\"https:\/\/decoded.avast.io\/janrubin\/complex-obfuscation-meh\/\" target=\"_blank\" rel=\"noreferrer noopener\">Mehcrypt<\/a>. This new version packs all of its routines into one script and connects to a command-and-control (C2) server in the latter part of its attack chain, a significant update from the old version, which ran a script to access its C2 and download additional components that then perform malicious actions.<\/p>\n<p>The threat arrives as an archive file containing <em>autoit.exe<\/em> and a heavily obfuscated, randomly named .au3 script. Opening the archive file launches <em>autoit.exe<\/em>, which decodes the .au3 script in memory. 
Once running, the script further decodes several layers of obfuscation and loads additional decoded scripts in memory.<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"637\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig4-crypojacker-attack-chain-1024x637.png\" alt=\"Attack flow of Mehcrypt abusing legitimate system binaries to carry out its malicious routines.\" class=\"wp-image-120137\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig4-crypojacker-attack-chain-1024x637.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig4-crypojacker-attack-chain-300x187.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig4-crypojacker-attack-chain-768x478.png 768w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig4-crypojacker-attack-chain-1536x956.png 1536w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig4-crypojacker-attack-chain.png 1667w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption><em>Figure 4. Infection chain of a new variant of Mehcrypt leveraging several binaries to launch its malicious routines.<\/em><\/figcaption><\/figure>\n<p>The script then copies itself and <em>autoit.exe<\/em> into a randomly named folder in <em>C:\\ProgramData<\/em>. 
The script creates a scheduled task to delete the original files and adds autostart registry entries to run the script every time the device starts.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"125\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig5-autostart-entries.png\" alt=\"Screenshot of a cryptojacker's created registry entry for persistence.\" class=\"wp-image-120140\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig5-autostart-entries.png 800w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig5-autostart-entries-300x47.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig5-autostart-entries-768x120.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption><em>Figure 5. The malware creates an autostart registry entry to maintain persistence.<\/em><\/figcaption><\/figure>\n<p>After adding persistence mechanisms, the script then loads malicious code into <em>VBC.exe<\/em> via <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2017\/07\/12\/detecting-stealthier-cross-process-injection-techniques-with-windows-defender-atp-process-hollowing-and-atom-bombing\/\">process hollowing<\/a> and connects to a C2 server to listen for commands. 
Based on the C2 response, the script loads its cryptojacking code into <em>notepad.exe<\/em>, likewise via process hollowing.<\/p>\n<p>At this point, as the threat starts its cryptojacking operation via malicious code injected into <em>notepad.exe<\/em>, a huge jump in CPU usage can be observed:<\/p>\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig6-CPU-usage.png\" alt=\"Screenshot of CPU utilization showing a spike when the malware began its malicious routines.\" class=\"wp-image-120143\" width=\"415\" height=\"298\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig6-CPU-usage.png 829w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig6-CPU-usage-300x215.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/08\/Fig6-CPU-usage-768x551.png 768w\" sizes=\"auto, (max-width: 415px) 100vw, 415px\" \/><figcaption><em>Figure 6. CPU usage shows a significant spike and continued maximum utilization as malicious activities are carried out. &nbsp;<\/em><\/figcaption><\/figure>\n<p>This high CPU usage anomaly is analyzed in real-time by both Intel TDT and Microsoft Defender Antivirus. Based on Intel TDT\u2019s machine learning-based correlation of CPU telemetry and other suspicious activities like process injection into system binaries, Microsoft Defender Antivirus blocks the process execution (<a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Behavior:Win32\/CoinMiner.CN!tdt&amp;ThreatID=2147815089\">Behavior:Win32\/CoinMiner.CN!tdt<\/a>), and Microsoft Defender for Endpoint raises an alert. 
<\/p>\n<h2>Advanced threat detection technology helps stop cryptojacking activities<\/h2>\n<p>To detect evasive cryptojackers, <a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/microsoft-defender-antivirus-windows\">Microsoft Defender Antivirus<\/a> and <a href=\"https:\/\/www.intel.com\/content\/www\/us\/en\/architecture-and-technology\/threat-detection-technology-brief.html\" target=\"_blank\" rel=\"noreferrer noopener\">Intel TDT<\/a> <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/04\/26\/defending-against-cryptojacking-with-microsoft-defender-for-endpoint-and-intel-tdt\/\" target=\"_blank\" rel=\"noreferrer noopener\">work together<\/a> to monitor and correlate hardware and software threat data. Intel TDT leverages signals from the CPU, analyzing these signals to detect patterns modeled after cryptojacking activity using machine learning. Microsoft Defender Antivirus then uses these signals and applies its threat intelligence and machine learning techniques to identify and block the action at the software level.<\/p>\n<p>Intel TDT has added several performance improvements and optimizations, such as offloading the machine learning inference to Intel\u2019s integrated graphics processing unit (GPU) to enable continuous monitoring. This capability is available on Intel Core\u2122 processors and Intel vPro\u00ae branded platforms from the 6<sup>th<\/sup> generation onwards. 
By design, Microsoft Defender Antivirus leverages these offloading capabilities where applicable.<\/p>\n<p>In addition to industry partnerships, Microsoft\u2019s consistent monitoring of the threat landscape powers the threat intelligence that feeds into products like Microsoft Defender Antivirus and Microsoft Defender for Endpoint, where knowledge is translated to customer protection in real-time.<\/p>\n<p><em><strong>Suriyaraj Natarajan, Andrea Lelli, Amitrajit Banerjee<\/strong><br \/>Microsoft 365 Defender Research Team<\/em><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/08\/18\/hardware-based-threat-defense-against-increasingly-complex-cryptojackers\/\">Hardware-based threat defense against increasingly complex cryptojackers<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Microsoft 365 Defender Threat Intelligence Team| Date: Thu, 18 Aug 2022 17:00:00 +0000<\/strong><\/p>\n<p>To provide advanced protection against increasingly complex and evasive cryptojackers, Microsoft Defender Antivirus integrates with Intel\u00ae Threat Detection Technology (TDT) that applies machine learning to low-level CPU telemetry in detecting cryptojackers, even when the malware is obfuscated and can evade security tools.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/08\/18\/hardware-based-threat-defense-against-increasingly-complex-cryptojackers\/\">Hardware-based threat defense against increasingly complex cryptojackers<\/a> appeared first on <a rel=\"nofollow\" 
href=\"https:\/\/www.microsoft.com\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[17204,26173,16415,4500,27311,22453],"class_list":["post-19883","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-coin-miners","tag-cryptojacker","tag-cryptojacking","tag-cybersecurity","tag-hardware-based-threat-defense","tag-microsoft-security-intelligence"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19883","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19883"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19883\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19883"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19883"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19883"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}