A cryptomining infection managed to spread to half of all workstations at a major international airport in Europe – shining a spotlight on security for operational tech and IT convergence.
Researchers at Cyberbit found the XMRig Monero mining malware, which was a known strain called “Playerz,” but which skated by antivirus solutions on the endpoints by adding a new tweak.
The malware “was modified just enough to evade the vast majority of existing signatures for it” according to Meir Brown, head of research at Cyberbit, adding that it was detected by only 16 out of 73 detection products on VirusTotal.
“The modification was really simple: the MD5 was modified, however, the attacker kept the use of the original tools and even the original file names…which is an indication of simple modification, nevertheless this was sufficient to evade most AV products,” he told Threatpost.
The malicious mining activity also raised no red flags with airport personnel, according to an analysis posted this week by the firm.
“Its business impact was relatively minor, limited to performance degradations leading to quality of service and service interruptions, as well as a significant increase in power consumption throughout the airport,” the analysis noted. “The malware may have been used for months.”
This is the advantage of cryptomining for financially motivated threat actors, according to Brown: Persistence.
“We see growing usage of cryptominers in recent attacks and we see a trend to switch from ransomware to mining,” he told Threatpost. “Since ransomware attacks are more visible by nature they tend to ‘burn down’ faster. In this specific attack the malware was active for months without any indication.”
Cyberbit was tipped off to the presence of the malware while installing a security solution at the location. It observed the PAExec tool being used, which is a legitimate service used for running Windows programs on remote systems without having to physically install software on those systems. The suspicious part was that it was used several times in a short period to launch an application named player.exe.
Further, once up and running, player.exe was seen using reflective DLL loading, which the firm said is a technique for remotely injecting a DLL library into a process without using the Windows loader, thus avoiding having to access the hard drive. In short, it was clear that a remote user was attempting to stealthily access the network – multiple times.
Further digging uncovered that PAExec was being used to escalate privileges and execute the coinminer in system mode, so the miner would take priority over any other application for the use of workstation resources. Then, the reflective DLL technique was employed to load additional DLLs from memory for the cryptocurrency miner, meaning that “the file is not fetched from the hard drive and would not go through file-based detection systems like AV and most NGAV systems,” according to Cyberbit
While in this case the attackers were looking to mine Monero cryptocurrency, the fact they were able to infiltrate the network remotely and spread laterally to 50 percent of all workstations – while remaining hidden – is alarming, Brown said – especially given the unique security issues and threat surfaces present at airports.
“With the increased convergence of IT and OT networks, we strongly urge airports to also ramp up the protection of their OT network, which is used to control physical airport systems,” the firm concluded.
source: Threatpost
Sign up our newsletter for update information, insight and promotion.
