How could a cryptominer attack affect organizations?<\/strong><\/p>\n Cryptojacking attacks not only puts the security of corporate and personal information at risk but also significantly impacts the performance and lifespan of affected IT assets. Threat groups operating crypto-mining malware often exploit vulnerabilities in technology commonly used by all organizations, aiming to distribute cryptominers and integrate victim devices into Botnet networks such as Mirai<\/em> or Tsunami<\/em>. This can cause severe consequences on an organization’s infrastructure. Mirai<\/em>, known for its DDoS attacks, can cause massive disruptions to services and systems. Additionally, this attack can be an initial access vector for more dangerous attacks such as ransomware, damaging reputation and causing financial losses to organizations.<\/p>\n Although carrying out\u00a0cryptomining\u00a0activities is not inherently malicious, threat actors use malicious techniques to mine cryptocurrencies on other people’s devices and exploit their resources illicitly with a financial motivation. This activity is known as cryptojacking and converts to cryptoMiners in a threat.<\/p>\n Currently, there are three types of cryptojacking:<\/p>\n In-browser cryptojacking<\/strong><\/p>\n This technique has\u00a0been used\u00a0since\u00a02011\u00a0when the\u00a0cryptomining\u00a0trend\u00a0began,\u00a0and Bitcoin became popular; it resurged in 2017 with the appearance of CoinHive<\/em><\/a>, one of that year’s most maliciously used legal crypto mining services.<\/p>\n This type of attack does not require user permissions and usually maintains persistence by hiding the browser windows that perform the mining.<\/p>\n The exploitation of the stolen resources, in this case, is carried out through a cryptomining script, generally written in JavaScript, which may be embedded in a site or web application, in malicious ads, on websites that allow the execution of third-party services for tracking tools<\/a> or analytics services<\/a>, in web extensions that can perform mining and through Man-in-the-Middle activities since, once the victim’s web traffic has been captured, it is possible to inject the cryptomining script within non-HTTPS traffic.<\/p>\n Although it is currently not one of the most common techniques for performing cryptojacking, it is still used to a lesser extent.<\/a><\/p>\n <\/p>\n In-host cryptojacking<\/strong><\/p>\n In this technique, threat actors use cryptominers to access the host’s resources, turning the infected device into a computer dedicated to mining cryptocurrencies without the victim’s knowledge.<\/p>\n Unlike the previous technique, a cryptominer must be installed on the host system. Hence, its delivery and installation method is through social engineering, vulnerability exploitation, or Drive-by-Download.<\/p>\n The first to act during a cryptojacking in-host infection is an external tool or intermediary malware, such as a script, a dropper, a worm, or a trojan that upon entering the system, is in charge and initiates the attack flow and whose tasks may include:<\/p>\n Once the\u00a0cryptominer\u00a0is up and running, it initiates a connection to the threat actor’s mining pool using a web socket or an API. Through this pool, the cryptominer receives the operations needed to calculate a hash, and send its results back, which is why the cryptominer must be in constant communication with it. This feature can be handy in identifying if a device is compromised.<\/p>\n In-memory cryptojacking<\/strong><\/p>\n This type of cryptojacking typically employs the same initial infection vector as In-host cryptojacking and delivers the payload through the same means. However, unlike In-host cryptojacking, the files are not maintained for the\u00a0cryptominer’s\u00a0execution. Instead, a fileless technique is used to avoid leaving evidence in the system making the cryptominer more challenging to detect and eliminate.<\/p>\n Once the operators successfully breach the victim’s computer, whether through vulnerability exploitation or intermediary malware, they inject the payload into a process that goes unnoticed by the user,\u00a0such as\u00a0a PowerShell process. This meticulous process, often involving the preparation of the equipment for mining, creation of persistence, downloading and execution of the necessary components for lateral movement and mining, and finally, the downloading and injection of the cryptominer into a process, demonstrates their advanced technical skills. The connection with the mining pool is then initiated, and the threat actor is contacted through a C2 channel.<\/p>\n Based on SCILabs telemetry, cryptojacking attacks are carried out by multiple threat actors, even by inexperienced operators or without extensive technical capabilities. However, two threat groups, Red BerryMiner<\/em> and 8220 Gang<\/em>, are of interest because, in addition to installing crypto miners, they deploy other types of malware, such as Botnets and even ransomware, as in the case of 8220 Gang<\/em>.<\/p>\n In this post, we will not provide a detailed investigation of these threat groups, as SCILabs has already published information about them<\/a>, and there are various public investigations<\/a> where additional information can be found. We intend to provide information that raises awareness about the danger these types of threats can represent.<\/p>\n Main countries and sectors affected by cryptojacking attack<\/strong><\/p>\n As cybersecurity professionals, IT administrators, and business leaders in Latin America, you must be aware of the potential impact of cryptojacking attacks on the\u00a0main\u00a0countries and sectors. Our telemetry shows that Mexico, Brazil, Argentina, Ecuador, Venezuela, Colombia, Peru, Bolivia, Chile, Paraguay, and the industrial, services, and telecommunications\u00a0sectors,\u00a0are particularly vulnerable.<\/a><\/p>\n Threat groups related to cryptojacking attacks.<\/strong><\/p>\n As mentioned in this publication, according to SCILabs telemetry we will only provide a general context of the principal threat groups that affect Latin America.<\/p>\n 8220<\/em><\/strong> Gang<\/strong><\/em><\/a><\/p>\n The 8220 Gang<\/em> is a long-standing threat group that exploits vulnerabilities in cloud servers to initiate an infection process in the network of victim organizations. The group then uses the infected devices for cryptocurrency mining activities. This threat group has been operating since 2017: a testament to its persistence and the seriousness of the threat it poses.<\/p>\n This group of threats can maintain command and control communication on the victim’s servers, which allows it to download any artifacts, such as ransomware threats, specifically campaigns related to the GranCrab<\/em><\/a>\u00a0ransomware family have been observed.<\/p>\n Among the principal vulnerabilities that this group of threats uses are the following:<\/p>\nCharacteristics of cryptominer attacks<\/h1>\n
\n
![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/In-Browser_cryptojacking_Flow.jpg\")
\n
![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/In-Host_cryptojacking_Flow.jpg\")
![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/In-Memory_cryptojacking_Flow.jpg\")
Current landscape<\/h1>\n
![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/LATAM_cryptojacking_MAP_eng.jpg\")
![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/Cryptojacking_Attack_Flow.jpg\")
![\"\"](\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2024\/05\/TTPs_cryptojacking_attack_en.jpg\")
<\/p>\n