In a new twist on malware types, cybercriminals are beginning to retrofit ransomware that has been around for a few years with new capabilities to illegally mine or steal cryptocurrencies like Bitcoin and Monero.
Cybersecurity firms Fortinet and Kaspersky Lab recently have seen instances in which iterations of ransomware are being armed with the ability to steal Bitcoin or compute power to mine cryptocurrencies.
Kaspersky researchers have detailed an update to the 5-year-old Trojan-Ransom.Win32.Rakhni malware family. Once installed on a victim’s system, the malware goes through a checklist before deciding whether to install its typical ransomware or deploy a cryptominer that will enable it to siphon computer power from the system.
“The decision to download the cryptor or the miner depends on the presence of the folder %AppData%\Bitcoin,” Kaspersky researchers Egor Vasilenko and Orkhan Mamedov wrote in a blog post. “If the folder exists, the downloader decides to download the cryptor. If the folder doesn’t exist and the machine has more than two logical processors, the miner will be downloaded. If there’s no folder and just one logical processor, the downloader jumps to its worm component.”
Similarly, Fortinet analysts discovered malware that is based on the Jigsaw ransomware first found in April 2013. The new ransomware strain now also enables attackers to steal Bitcoin by changing the addresses of victims’ wallets to some of 10,000 existing Bitcoin addresses it has on file and then having the payments sent to accounts held by the bad actor.
There have been other instances where methods used in ransomware were repurposed for cryptocurrency mining. That includes malware that used the BlueEternal exploit that was foundational to last year’s WannaCry ransomware attack in a cryptojacking campaign dubbed WannaMine.
The authors behind the malware are looking to take advantage of the money that can be reaped through stealing and mining cryptocurrencies. Last year, due in large part of WannaCry and other malware that followed its lead, ransomware was the most popular attack in use. However, that started to change late last year, and now a range of cybersecurity vendors--including Check Point Software, Malwarebytes and McAfee--have seen the number of cryptomining attacks skyrocket in the first half of 2018.
It’s not surprising. While ransomware is still growing in sophistication, it’s a noisy attack method that requires the attackers to announce their presence and relies on others to act--in this case, make a payment. Cryptomining can run under the radar more easily, stealing enough CPU cycles to perform the compute-intensive task of mining cryptocurrencies but often not enough to alert victims that the malware is running on their system.
Now attackers are repurposing older ransomware to get cryptoming malware into systems, which makes sense, according to Eric Ogren, security analyst with 451 Research. The delivery methods are the same--often by enticing users to open a malicious file or click on a link to a bad site--and then the malware is deployed.
“Basically, once it gets int there, it looks around and says, ‘What else can I do here?’” Ogren told ITPro Today.
Given that, it’s not surprising that malware writers will reuse malicious code that’s already out there, Anthony Giandomenico, senior security strategist and researcher with Fortinet, told ITPro Today in an email, adding that he expects to continue to see the combining of threats, especially as it relates to cryptojacking.
“As the cybercrime ecosystem matures, there is a lot of malicious software out there, and many times that software is leaked to others or to the public,” Giandomenico said. “When it’s leaked, it is usually picked up by other bad actors and either reused as is or modified or enhanced. Why reinvent the wheel when you have the wheel and you can just focus on enhancing it? It’s all about efficiency. It’s all about the mighty dollar. They say that necessity is the mother of invention, but in the cyber dark world it’s money that drives invention.”
He pointed to the Mirai botnet as an example. The source code was leaked in 2016 and since then variants have arisen with new features, such as the OMB Botnet, which was discovered this year and uses a new function that turns Internet of Things (IoT) devices into proxy servers.
In the case of the crypojacking malware that was based on the Jigsaw ransomware, Fortinet researchers said that although the malware was based on the ransomware, the behavior was different. Rather than encrypt a victim’s data, “it will replace the bitcoin address to the address of an attacker, thereby sending money to another wallet. One would think that when copying a person would clearly see the replacement of the addresses. However, this malware has an interesting feature--it cleverly replaces the legit address with a forged one having similar (or the same) symbols at the beginning and the end of the string,” researchers Evgeny Ananin and Artem Semenchenko wrote in a blog post.
Fortinet’s Giandomenico said code reuse is not unusual and is used by legitimate developers. For malware writers, “speed is key as adversaries work to evade detection,” he said. “In addition to reusing code, adversaries will also look at their successful predecessors for gleaning techniques for malware propagation. Last year WannaCry used the EternalBlue vulnerability to propagate from system to system, which proved to be very successful. Now other malware [uses] that very same technique to propagate and move laterally within the networks. CryptoJacking malware now uses that technique as well. Sometimes looking in the past will allow you to excel into the future.”