Cybercrime has evolved over the years, with new strategies and tools for bringing individuals and institutions down. Earlier this week, cybersecurity firm Trend Micro published a report revealing how hackers have been using malware droppers against their victims, as cases of their use have started to increase. As the report notes, hackers use these droppers to conceal malicious code and disseminate it to victim computers, intending to use the victims' combined computing power to mine cryptocurrencies.
Hiding in Plain Sight
As the company explained, the beauty of this malware is that the code concealed in the dropper isn't malicious in itself. Instead, the hackers need to ensure that it has been placed exactly where they want it, then trigger it with a series of commands. The code uses a technique known as process "hollowing" to stay concealed and dormant on the victim's computer, and the hackers can activate it whenever they please.
The report added, “As the dropped file is only made of skeletal code with no behavior on its own, the file can stay undetected in the system and possibly evade even manual detection when dormant. The attackers can choose to activate the malware at specific times.”
The malware droppers have been predominantly used across Asian and South American countries, with Trend Micro noting prominent use in countries such as Brazil, India, Bangladesh, and Kuwait. Criminals favor droppers to mine Monero, a privacy-focused asset that can then be moved and laundered without any detection.
Malware Use is Changing
The use of cryptocurrency malware has exploded this year once more, as attackers have noted the increase in crypto prices and have been more than willing to devise means to profit off the computing power of others.
However, what has been particularly notable is the way that malware has evolved this year to avoid detection. Earlier this year, researchers from IT security firm Varonis released a report detailing how they came across Norman, a cryptojacking tool that can seamlessly adapt to its environment.
As the report showed, Norman works in the same way as every cryptojacking tool: it gets installed through any of several means and uses the computer's processing power to mine cryptocurrency. However, its standout feature is its ability to shut itself down as soon as it detects that the Task Manager on the victim's computer has been opened. Once the Task Manager is closed, Norman wakes up again and is hard at work making some hacker rich.
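A defender-side heuristic for the hide-on-Task-Manager behaviour described above, written as an added example (not code from the Varonis report or the article): it scans a constructed process start/stop log and flags images that die within seconds of Task Manager starting and reappear within seconds of it closing. The log format, the image names and the five-second window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of process start/stop events ("timestamp,event,pid,image");
# the image names are placeholders, not indicators from the Varonis report.
SAMPLE_LOG = """\
2019-08-01T10:00:00,START,4120,updater.exe
2019-08-01T10:05:00,START,5212,taskmgr.exe
2019-08-01T10:05:01,STOP,4120,updater.exe
2019-08-01T10:06:30,STOP,5212,taskmgr.exe
2019-08-01T10:06:32,START,4388,updater.exe
2019-08-01T10:20:00,START,5300,taskmgr.exe
2019-08-01T10:20:01,STOP,4388,updater.exe
2019-08-01T10:21:00,STOP,5300,taskmgr.exe
2019-08-01T10:21:01,START,4402,updater.exe
2019-08-01T10:30:00,STOP,6001,notepad.exe
"""

def parse_events(text):
    """Parse log lines into (timestamp, event, pid, image) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, event, pid, image = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), event, int(pid), image.lower()))
    return sorted(events, key=lambda e: e[0])

def taskmgr_sessions(events, monitor="taskmgr.exe"):
    """Pair each START of the monitoring tool with its STOP (matched by pid)."""
    open_sessions, sessions = {}, []
    for ts, event, pid, image in events:
        if image != monitor:
            continue
        if event == "START":
            open_sessions[pid] = ts
        elif event == "STOP" and pid in open_sessions:
            sessions.append((open_sessions.pop(pid), ts))
    return sessions

def find_evasive_images(text, window=timedelta(seconds=5), min_cycles=2):
    """Images that stop right after Task Manager opens and start again right
    after it closes, in at least min_cycles separate Task Manager sessions."""
    events = parse_events(text)
    cycles = {}
    for tm_start, tm_stop in taskmgr_sessions(events):
        stopped = {img for ts, ev, _, img in events
                   if ev == "STOP" and tm_start <= ts <= tm_start + window}
        restarted = {img for ts, ev, _, img in events
                     if ev == "START" and tm_stop <= ts <= tm_stop + window}
        for img in stopped & restarted:
            cycles[img] = cycles.get(img, 0) + 1
    return sorted(img for img, n in cycles.items() if n >= min_cycles)
```

On the sample log only `updater.exe` is flagged; a single coincidental restart does not reach the two-cycle threshold, which keeps legitimate services that happen to restart near a Task Manager session out of the result.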
Just like the malware dropper, Norman mines Monero as well. As Varonis noted, the tool is based on XMRig, a high-performance mining software for Monero. It was also found to be written in the popular programming language PHP, with Zend Guard (a PHP encoding product) helping to keep it hidden from the victim computer's Task Manager.
Varonis pointed out that the tool's underlying code contains many French variable names, leading the researchers to believe that French hackers might be responsible.