After a long time, the cryptocurrency mining script known as Coinhive has finally ceased to be a problem for system administrators and website visitors. However, cryptojacking remains one of the main cybersecurity threats. Specialists in IT security services have discovered a new malware variant that takes advantage of the victims’ hardware to mine virtual assets.
Investigators at the security firm Trend Micro detected malware capable of exploiting multiple web servers and performing brute-force attacks to install XMRig, software used to mine the cryptocurrency Monero. The malware, known as BlackSquid, was identified last May, mainly attacking servers in the United States and in Asian countries such as Thailand.
“We call this malware BlackSquid because we discovered that it employs eight known vulnerabilities, including EternalBlue, DoublePulsar, three server security failures and three web application vulnerabilities”, the IT security services mentioned.
The most dangerous feature of BlackSquid is that it employs multiple tactics to remain hidden, such as anti-virtualization, anti-debugging, and anti-sandbox checks, all before completing its installation; in other words, the malware will only install itself once it has confirmed that it has bypassed detection.
As if that were not enough, experts say that once the malware infects a system, it will try to spread to other systems on the network to widen the infection and, therefore, increase the gains for the cryptojackers.
Experts in IT security services mention that BlackSquid reaches systems through infected pages, compromised servers or removable drives, such as infected USB sticks. If it manages to bypass detection, BlackSquid installs a version of the XMRig mining script; the malware then scans the infected system looking for a video card. Graphics processing units are among the hardware components most targeted by mining malware, so if one is detected, a second component of XMRig is executed to abuse all hardware resources on the system.
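The installation behavior described above (an XMRig payload dropped after evasion checks, then running at full load) gives defenders something to look for on the host. The following is an added example, not code from the article, Trend Micro, or the BlackSquid sample: a small heuristic scan over a process listing that flags XMRig-style miners. The indicator strings (the `xmrig` binary name, the `stratum+tcp://` pool URL scheme, the `--donate-level` flag) are assumptions drawn from how XMRig is commonly invoked, not indicators published in this article, and the process listing is constructed for the example.

```python
"""
Heuristic detection of an XMRig-style miner process from a process listing.

Added example; not code from the article or from Trend Micro. The indicator
strings are assumptions based on typical XMRig usage, not article IoCs.
"""
import re
from dataclasses import dataclass

# Constructed sample snapshot: (pid, process name, command line, cpu_percent).
SAMPLE_PROCESSES = [
    (412, "svchost.exe", "C:\\Windows\\System32\\svchost.exe -k netsvcs", 1.2),
    (1190, "chrome.exe", "C:\\Program Files\\Google\\Chrome\\chrome.exe", 8.5),
    (2301, "svchost.exe",
     "C:\\Users\\Public\\svchost.exe -o stratum+tcp://pool.example:3333 "
     "-u WALLET_PLACEHOLDER --donate-level=1", 97.0),
    (2440, "xmrig.exe", "C:\\Temp\\xmrig.exe --config=config.json", 94.3),
]

# Assumed indicators: binary name and typical miner command-line fragments.
MINER_NAME_RE = re.compile(r"xmrig", re.IGNORECASE)
MINER_CMDLINE_RE = re.compile(
    r"(stratum\+tcp://|stratum\+ssl://|--donate-level|--coin=monero)",
    re.IGNORECASE,
)
# Names a dropped miner commonly borrows to blend in (assumption for the example).
MASQUERADE_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe"}
CPU_THRESHOLD = 80.0


@dataclass
class Finding:
    pid: int
    name: str
    reasons: list


def assess_process(pid, name, cmdline, cpu):
    """Return a Finding when the process looks like a miner, else None."""
    reasons = []
    if MINER_NAME_RE.search(name) or MINER_NAME_RE.search(cmdline):
        reasons.append("xmrig binary name")
    if MINER_CMDLINE_RE.search(cmdline):
        reasons.append("mining pool / XMRig flags in command line")
    # A system process name launched from outside C:\Windows is a masquerading hint.
    if name.lower() in MASQUERADE_NAMES and not cmdline.lower().startswith("c:\\windows\\"):
        reasons.append("system process name outside C:\\Windows")
    # Sustained CPU saturation alone is weak evidence (builds, games, video encoding),
    # so it only strengthens a finding that already has another indicator.
    if cpu >= CPU_THRESHOLD and reasons:
        reasons.append(f"cpu {cpu:.0f}% with other indicators")
    return Finding(pid, name, reasons) if reasons else None


def scan(processes):
    """Apply assess_process to every (pid, name, cmdline, cpu) tuple."""
    return [f for f in (assess_process(*p) for p in processes) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_PROCESSES):
        print(finding.pid, finding.name, "; ".join(finding.reasons))
```

On a real host the tuples would come from `psutil` or `tasklist /v` output rather than the constructed list; the point is that name, command line, launch path and CPU load are combined, since any one of them on its own produces too many false positives.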
Based on the behavior observed so far, specialists from the International Institute of Cyber Security (IICS) believe the malware is still in a testing stage, as its code can still be modified to expand BlackSquid’s capabilities.