Since cryptojacking malware first came onto the scene, its favorite cryptocurrency to mine at its victims' expense has been Monero (XMR). This is because XMR is far simpler to mine than Bitcoin (BTC): stolen CPU and GPU cycles are enough to compute its hashes. Check Point has now discovered a growing number of infections by a new Monero-mining cryptojacking malware, which it calls Trojan.Win32.Fsysna. It is one of the most disruptive cryptojacking malware families created so far, as it does not only mine Monero in the background but is designed to take hold of an entire network once it infects a single machine.
“The highlight of this variant is the use of legitimate IT administration tools, Windows system tools and previously disclosed Windows vulnerabilities in order to infect an entire network of PCs. The actors behind this campaign possess enough skills and experience to make this a potentially severe attack on any organization, with not-so-easy steps for remediation. Mining has always been about scale. The more machines mining, the more the income. Once a single machine is breached in an enterprise, lateral movement allows for large-scale compromise, which means more machines mining,” explained Richard Clayton, Cyber Security Research team, Check Point Software.
Trojan.Win32.Fsysna uses the open-source Mimikatz tool in order to propagate. Because not all users have administrator privileges, the malware uses the Windows Temp folder for its operations (all users, regardless of privilege, have read/write access to the Temp folder). It can detect whether the computer was infected with a previous version of itself and, if so, updates that copy to the current version soon after. Since the built-in Windows firewall blocks all non-essential ports by default, Trojan.Win32.Fsysna uses the Netsh tool that ships with Windows to open ports and attempts to connect to its command and control server for Monero mining instructions. Detection is difficult because the code that actually mines Monero is not bundled with the trojan itself but is downloaded on the fly during the infection stage.
Further into the infection stage, the malware disguises itself under the name wmiex.exe inside the Windows System folder. It is network aware, able to reset the DNS cache, and creates a scheduled task in order to turn itself into a web server service running in the background. “The use of legitimate Windows tools such as CMD, WMI and networking tools in order to inflict damage to the system and establish persistence would make these attacks harder to detect without increasing false positive detection in the organization,” added Clayton.
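The behaviours described above (execution from the Windows Temp folder, Netsh firewall changes, a scheduled task pointing into the System folder, the wmiex.exe file name, a DNS cache reset) can be turned into host-level detection logic. The following is an added example, not code from Check Point or from the report; the events are constructed Sysmon-style process-creation records, the port and file names other than wmiex.exe are placeholders, and "ipconfig /flushdns" is an assumed way of resetting the DNS cache.

```python
from collections import defaultdict

# Constructed Sysmon-style process-creation events (not real telemetry).
# Only wmiex.exe comes from the report; other names and the port are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "C:\\Windows\\Temp\\upd.exe", "cmdline": "upd.exe"},
    {"host": "ws01", "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="svc" dir=in '
                'action=allow protocol=TCP localport=PORT_PLACEHOLDER'},
    {"host": "ws01", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": 'schtasks /create /tn "WebServer" '
                '/tr C:\\Windows\\System32\\wmiex.exe /sc onstart'},
    {"host": "ws01", "image": "C:\\Windows\\System32\\wmiex.exe", "cmdline": "wmiex.exe"},
    {"host": "ws02", "image": "C:\\Windows\\System32\\ipconfig.exe",
     "cmdline": "ipconfig /flushdns"},
    {"host": "ws02", "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": "netsh interface show interface"},
]

# Each rule: (name, predicate over the lower-cased image path and command line).
RULES = [
    ("exec_from_windows_temp",
     lambda img, cmd: img.startswith("c:\\windows\\temp\\")),
    ("netsh_firewall_allow_rule",
     lambda img, cmd: img.endswith("\\netsh.exe") and "firewall" in cmd
                      and "add rule" in cmd and "action=allow" in cmd),
    ("schtasks_create_in_system_dir",
     lambda img, cmd: img.endswith("\\schtasks.exe") and "/create" in cmd
                      and "\\windows\\system32\\" in cmd),
    ("wmiex_image_name",  # file name the report says the sample hides under
     lambda img, cmd: img.endswith("\\wmiex.exe")),
    ("dns_cache_flush",   # assumption: the DNS reset is done via ipconfig /flushdns
     lambda img, cmd: img.endswith("\\ipconfig.exe") and "/flushdns" in cmd),
]

def match_rules(event):
    """Return the names of all rules a single event triggers."""
    img, cmd = event["image"].lower(), event["cmdline"].lower()
    return [name for name, pred in RULES if pred(img, cmd)]

def scan(events, min_rules=2):
    """Aggregate hits per host. A host is flagged only when it triggers at
    least min_rules distinct rules: a lone DNS flush or netsh call is normal
    admin activity, and requiring a chain limits false positives."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["host"]].update(match_rules(ev))
    per_host = {h: sorted(r) for h, r in hits.items()}
    flagged = sorted(h for h, r in per_host.items() if len(r) >= min_rules)
    return per_host, flagged
```

Running `scan(SAMPLE_EVENTS)` flags ws01 (four rules in sequence) and leaves ws02, which only flushed its DNS cache, unflagged.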
The modular approach of Trojan.Win32.Fsysna gives its authors an easy way to fine-tune it and build in more capabilities in the future. The authors can also change the predefined IP addresses of the command and control servers hardcoded in the malware at any time, evading detection by antimalware software.
“The use of open-source and script-based tools in order to make lateral movements in the organization, and increase infection rates in loosely secured organizations, also indicates the actors behind this campaign are not entirely amateurs. To avoid being a victim of this attack we advise IT professionals to download patches and updates and ensure an advanced threat prevention solution is implemented across all parts of your IT network,” said Marcel Afrahim, Check Point’s Endpoint Security & Threat Intelligence developer.