Microsoft: Cryptojackers Continue to Evolve to Be Stealthier and Spread Faster

Trojanized cryptocurrency miners, also known as cryptojackers, continue to spread across computers around the world while becoming stealthier and increasingly evading detection.

The data comes from Microsoft’s 365 Defender Research Team, which published a new analysis of cryptojackers on its blog on Thursday.

“In the past several months, Microsoft Defender Antivirus detected cryptojackers on hundreds of thousands of devices every month,” read the technical write-up.

“These threats also continue to evolve: recent cryptojackers have become stealthier, leveraging living-off-the-land binaries (LOLBins) to evade detection.”

According to the Microsoft report, cryptojackers use several tactics to force a device to mine cryptocurrency without the user’s knowledge or consent. The most common are potentially unwanted applications (PUAs) or malicious executable files placed on the device that use its system resources to mine cryptocurrency.

Additionally, Microsoft said cryptojackers are often written in JavaScript and, in that case, infiltrate systems through the browser. The technology giant also warned that some cryptojackers are fileless: they perform mining in the device’s memory and achieve persistence by misusing legitimate tools and LOLBins.

“This approach allows attackers to achieve their goals without relying on specific code or files,” Microsoft explained. “Moreover, the fileless approach enables cryptojackers to be delivered silently and evade detection. These make the fileless approach more attractive to attackers.”

Even in this case, however, the malware can be detected by analyzing its interaction with the hardware it relies on to run its mining algorithm.
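As an added illustration of that detection idea (example code written for this article, not Microsoft's or Intel TDT's implementation), here is a small Python heuristic over constructed process telemetry: it flags a living-off-the-land binary whose CPU use stays high for a sustained window, the kind of hardware-usage signal a fileless miner cannot hide simply by leaving no file on disk. The LOLBin list, the thresholds and the sample events are all assumptions chosen for the example.

```python
"""Sustained-CPU heuristic for fileless cryptojacking (added example, not Microsoft's code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcSample:
    ts: int          # seconds since monitoring started
    pid: int
    image: str       # process image name, lower-case
    parent: str      # parent image name
    cpu: float       # percent of one core consumed since the previous sample


# Assumption for this example: which images count as LOLBins. The article only
# says "legitimate tools and LOLBins"; this short list is illustrative.
LOLBINS = {"powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe"}

# Constructed sample telemetry (not real data), one sample every 15 seconds.
SAMPLE_EVENTS = [
    # pid 4100: a script-launched PowerShell pegged above 90% for two minutes
    *[ProcSample(t, 4100, "powershell.exe", "wscript.exe", c)
      for t, c in zip(range(0, 135, 15), [91, 94, 96, 93, 97, 95, 92, 96, 94])],
    # pid 2200: an interactive PowerShell with one short spike, then idle
    ProcSample(0, 2200, "powershell.exe", "explorer.exe", 95),
    ProcSample(15, 2200, "powershell.exe", "explorer.exe", 12),
    ProcSample(30, 2200, "powershell.exe", "explorer.exe", 3),
    # pid 3300: a browser that is busy but is not a LOLBin (out of scope here;
    # the article notes browser-based JavaScript miners are a separate case)
    *[ProcSample(t, 3300, "chrome.exe", "explorer.exe", 88) for t in range(0, 135, 15)],
    # pid 5500: rundll32 with high CPU in two interrupted bursts (15 s and 45 s)
    *[ProcSample(t, 5500, "rundll32.exe", "svchost.exe", c)
      for t, c in zip(range(0, 105, 15), [85, 88, 9, 87, 90, 89, 91])],
]


def sustained_cpu_windows(samples, cpu_threshold):
    """Return (start_ts, end_ts, mean_cpu) for the longest run of consecutive
    samples, in time order, at or above cpu_threshold; None if there is none."""
    ordered = sorted(samples, key=lambda s: s.ts)
    best = None
    run = []
    for s in ordered + [None]:          # sentinel flushes the final run
        if s is not None and s.cpu >= cpu_threshold:
            run.append(s)
            continue
        if run:
            span = run[-1].ts - run[0].ts
            if best is None or span > best[1] - best[0]:
                best = (run[0].ts, run[-1].ts, sum(r.cpu for r in run) / len(run))
            run = []
    return best


def find_suspected_miners(samples, cpu_threshold=80.0, min_duration=60):
    """Flag LOLBin processes whose CPU stays at/above cpu_threshold for at
    least min_duration seconds without interruption. Thresholds are assumed."""
    by_pid = defaultdict(list)
    for s in samples:
        by_pid[s.pid].append(s)
    findings = []
    for pid, procs in sorted(by_pid.items()):
        image = procs[0].image
        if image not in LOLBINS:        # this rule only covers LOLBin abuse
            continue
        window = sustained_cpu_windows(procs, cpu_threshold)
        if window is None:
            continue
        start, end, mean_cpu = window
        if end - start >= min_duration:
            findings.append({"pid": pid, "image": image, "parent": procs[0].parent,
                             "duration_s": end - start, "mean_cpu": round(mean_cpu, 1)})
    return findings


if __name__ == "__main__":
    for f in find_suspected_miners(SAMPLE_EVENTS):
        print(f"suspect pid={f['pid']} {f['image']} (parent {f['parent']}) "
              f"{f['duration_s']}s at {f['mean_cpu']}% CPU")
```

The rule deliberately keys on behaviour rather than on a file hash: the pegged PowerShell instance is flagged, the brief interactive spike and the interrupted rundll32 bursts are not, and lowering `min_duration` trades fewer misses for more false positives on legitimately busy tooling.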

“Through its various sensors and advanced detection methodologies, including its integration with Intel TDT, Microsoft Defender Antivirus sees cryptojackers that take advantage of legitimate system binaries on more than 200,000 devices daily,” Microsoft said.

The advisory comes weeks after Microsoft published a report detailing how a large-scale phishing campaign stole passwords, hijacked sign-in sessions and bypassed the authentication process even when multi-factor authentication (MFA) was enabled.