New Cryptojacking Malware Campaign Evades Detection using Process Hollowing

  • Researchers have spotted a new malware campaign that is mining for the Monero cryptocurrency. The campaign deploys Monero miner on Windows installations.
  • To evade detection, this campaign was seen to be using the process hollowing technique.

This process hollowing technique works by covering up a process with a secondary process. Specific arguments are required to trigger the malicious processes.

What did the researchers find?

Security experts from Trend Micro observed an increase in Monero mining malware recently. This particular campaign used process hollowing and a dropper component.

  • By itself, the dropped file evaded detection as it did not appear malicious in any way.
  • However, with the right arguments, it would start mining for the Monero cryptocurrency.
  • The campaign was recorded to be active in a number of countries including Kuwait, Pakistan, India, Thailand, Brazil, Bangladesh, and the United Arab Emirates. Its most active period is said to have begun in early November this year.

The infection routine

The dropper is a 64-bit binary that is packed with malicious code.

  • It checks for certain arguments upon execution and verifies them after unpacking.
  • The names of the functions used for malicious processes are also obfuscated.

“Once executed with the correct arguments, the dropper drops and executes wakecobs.exe, a child process that will be created in a suspended state. Its memory will be unmapped and the dropper will then inject the malicious code onto it: an XMRig miner that runs unnoticed in the background,” say researchers.

Expert opinion

Researchers speculate that this campaign may have emerged at a time when cryptomining activities are on the decline, owing to the lesser number of competitors.

It is quite easy for other cybercriminals to take over this technique as well. Organizations must implement appropriate measures to ensure that its resources are not compromised by such threats.