Linux targeted by illicit cryptocurrency miners

Illicit cryptocurrency mining, also known as cryptojacking, continues to gain momentum, with 98.8% of common Linux/Downloader malware variants in the first quarter of 2018 designed to deliver a Linux-based cryptocurrency miner.

This is a key finding of the latest Internet security report from WatchGuard Technologies, further underlining that crypto-mining malware is becoming a top tactic among cyber criminals.

Although cryptocurrency miners did not make Watchguard’s top 10 list, the report said there are many indicators that malware designed to steal processing power to mine cryptocurrency is on the rise.

The report details delivery mechanisms for crypto-miner attacks and explores other prevalent security threats targeting small to medium-sized businesses (SMBs) and distributed enterprises.

The findings are based on anonymised threat intelligence from nearly 40,000 active WatchGuard unified threat management (UTM) appliances worldwide, which blocked more than 23 million malware variants – an average of 628 per device – and more than 10 million network attacks (278 per device) in the first quarter of 2018.

“Our Threat Lab team has uncovered multiple indicators that suggest malicious crypto-miners are becoming a mainstay in cyber criminals’ arsenals and will continue to grow more dominant,” said Corey Nachreiner, chief technology officer at WatchGuard Technologies.

“While ransomware and other advanced threats are still a major concern, these new crypto-miner attacks illustrate that bad actors are constantly adjusting their tactics to find new ways to take advantage of their victims.”

According to Nachreiner, nearly half of all malware observed (46%) was able to slip past basic signature-based antivirus systems, which suggests criminals are continuing to use obfuscation to beat traditional antivirus technologies.

“One way that every organisation can become more secure against these sophisticated, evasive threats is to deploy defences enabled with advanced malware prevention,” he said.

WatchGuard UTM appliances block malware by combining legacy signature-based detection techniques with proactive behavioural detection technology.

The report found that for the first time, the Asia-Pacific (APAC) region accounted for the highest malware volume. In past reports, APAC has trailed the Europe, Middle-East and Africa (Emea) region and the Americas in the number of reported malware hits, by a wide margin. But in the first quarter, APAC received the most malware overall and the vast majority of these attacks were Windows-based malware and 98% were aimed at India and Singapore.

However, the report found that although malware using the publicly available Mimikatz tool to obtain credentials of all Windows users in plaintext, including local administrators and domain users, is widely used in the US, this approach is uncommon in APAC.

The report said the use of Mimikatz reappeared on WatchGuard’s top 10 malware list after several quarters of absence, with two-thirds of the detections in the US, while less than 0.1% of detections were in APAC, possibly because of the complexity of double-byte characters in countries such as Japan, which use a symbol-based language for passwords.

The Ramnit Trojan also reappeared for the first time since a brief resurgence in 2016, the report said, with 98.9% of WatchGuard’s Ramnit detections in the first quarter of the year being from Italy, indicating a targeted attack campaign.