A new cryptojacking threat is using “drive-by” infection techniques to install Monero (XMR) mining software, leeching processing power from ordinary users’ computers. According to Netskope, a cloud application analytics firm, the ‘Xbooster’ malware is hosted on the Amazon Web Services (AWS) cloud and can be downloaded unintentionally when a user clicks on a “drive-by download” link, usually contained in a phishing e-mail or on a compromised website. As soon as this happens, a command-and-control server delivers two programs: a Monero miner and a manager component that connects back to the server.
Monero is the hackers’ currency of choice because it sits in a “sweet spot” between energy consumption and monetary gain. While bitcoin mining can be easily identified by a sudden surge in electricity consumption, as recently happened in the Chinese city of Tianjin, Monero mining can go relatively unnoticed. So far, the Xbooster hackers have managed to harvest around $100,000 worth of Monero by infecting Windows systems.
A spokesman for AWS said that the service “employs a number of mitigation techniques, both manual and automated, to prevent the misuse of the services. [AWS] has automatic systems in place that detect and block many attacks before they leave our infrastructure. Our terms of usage are clear and when we find misuse we take action quickly and shut it down.”
The malware’s CPU usage is so low, however, that both users and security firms are finding it hard to identify and eliminate the threat. Netskope, which originally discovered the malware, is still unable to identify and locate the hackers. According to the Netskope founder Krishna Narayanaswamy, everyday consumers can mitigate the threat by relying on “endpoint security”.
According to a study by IBM Managed Security Services, hacking related to digital currency mining has increased over the past year. Last year, Starbucks customers in Argentina had their devices compromised once they connected to the cafe’s wi-fi network. In May, several months after the Starbucks incident, hackers mined Monero by infecting over 300 sites using the Drupal content management system. Monero mining malware was also recently found on Macs, where users saw “a process named ‘mshelper’ gobbling up their CPU time like the Cookie Monster.” The developer reassured users by clarifying that the malware isn’t very sophisticated and is fairly easy to remove.
“It’s an ongoing issue and we need to educate people about adopting security solutions, it’s not going away,” Narayanaswamy said.
By Nadya Astam