The cybersecurity products provider Cyberbit has recently reported that more than 50% of all computer systems at an international airport in Europe were infected by Monero mining malware.
The head of Cyberbit Research, Meir Brown, explained that this discovery of Monero mining malware took place recently, when the company installed one of its cybersecurity products at an international airport in Europe, whose name was not disclosed.
“Our researchers identified an interesting crypto mining infection, where cryptocurrency mining software was installed in more than 50% of the airport’s work stations”
The product deployed, Cyberbit EDR (Endpoint Detection and Response), is a platform for behavioral detection and threat hunting. According to Brown, analysis carried out after the EDR was deployed allowed them to associate the malware “with the Anti-CoinMiner campaign reported by Zscaler in August 2018.”
Brown added that the findings raise concerns about how easily this kind of malware can be installed on corporate networks and left running under the nose of the antivirus systems that are supposed to protect them.
Further analysis associated the sample with “CryptoMiner Variant #2 reported by Zscaler,” confirming that the file was an XMRig Monero miner. Brown noted that although this malware had been publicly reported since August of the previous year, only 16 of 73 detection products flagged the file as malicious; the sample “was modified enough to evade the vast majority of existing signatures.”
Brown’s assessment is that the miner took priority over every other application for workstation resources, degrading the performance of other applications and of airport facilities. Brown added that “the use of administrative privileges also reduced the ability of security tools to detect activity.”
“Because the malware turned out to be a cryptocurrency miner, its commercial impact was relatively minor, limited to performance degradation that led to reduced service quality and service interruptions, as well as a significant increase in energy consumption throughout the airport.”
Brown noted that the miner’s activity went undetected on every workstation, because the airport relied on a standard antivirus solution. Brown said they do not know how the malware reached the airport’s systems, and that the malware was removed “from the organization’s endpoints” and its execution blocked.
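The contrast the article draws is between signature matching, which a lightly modified XMRig build slips past, and behavioral detection, which keys on what the process does. The script below is an added illustration of that second approach and is not Cyberbit’s EDR logic: it scores constructed process telemetry on generic miner signals (a stratum pool URL or xmrig-style switches on the command line, an outbound connection to a common pool port, sustained CPU load, and an elevated process running from a user-writable directory) and alerts only when two or more independent signals coincide. The port list, CPU threshold and sample records are assumptions chosen for the example; the hosts are RFC 5737 documentation addresses and the wallet is a placeholder.

```python
"""Behaviour-based triage of process telemetry for CPU coin-miners.

Added illustration, not Cyberbit's EDR logic. The signals are generic
indicators of the activity described in the article; the port list,
thresholds and sample records are assumptions to be tuned per environment.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ports commonly exposed by Monero mining pools (illustrative, not exhaustive)
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}

# Stratum pool URLs and command-line switches characteristic of xmrig builds
STRATUM_RE = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)
XMRIG_SWITCHES = ("--donate-level", "--cpu-priority", "--nicehash", "rx/0", "--randomx")

# Directories an elevated process has no business running from
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class ProcessSample:
    pid: int
    image: str                      # full path of the executable
    cmdline: str
    user: str                       # account the process runs as
    elevated: bool                  # admin / SYSTEM token
    cpu_pct: List[float]            # one CPU sample per minute over the window
    connections: List[Tuple[str, int]] = field(default_factory=list)  # (remote host, port)


def sustained_cpu(samples: List[float], threshold: float = 80.0, min_minutes: int = 10) -> bool:
    """True if CPU stayed at or above threshold for min_minutes consecutive samples."""
    run = 0
    for s in samples:
        run = run + 1 if s >= threshold else 0
        if run >= min_minutes:
            return True
    return False


def score_process(p: ProcessSample) -> List[str]:
    """Independent behavioural signals for one process; none depends on the file hash."""
    reasons = []
    if STRATUM_RE.search(p.cmdline):
        reasons.append("stratum pool URL on command line")
    if any(sw in p.cmdline for sw in XMRIG_SWITCHES):
        reasons.append("xmrig-style command-line switches")
    if any(port in POOL_PORTS for _, port in p.connections):
        reasons.append("outbound connection to a common mining-pool port")
    if sustained_cpu(p.cpu_pct):
        reasons.append("sustained high CPU")
    if p.elevated and any(d in p.image.lower() for d in USER_WRITABLE):
        reasons.append("elevated process running from a user-writable path")
    return reasons


def triage(processes: List[ProcessSample], min_signals: int = 2) -> Dict[int, List[str]]:
    """Map pid -> reasons for processes tripping at least min_signals signals.

    Requiring two or more independent signals keeps a single busy but
    legitimate process (an encoder, a build job) from raising an alert.
    """
    alerts = {}
    for p in processes:
        reasons = score_process(p)
        if len(reasons) >= min_signals:
            alerts[p.pid] = reasons
    return alerts


# Constructed sample telemetry (assumed values, not captured from any real host)
SAMPLE_PROCESSES = [
    # A renamed xmrig build: the filename says svchost.exe, the behaviour says miner
    ProcessSample(
        pid=4120,
        image=r"C:\Users\ops\AppData\Roaming\svchost.exe",
        cmdline="svchost.exe -o stratum+tcp://203.0.113.10:3333 -u WALLET_PLACEHOLDER --donate-level 1",
        user="NT AUTHORITY\\SYSTEM",
        elevated=True,
        cpu_pct=[95.0] * 30,
        connections=[("203.0.113.10", 3333)],
    ),
    # A legitimate video encoder pegging the CPU: one signal only, no alert
    ProcessSample(
        pid=2210,
        image=r"C:\Program Files\VideoTools\encoder.exe",
        cmdline="encoder.exe -i raw.mov -o out.mkv --preset slow",
        user="AIRPORT\\jdoe",
        elevated=False,
        cpu_pct=[97.0] * 40,
    ),
    # The real svchost.exe: elevated, but from System32 with ordinary behaviour
    ProcessSample(
        pid=880,
        image=r"C:\Windows\System32\svchost.exe",
        cmdline="svchost.exe -k netsvcs -p",
        user="NT AUTHORITY\\SYSTEM",
        elevated=True,
        cpu_pct=[3.0] * 40,
        connections=[("203.0.113.20", 443)],
    ),
]


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_PROCESSES).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

Only the renamed miner trips the alert, on all five signals; the encoder trips one (CPU) and is ignored, and the genuine svchost.exe trips none. Note that nothing here looks at the binary’s hash or bytes, which is why the sixteen-of-seventy-three signature miss described above does not matter to it, and also why a miner that throttles itself or tunnels its pool traffic over 443 would need the CPU and port signals replaced by others (for instance inspecting the stratum JSON-RPC login on the wire).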
In late August, authorities in France dismantled a botnet (a network of compromised computers, or bots) responsible for installing unauthorized Monero (XMR) mining malware on computers in 140 countries, with its command infrastructure located in France. French cybersecurity officials announced the takedown of the botnet, some 850,000 infected machines, most of them in Latin America.
In early September, the multinational cybersecurity company and antivirus vendor Kaspersky announced the discovery of cryptocurrency mining malware “hiding” on websites where pirated books and essays are uploaded and downloaded. According to Kaspersky, “malware pretends to be a book or essay packaged in an executable file that allows the hacker’s command and control system to send other pieces of malware, including cryptocurrency miners and spam delivery systems, to an infected computer.”