Cybersecurity firm Cyberbit has discovered a cryptocurrency-mining infection, the XMRig Monero miner, installed on more than 50% of the workstations of an international airport in Europe.
Cyberbit researchers found the malware while running the firm's Endpoint Detection and Response (EDR) platform, together with its advanced behavioral detection and threat-hunting program, at the airport, according to a report published on Thursday.
During a standard rollout, Cyberbit installed its kernel-level EDR agents on the airport's workstations. The agents collected endpoint activity, which was centralized in a big-data repository and analyzed with a set of behavioral algorithms.
While examining the collected data, the behavioral engine alerted on a suspicious tool, PAExec (a freely redistributable PsExec-style utility for launching programs on remote Windows hosts), which had been used multiple times in a short period to launch another application. According to Cyberbit, "the use of PAExec is often an indication of malicious activity, moreover the repeated use of the tool."
"The malware was suspected to be a Bitcoin miner because of its behavior of executing multiple processes over a short timeframe, typical of a miner using system resources for its calculations," Cyberbit noted.
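As an added illustration (not Cyberbit's engine or any logic from the report), the following Python sketch shows how a simple frequency rule over Sysmon-style process-creation events can surface the two behaviors described above: PAExec launched several times on one host within a short window, and a single parent spawning a burst of child processes. The hosts, paths and timestamps are constructed for the example, and the thresholds are assumptions rather than values taken from the report.

```python
"""Burst-frequency detection over process-creation telemetry (added example).

The events mimic the fields of Windows Sysmon Event ID 1 (ProcessCreate):
UtcTime, Computer, ParentImage, Image. Everything below is constructed for
illustration; the thresholds are assumptions, not values from any vendor.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: every host, path and timestamp is invented.
SAMPLE_EVENTS = [
    # An infected host: PAExec fires three times in 21 s, then the launched
    # binary spawns five children within a few seconds.
    ("2019-10-10 08:00:01", "WS-GATE-12", r"C:\Windows\System32\services.exe", r"C:\Windows\Temp\paexec.exe"),
    ("2019-10-10 08:00:09", "WS-GATE-12", r"C:\Windows\System32\services.exe", r"C:\Windows\Temp\paexec.exe"),
    ("2019-10-10 08:00:22", "WS-GATE-12", r"C:\Windows\System32\services.exe", r"C:\Windows\Temp\paexec.exe"),
    ("2019-10-10 08:00:23", "WS-GATE-12", r"C:\Windows\Temp\paexec.exe", r"C:\ProgramData\svc\update.exe"),
    ("2019-10-10 08:00:24", "WS-GATE-12", r"C:\ProgramData\svc\update.exe", r"C:\Windows\System32\cmd.exe"),
    ("2019-10-10 08:00:25", "WS-GATE-12", r"C:\ProgramData\svc\update.exe", r"C:\Windows\System32\cmd.exe"),
    ("2019-10-10 08:00:26", "WS-GATE-12", r"C:\ProgramData\svc\update.exe", r"C:\Windows\System32\cmd.exe"),
    ("2019-10-10 08:00:27", "WS-GATE-12", r"C:\ProgramData\svc\update.exe", r"C:\Windows\System32\cmd.exe"),
    ("2019-10-10 08:00:28", "WS-GATE-12", r"C:\ProgramData\svc\update.exe", r"C:\Windows\System32\cmd.exe"),
    # A benign host: an administrator runs PAExec twice, hours apart.
    ("2019-10-10 09:15:00", "WS-ADMIN-01", r"C:\Windows\explorer.exe", r"C:\Tools\paexec.exe"),
    ("2019-10-10 11:40:00", "WS-ADMIN-01", r"C:\Windows\explorer.exe", r"C:\Tools\paexec.exe"),
]

# Assumed thresholds: (minimum event count, window in seconds).
PAEXEC_BURST = (3, 120)  # >= 3 PAExec launches on one host within 120 s
CHILD_BURST = (5, 60)    # >= 5 children of one parent image within 60 s


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def _densest_window(times, window_s):
    """Sliding window over timestamps: return (count, first, last) for the
    window of length window_s that holds the most events."""
    times = sorted(times)
    best = (0, None, None)
    left = 0
    for right, t in enumerate(times):
        # Advance the left edge until the window fits inside window_s.
        while t - times[left] > timedelta(seconds=window_s):
            left += 1
        count = right - left + 1
        if count > best[0]:
            best = (count, times[left], t)
    return best


def detect(events):
    """Return a list of alert dicts for hosts that trip either burst rule."""
    paexec_by_host = defaultdict(list)          # host -> PAExec launch times
    children_by_parent = defaultdict(list)      # (host, parent) -> child launch times
    for ts, host, parent, image in events:
        t = _parse(ts)
        if image.lower().endswith("\\paexec.exe"):
            paexec_by_host[host].append(t)
        children_by_parent[(host, parent.lower())].append(t)

    alerts = []
    thr, win = PAEXEC_BURST
    for host, times in paexec_by_host.items():
        count, first, last = _densest_window(times, win)
        if count >= thr:
            alerts.append({"host": host, "rule": "paexec_burst",
                           "count": count, "first": first, "last": last})

    thr, win = CHILD_BURST
    for (host, parent), times in children_by_parent.items():
        count, first, last = _densest_window(times, win)
        if count >= thr:
            alerts.append({"host": host, "rule": "child_process_burst",
                           "parent": parent, "count": count,
                           "first": first, "last": last})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data only WS-GATE-12 produces alerts, once for the PAExec burst and once for the child-process burst; the administrator's two isolated PAExec runs on WS-ADMIN-01 stay below threshold. In practice the thresholds would be tuned per environment, since legitimate software-distribution tooling can also launch PAExec or PsExec in quick succession.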
The engine also detected that the attacker used reflective DLL loading to conceal the loading of malicious code. The technique maps a DLL into a process's memory without going through the Windows loader, so the library never has to be written to disk and file-based antivirus scanning never gets a chance to inspect it.
Together, the two suspicious behaviors produced a high-priority EDR alert that required further investigation. After in-depth analysis, the team linked the malware to the Anti-CoinMiner campaign previously reported by Zscaler in August 2018.
The finding raises concerns about how easily malicious software can be installed within corporate networks that rely on antivirus alone. "All workstations in the airport ran an industry-standard AV solution, which did not detect the malicious activity," per the report.
Based on this, the malware is believed to have been active for months. Because it was a crypto miner, its business impact was relatively minor; even so, the infection degraded quality of service, caused service interruptions, and significantly increased power consumption throughout the airport.