Hackers are using cryptojacking malware as a cover for more serious attacks, according to a report published by security researchers at Microsoft.
In a paper published by the tech company’s intelligence team, malicious actors are fronting attacks with cryptojacking scripts to present a decoy from more significant attacks, namely credential theft.
The report identifies a malicious group called BISMUTH, which has attacked a number of targets linked to governments in Vietnam and France in recent weeks. Ostensibly these have presented as cryptojacking attacks, harnessing excess processing power to mine for digital currency.
However, the report says this is merely generating incidental income for the group, while they focus on the real target of their efforts—the theft of credentials which allow access to sensitive government systems.
The group have deployed the attacks using a cryptojacking script that mines for Monero, the secretive privacy coin often associated with hacking attacks and illegality. According to the researchers, the script is somewhat more conspicuous than they would ordinarily expect, with minimal efforts made to cover tracks.
The paper said this strategy “allowed BISMUTH to hide its more nefarious activities behind threats that may be perceived to be less alarming because they’re ‘commodity’ malware.”
According to Microsoft, this fits the group’s preferred MO, one of “hiding in plain sight.” The report concludes by urging organizations to be aware of the risks of cryptojacking as a decoy, and to take steps to identify and prevent attacks of this kind from taking hold.
Monero cryptojacking as an attack in its own right has exploded in recent years, infecting systems around the world to divert processing power to mining cryptocurrency for hacking groups.
The more sophisticated style exhibited by BISMUTH is further cause for concern for organizations safeguarding sensitive state information, as well as threatening core systems for public administration.