Cryptojacking schemes are getting more and more intricate by the day. It appears hackers are now disguising cryptocurrency mining malware and passing it off as legitimate Windows installation packages.
Researchers say the malicious code, more commonly known as Coinminer, was specifically designed to fly under the radar. What makes the attack particularly difficult to detect is that it uses a series of obfuscation methods.
The discovery comes from security firm Trend Micro, which has since documented the attack vector in more detail.
“The malware arrives on the victim’s machine as a Windows Installer MSI file, which is significant because Windows Installer is a legitimate application used to install software,” the report reads. “Using a real Windows component makes it look less suspicious and potentially allows it to bypass certain security filters.”
The hackers’ trickery doesn’t stop there, however.
The researchers note that, once installed, the malware’s directory contains several decoy files. Among other things, the installer ships with a script that kills any anti-malware processes running on the infected machine, as well as the actual cryptocurrency mining module.
The researchers also observed that the malware has a built-in self-destruct mechanism to cover its tracks.
“To make detection and analysis much more difficult, the malware also comes with a self-destruct mechanism,” the report says. “It deletes every file under its installation directory and removes any trace of installation in the system.”
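The chain the report describes (an MSI install, a script that tampers with security tooling, then deletion of the whole installation directory) is something a defender can look for by correlating endpoint telemetry rather than by matching any one file. The script below is an added illustration written for this article, not Trend Micro’s code or detection logic. The event format, field names, sample paths and process names are all constructed for the example; a real deployment would map them onto whatever the EDR or Sysmon pipeline actually emits.

```python
"""Correlate constructed endpoint events to flag the pattern described above:
an MSI install into a user-writable directory, a child process that stops or
kills security tooling, and deletion of the install directory soon afterwards.
Every event line, path and process name here is constructed sample data; the
event schema is an assumption for the example, not any vendor's format."""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry as JSON lines. First product mimics the coinminer
# chain; the second is an ordinary install that should not be flagged.
SAMPLE_EVENTS = r"""
{"ts":"2019-03-01T10:00:00","type":"msi_install","product":"Update Helper","dir":"C:\\Users\\bob\\AppData\\Local\\Temp\\upd"}
{"ts":"2019-03-01T10:00:05","type":"process","cmd":"cmd.exe /c taskkill /f /im msmpeng.exe","cwd":"C:\\Users\\bob\\AppData\\Local\\Temp\\upd"}
{"ts":"2019-03-01T10:00:07","type":"process","cmd":"C:\\Users\\bob\\AppData\\Local\\Temp\\upd\\miner.exe","cwd":"C:\\Users\\bob\\AppData\\Local\\Temp\\upd"}
{"ts":"2019-03-01T10:02:00","type":"file_delete","path":"C:\\Users\\bob\\AppData\\Local\\Temp\\upd\\miner.exe"}
{"ts":"2019-03-01T10:02:01","type":"file_delete","path":"C:\\Users\\bob\\AppData\\Local\\Temp\\upd"}
{"ts":"2019-03-01T11:00:00","type":"msi_install","product":"7-Zip","dir":"C:\\Program Files\\7-Zip"}
{"ts":"2019-03-01T11:00:03","type":"process","cmd":"C:\\Program Files\\7-Zip\\7zFM.exe","cwd":"C:\\Program Files\\7-Zip"}
"""

WINDOW = timedelta(minutes=10)  # how long after the install we keep correlating
# Locations an unprivileged user can write to; installs here deserve more scrutiny.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Command fragments that stop or kill processes/services (the "anti-anti-malware" script).
TAMPER_MARKERS = ("taskkill", "net stop", "sc stop", "stop-service", "stop-process")


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _norm(path):
    return path.lower().rstrip("\\")


def under(path, directory):
    """True if path is the directory itself or something inside it."""
    p, d = _norm(path), _norm(directory)
    return p == d or p.startswith(d + "\\")


def correlate(events):
    """Return one finding per MSI install that shows at least two of the three
    indicators: user-writable install dir, security-tool tampering launched from
    that dir, and deletion of the install dir itself (self-destruct)."""
    findings = []
    for inst in (e for e in events if e["type"] == "msi_install"):
        d = inst["dir"]
        window = [e for e in events if inst["ts"] <= e["ts"] <= inst["ts"] + WINDOW]
        indicators = []
        if _norm(d).startswith(USER_WRITABLE):
            indicators.append("install_dir_user_writable")
        if any(e["type"] == "process" and under(e.get("cwd", ""), d)
               and any(m in e["cmd"].lower() for m in TAMPER_MARKERS)
               for e in window):
            indicators.append("security_tool_tampering")
        if any(e["type"] == "file_delete" and _norm(e["path"]) == _norm(d)
               for e in window):
            indicators.append("install_dir_self_deleted")
        if len(indicators) >= 2:
            findings.append({"product": inst["product"], "dir": d,
                             "installed_at": inst["ts"].isoformat(),
                             "indicators": indicators})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {f['product']!r} in {f['dir']}: {', '.join(f['indicators'])}")
```

Requiring two of three indicators keeps a lone `taskkill` in a temp directory, or a legitimate uninstaller removing its own folder, from firing on its own; the self-destruct step the report highlights is exactly what makes post-hoc disk forensics weak, so catching the deletion event while it happens, and keeping the correlated telemetry off the host, is the point of the exercise.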
While Trend Micro has been unable to link the attack to a specific country, it notes the installer uses Cyrillic. In all fairness, though, Cyrillic seems to be fairly popular among cryptocurrency criminals.