On January 17 2019, Symantec discovered several potentially unwanted applications (PUAs) on the Microsoft Store that surreptitiously use the victim’s CPU power to mine cryptocurrency.
Symantec immediately reported these apps to Microsoft and they subsequently removed them from their store.

The apps, which included those for computer and battery optimization tutorial, internet search, web browsers, and video viewing and download, came from three developers: DigiDream, 1clean, and Findoo. In total, we discovered eight apps from these developers that shared the same risky behavior. After further investigation, we believe that all these apps were likely developed by the same person or group.

Users may get introduced to these apps through the top free apps lists on the Microsoft Store or through keyword search. The samples found run on Windows 10, including Windows 10 S Mode. As soon as the apps are downloaded and launched, they fetch a coin-mining JavaScript library by triggering Google Tag Manager (GTM) in their domain servers. The mining script then gets activated and begins using the majority of the computer’s CPU cycles to mine Monero for the operators. Although these apps appear to provide privacy policies, there is no mention of coin mining on their descriptions on the app store.

The apps were published between April and December 2018, with most of them published toward the end of the year. Even though the apps were on the app store for a relatively short period of time, a significant number of users may have downloaded them. Although Symantec can’t get exact download or installation counts, there were almost 1,900 ratings posted for these apps.

However, app ratings can be fraudulently inflated, so it is difficult to know how many users really downloaded these apps.

When each app is launched, the domain is silently visited in the background and triggers GTM with a key, which is shared across all eight applications.
GTM is a legitimate tool that allows developers to inject JavaScript dynamically into their applications. However, GTM can be abused to conceal malicious or risky behaviors. By monitoring the network traffic from these apps, Symantec found that they all connected to the same remote location, which is a coin-mining JavaScript library. The apps then access their own GTM and activate the mining script.

After decoded, Symantec found that it was a version of the Coinhive library. Coinhive is a script that mines Monero. Since the Coinhive service was launched in September 2017, there have been many reports of it being used for cryptojacking without site visitors’ knowledge.

Symantec also investigated the miner activation code on GTM, and the key source code and observed that the miner crawls with a key which serves as the wallet for Coinhive. These apps fall under the category of Progressive Web Applications, which are installed as a Windows 10 app running independently from the browser, in a standalone window.

From the apps’ network traffic, Symantec found the hosting server for each app. Through a Whois query, it was found that all of these servers actually have the same origin. Therefore, these apps were most likely published by the same developers using different names.

Microsoft and Google were immediately informed by Symantec about these apps’ behaviors. Microsoft has removed the apps from their store. The mining JavaScript has also been removed from Google Tag Manager.

The post Cryptojacking Apps Found on Microsoft Store appeared first on Shane the Gamer.

Cyber criminals are rapidly adding cryptojacking to their arsenal and creating a highly profitable new revenue stream, as the ransomware market becomes overpriced and overcrowded, according to Symantec’s Internet Security Threat Report (ISTR), Volume 23, released today.

“Cryptojacking is a rising threat to cyber and personal security,” said Mike Fey, president and COO, Symantec. “The massive profit incentive puts people, devices and organisations at risk of unauthorised coinminers siphoning resources from their systems, further motivating criminals to infiltrate everything from home PCs to giant data centres.”

Symantec’s ISTR provides a comprehensive view of the threat landscape, including insights into global threat activity, cyber criminal trends and motivations for attackers. The report analyses data from the Symantec Global Intelligence Network, the largest civilian threat collection network in the world which tracks over 700,000 global adversaries, records events from 126.5 million attack sensors worldwide, and monitors threat activities in over 157 countries and territories.

During the past year, an astronomical rise in cryptocurrency values triggered a cryptojacking gold rush with cyber criminals attempting to cash in on a volatile market. Detections of coinminers on endpoint computers increased by 8,500 percent in 2017.

With a low barrier of entry – only requiring a couple lines of code to operate – cyber criminals are harnessing stolen processing power and cloud CPU usage from consumers and enterprises to mine cryptocurrency. Coinminers can slow devices, overheat batteries, and in some cases, render devices unusable. For enterprise organisations, coinminers can put corporate networks at risk of shutdown and inflate cloud CPU usage, adding cost.

“Now you could be fighting for resources on your phone, computer or IoT device as attackers use them for profit,” said Kevin Haley, director, Symantec Security Response. “People need to expand their defences or they will pay for the price for someone else using their device.”

IoT devices continue to be ripe targets for exploitation. Symantec found a 600 percent increase in overall IoT attacks in 2017, which means that cyber criminals could exploit the connected nature of these devices to mine en masse. Macs are not immune either with Symantec detecting an 80 percent increase in coin mining attacks against Mac OS. By leveraging browser-based attacks, criminals do not need to download malware to a victim’s Mac or PC to carry out cyber attacks.

The number of targeted attack groups is on the rise with Symantec now tracking 140 organised groups. Last year, 71 percent of all targeted attacks started with spear phishing – the oldest trick in the book – to infect their victims. As targeted attack groups continue to leverage tried and true tactics to infiltrate organisations, the use of zero-day threats is falling out of favour. Only 27 percent of targeted attack groups have been known to use zero-day vulnerabilities at any point in the past.

The security industry has long discussed what type of destruction might be possible with cyber attacks. This conversation has now moved beyond the theoretical, with one in ten targeted attack groups using malware designed to disrupt.

Symantec identified a 200 percent increase in attackers injecting malware implants into the software supply chain in 2017. That’s equivalent to one attack every month as compared to four attacks the previous year. Hijacking software updates provides attackers with an entry point for compromising well-guarded networks. The Petya outbreak was the most notable example of a supply chain attack. After using Ukrainian accounting software as the point of entry, Petya used a variety of methods to spread laterally across corporate networks to deploy its malicious payload.

Threats in the mobile space continue to grow year-over-year, including the number of new mobile malware variants which increased by 54 percent. Symantec blocked an average of 24,000 malicious mobile applications each day last year. As older operating systems continue to be in use, this problem is exacerbated. For example, with the Android operating system, only 20 percent of devices are running the newest version and only 2.3 percent are on the latest minor release.

Mobile users also face privacy risks from grayware apps that aren’t completely malicious but can be troublesome. Symantec found that 63 percent of grayware apps leak the device’s phone number. With grayware increasing by 20 percent in 2017, this isn’t a problem that’s going away.

In 2016, the profitability of ransomware led to a crowded market. In 2017, the market made a correction, lowering the average ransom cost to US$522 and signaling that ransomware has become a commodity. Many cyber criminals may have shifted their focus to coin mining as an alternative to cashing in while cryptocurrency values are high.

Additionally, while the number of ransomware families decreased, the number of ransomware variants increased by 46 percent, indicating that criminal groups are innovating less but are still very productive.

The post Cryptojacking Skyrockets to the Top of the Attacker Toolkit appeared first on Shane the Gamer.