Security researchers uncovered crypto-mining malware that affected over 50% of the systems of an unnamed European airport
Cyberbit's research team detected a new strain of malware that was mining Monero cryptocurrency on more than 50% of the affected airport's computers. The analyzed malware turned out to be related to the XMRig-based Anti-CoinMiner campaign described by Zscaler back in August 2018, in which malicious programs were spread through phishing websites that claimed to protect users from crypto-mining malware.
Researchers reported that the findings "raised concerns," as the malware was able to invade a large portion of the systems without being stopped, despite anti-virus programs with a real-time protection feature being present on all machines. The malicious activity was noticed only because of the behavioral analysis performed by Endpoint Detection and Response (EDR) technology.
While the malware was contained, it is still unknown how long it stayed on the infected machines, as Cyberbit's Endpoint Detection and Response software had not been deployed before. For this reason, the implications of the attack might be significant: the attackers may have accessed sensitive information stored on the airport's systems, which puts several of the airport's operations at risk:
In a worst-case scenario, attackers could have breached the IT network as a means to hop onto the airport’s OT network in order to compromise critical operational systems ranging from runway lights to baggage handling machines and the air-train, to name a few of the many standard airport OT systems that could be cyber-sabotaged to cause catastrophic physical damage.
Repeated launches of PAExec redistributable allowed Cyberbit's EDR to detect malware
The malware leveraged a version of PsExec (a legitimate Microsoft tool that allows executing processes on remote systems), which the attackers launched repeatedly:
During this process, our behavioral engine alerted on suspicious use of the PAExec tool. The tool was used multiple times over a short period to launch an application named player.exe. PAExec is a redistributable version of Microsoft's PSExec, used for running Windows programs on remote systems without having to physically install software on these systems. The use of PAExec is often an indication of malicious activity, and even more so the repeated use of the tool.
The component allowed the attackers to escalate privileges on the host system and, besides launching the malicious executable player.exe, also enabled Reflective DLL Loading, a technique that injects a DLL into a process directly from memory without writing it to disk, which helps it evade file-based anti-virus detection.
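As an added illustration (not Cyberbit's code and not taken from the report), the following Python script shows the kind of behavioral rule described above: it parses constructed process-creation events and alerts when PAExec or PsExec launches the same program on one host several times within a short window. The log line format, host names, file paths, threshold and window length are all assumptions.

```python
import ntpath
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real airport logs) in an assumed "key=value"
# format modelled on the parent/child fields of a process-creation event.
SAMPLE_EVENTS = """\
2019-10-16T09:12:01Z host=WS-17 parent=C:\\Tools\\paexec.exe child=C:\\Users\\Public\\player.exe
2019-10-16T09:12:04Z host=WS-17 parent=C:\\Tools\\paexec.exe child=C:\\Users\\Public\\player.exe
2019-10-16T09:12:09Z host=WS-17 parent=C:\\Tools\\paexec.exe child=C:\\Users\\Public\\player.exe
2019-10-16T09:12:30Z host=WS-02 parent=C:\\Windows\\explorer.exe child=C:\\Apps\\viewer.exe
2019-10-16T10:05:00Z host=WS-02 parent=C:\\Tools\\paexec.exe child=C:\\Windows\\System32\\cmd.exe
2019-10-16T11:40:00Z host=WS-02 parent=C:\\Tools\\paexec.exe child=C:\\Windows\\System32\\cmd.exe
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) parent=(.+?) child=(.+)$")
# Remote-execution launchers whose repeated use the rule watches for.
LAUNCHER_NAMES = {"paexec.exe", "psexec.exe"}


def parse_events(text):
    """Parse log lines into (timestamp, host, parent_path, child_path) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole batch
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_repeated_remote_exec(events, threshold=3, window=timedelta(minutes=5)):
    """Alert once per (host, child) when a launcher starts the same child
    program at least `threshold` times within a sliding `window`."""
    recent = defaultdict(deque)  # (host, child) -> timestamps inside the window
    alerts, alerted = [], set()
    for ts, host, parent, child in sorted(events):
        if ntpath.basename(parent).lower() not in LAUNCHER_NAMES:
            continue
        key = (host, ntpath.basename(child).lower())
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop launches older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": host, "child": key[1], "count": len(q),
                           "first": q[0], "last": ts})
    return alerts


def run_sample():
    return detect_repeated_remote_exec(parse_events(SAMPLE_EVENTS))
```

Only WS-17 trips the rule: the two PAExec launches of cmd.exe on WS-02 are more than an hour apart, so they never accumulate inside the window.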
Cyberbit's researchers said that, even though the malware was first discovered over a year ago, a few modifications to its code were enough to keep detection rates low: only 16 out of 73 vendors detected the sample analyzed by the security firm.
Both of the mentioned techniques triggered Cyberbit's EDR behavioral analysis alarms, which consequently allowed the attack to be stopped. Fortunately, apart from increased electricity consumption and slower performance of the infected systems, the airport's operations were not disrupted by the incident.
Fileless infection is becoming a huge problem for security solutions
The fileless infection method is becoming more prevalent among cybercriminals. Just recently, Microsoft reported on Nodersok, fileless malware that brings its own LOLBins (living-off-the-land binaries) to perform its tasks. That malware was also contained with the help of behavioral analysis, as in this case.
Precisely for this reason, Cyberbit's security experts urge organizations to take care of their systems' security, not to limit their security measures to anti-virus software alone, and to employ solutions capable of detecting post-infection indicators:
We advise corporate customers not to rely on AV alone. To reach an optimal combination of prevention and detection, we strongly suggest complementing AV with EDR, which uses behavioral analysis (which doesn’t rely on signatures or IoCs). With the increased convergence of IT and OT networks, we strongly urge airports to also ramp up the protection of their OT network, which is used to control physical airport systems.
This incident, however, raises the broader question of whether other airports and organizations in other industries are affected by similar malware, which could potentially let attackers hijack their systems and put people's lives at risk.