This process hollowing technique works by launching a second process and replacing its in-memory contents with malicious code, so the payload runs under the cover of a legitimate-looking process. Specific arguments are required to trigger the malicious behaviour.
What did the researchers find?
Security experts from Trend Micro observed an increase in Monero mining malware recently. This particular campaign used process hollowing and a dropper component.
The infection routine
The dropper is a 64-bit binary that is packed with malicious code.
“Once executed with the correct arguments, the dropper drops and executes wakecobs.exe, a child process that will be created in a suspended state. Its memory will be unmapped and the dropper will then inject the malicious code onto it: an XMRig miner that runs unnoticed in the background,” say researchers.
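The sequence the researchers describe (child created suspended, image unmapped, code written in, thread resumed) is what a detection rule can key on. The following is an added example, not Trend Micro's code or data: it correlates constructed API-hook telemetry in a hypothetical (caller PID, API, target PID, detail) record format and flags children that go through all three hollowing stages in order.

```python
"""Flag child processes matching the process-hollowing pattern described above.
The events are constructed sample telemetry in a hypothetical EDR/sandbox
API-hook format (caller_pid, api_name, target_pid, detail); they are not
real data from the campaign."""

# Constructed sample events: the first block mirrors the described routine,
# the second is a benign suspend/resume with nothing written into the child.
SAMPLE_EVENTS = [
    (1000, "CreateProcess", 2000, {"image": "wakecobs.exe", "flags": "CREATE_SUSPENDED"}),
    (1000, "NtUnmapViewOfSection", 2000, {}),
    (1000, "VirtualAllocEx", 2000, {"protect": "PAGE_EXECUTE_READWRITE"}),
    (1000, "WriteProcessMemory", 2000, {}),
    (1000, "SetThreadContext", 2000, {}),
    (1000, "ResumeThread", 2000, {}),
    (1000, "CreateProcess", 2001, {"image": "notepad.exe", "flags": "CREATE_SUSPENDED"}),
    (1000, "ResumeThread", 2001, {}),
]

# Stages that must be observed, in this order, from the creating process
# against a child it created in the suspended state.
HOLLOW_STAGES = ("NtUnmapViewOfSection", "WriteProcessMemory", "ResumeThread")


def find_hollowed(events):
    """Return one record per child whose creator suspended it, unmapped its
    image, wrote into it and then resumed it (in that order)."""
    suspended = {}   # child pid -> (creator pid, image name)
    progress = {}    # child pid -> index of the next expected stage
    hits = []
    for caller, api, target, detail in events:
        if api == "CreateProcess" and "CREATE_SUSPENDED" in detail.get("flags", ""):
            suspended[target] = (caller, detail.get("image", "?"))
            progress[target] = 0
            continue
        # Only the process that created the suspended child is of interest.
        if target not in suspended or caller != suspended[target][0]:
            continue
        stage = progress[target]
        if stage < len(HOLLOW_STAGES) and api == HOLLOW_STAGES[stage]:
            progress[target] = stage + 1
            if progress[target] == len(HOLLOW_STAGES):
                parent, image = suspended[target]
                hits.append({"child_pid": target, "parent_pid": parent, "image": image})
    return hits


if __name__ == "__main__":
    for hit in find_hollowed(SAMPLE_EVENTS):
        print("possible process hollowing:", hit)
```

Only the wakecobs.exe child is reported; the notepad.exe child is created suspended and resumed without any unmap or write, so it never completes the sequence.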
Expert opinion
Researchers speculate that this campaign may have emerged at a time when cryptomining activity is on the decline, because there are now fewer competitors.
It is quite easy for other cybercriminals to adopt this technique as well. Organizations must implement appropriate measures to ensure that their resources are not compromised by such threats.