Recently, several security teams have had to deal with crypto mining malware attacks, detected both in a WordPress plugin and at a European airport.
As far as the airport malware is concerned, the Cyberbit team found it on site during a security check. Using their EDR (Endpoint Detection and Response) tooling, the team found that more than 50% of the PCs had been infected with crypto mining malware.
From the report, it is clear that the incriminated file, player.exe, launched via the PAExec tool, allowed attackers to remotely access the computers, take control of them and install mining software.
As reported by the team, all the machines had a standard antivirus product installed and should, in theory, have been protected from this type of attack. This was not the case: malware is updated too, and finds new ways onto PCs that bypass traditional antivirus protections.
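One way to surface the pattern described above (a remote-execution admin tool such as PAExec spawning an unexpected binary) in process-creation telemetry, as an added example that is not from the original article or from Cyberbit; the log line format, field names, allowlists and sample events are assumptions constructed for the example:

```python
from typing import Dict, List

# Remote-execution helpers: legitimate admin tools, but in the airport
# incident PAExec was the parent that launched the miner dropper.
REMOTE_EXEC_PARENTS = {"paexec.exe", "psexesvc.exe"}
# Children an admin team expects from those helpers (assumed allowlist).
EXPECTED_CHILDREN = {"cmd.exe", "powershell.exe"}
# User-writable locations; a remote helper launching a binary from here
# deserves triage (assumed list).
WRITABLE_DIR_HINTS = ("\\temp\\", "\\appdata\\", "\\users\\public\\")

def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value key=value' line into a dict (constructed format)."""
    event = {}
    for token in line.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def why_suspicious(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event is worth triage; empty means benign."""
    parent = basename(event.get("parent", ""))
    image = event.get("image", "").lower()
    reasons = []
    if parent in REMOTE_EXEC_PARENTS:
        if basename(image) not in EXPECTED_CHILDREN:
            reasons.append(f"{parent} spawned unexpected child {basename(image)}")
        if any(hint in image for hint in WRITABLE_DIR_HINTS):
            reasons.append("child runs from a user-writable directory")
    return reasons

def flag_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return only the events with at least one reason, annotated with it."""
    flagged = []
    for event in map(parse_event, lines):
        reasons = why_suspicious(event)
        if reasons:
            flagged.append({**event, "reasons": "; ".join(reasons)})
    return flagged

# Constructed sample process-creation events, not real airport telemetry.
SAMPLE_LOG = [
    "host=KIOSK-07 parent=C:\\Tools\\PAExec.exe image=C:\\Windows\\Temp\\player.exe user=SYSTEM",
    "host=KIOSK-07 parent=C:\\Tools\\PAExec.exe image=C:\\Windows\\System32\\cmd.exe user=SYSTEM",
    "host=KIOSK-12 parent=C:\\Windows\\explorer.exe image=C:\\Apps\\browser.exe user=alice",
]
```

Only the first sample event is flagged: PAExec spawning an allowlisted cmd.exe and explorer.exe launching a browser are left alone, which is the kind of parent/child rule an EDR can apply even when the child binary itself is unknown to antivirus signatures.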
Crypto malware: WordPress also under attack
A similar approach was used to place crypto malware inside a WordPress plugin. Through a website that contained the compromised plugin, wpframework, hackers were able to access the PCs on which the plugin was installed via a back door.
It is interesting to note that the plugin itself contained legitimate information, but the real crypto malware resided in its code and, given the appropriate commands, was able to bypass the system and install a bitcoin mining program.
Crypto malware can be hidden in unthinkable places: only recently, malware that mines Monero was discovered inside an audio file, and even an advanced facility like an airport cannot escape this kind of attack. It could have been even worse, as happened in recent months in Baltimore, where the malware in question, a ransomware, partially paralysed the city.