How cyber criminals are cashing in on crypto

21 Jun 2022

Cryptocurrencies have become increasingly mainstream in recent years, and opportunistic threat actors have not been slow to cash in.

Long before the peak values recorded in 2021, Darktrace reported on the close relationship between the value of cryptocurrency and the prevalence of malicious crypto-mining activity, commonly referred to as ‘crypto-jacking’. Since then, we have reported crypto-jacking from botnets, rogue insiders, compromised IoT devices, and even as a precursor to ransomware.

Now, the Darktrace SOC team reports on how the prolific Sysrv botnet is evolving to evade traditional cyber defenses in order to mine cryptocurrency on vulnerable Internet-facing machines. By pivoting to Pastebin for command-and-control infrastructure, the malware is better able to stay hidden from tools that rely on signature-based threat detection: Pastebin is a legitimate, widely used service, so traffic to it blends in with ordinary web activity and matches none of the attacker-owned IP or domain indicators such tools look for.

Darktrace AI nonetheless recently identified a server compromised by Sysrv, even though the infection pre-dated deployment and the malicious activity was therefore already part of that host's own history. Darktrace autonomously grouped the server into a 'peer group' of similar devices and recognized its behavior as anomalous in comparison with the rest of that group. The same technique was used to find a pre-existing Trojan hiding in an energy grid in 2020.
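The two ideas above, a compromised host whose own history is already poisoned and a C2 channel that hides behind a legitimate domain, are what peer-group comparison is meant to catch. The following is an added illustration, not Darktrace's code or Sysrv's: it builds a destination profile per host from constructed connection records, compares each host against the union of its peers rather than against its own past, and flags the host whose destinations (a Pastebin fetch and a mining-pool stand-in) no peer has ever contacted. The host names, the `web`/`db` roles and `pool.example.net:3333` are invented for the example; a self-learning system would infer the peer groups from behaviour instead of reading them from an inventory.

```python
from collections import defaultdict

# Constructed sample flows: (source host, inventory role, destination, port).
# Roles are assumed to come from an asset inventory. All destinations are
# invented; "pool.example.net:3333" stands in for a mining pool.
SAMPLE_FLOWS = [
    ("web01", "web", "db01.internal", 5432),
    ("web01", "web", "updates.example.com", 443),
    ("web01", "web", "ntp.internal", 123),
    ("web02", "web", "db01.internal", 5432),
    ("web02", "web", "updates.example.com", 443),
    ("web02", "web", "ntp.internal", 123),
    ("web03", "web", "db01.internal", 5432),
    ("web03", "web", "updates.example.com", 443),
    ("web03", "web", "ntp.internal", 123),
    ("web03", "web", "pastebin.com", 443),       # payload / C2 staging over HTTPS
    ("web03", "web", "pool.example.net", 3333),  # mining-pool stand-in
    ("db01", "db", "backup.internal", 22),
]


def build_profiles(flows):
    """Map each host to the set of (destination, port) pairs it contacted."""
    profiles = defaultdict(set)
    for host, _role, dst, port in flows:
        profiles[host].add((dst, port))
    return profiles


def peer_groups(flows):
    """Group hosts by role (assumed known here; a self-learning system
    would cluster hosts on behaviour instead)."""
    groups = defaultdict(set)
    for host, role, _dst, _port in flows:
        groups[role].add(host)
    return groups


def novelty_scores(flows):
    """For every host that has at least one peer, return the fraction of its
    destinations that none of its peers ever contacted, and those destinations.

    The baseline is built from the peers only, never from the host itself, so
    a compromise that pre-dates monitoring still stands out unless most of
    the peer group is infected the same way.
    """
    profiles = build_profiles(flows)
    groups = peer_groups(flows)
    scores = {}
    for _role, hosts in groups.items():
        for host in hosts:
            peers = hosts - {host}
            if not peers:
                continue  # a group of one has no baseline to compare against
            baseline = set().union(*(profiles[p] for p in peers))
            novel = profiles[host] - baseline
            scores[host] = (len(novel) / len(profiles[host]), sorted(novel))
    return scores


def flag_outliers(flows, threshold=0.3):
    """Hosts whose share of peer-novel destinations exceeds the threshold."""
    return sorted(
        host for host, (ratio, _novel) in novelty_scores(flows).items()
        if ratio > threshold
    )


if __name__ == "__main__":
    for host, (ratio, novel) in sorted(novelty_scores(SAMPLE_FLOWS).items()):
        print(f"{host}: {ratio:.2f} novel, {novel}")
    print("flagged:", flag_outliers(SAMPLE_FLOWS))
```

Note what the output does not contain: `db01` is never scored, because a peer group of one has no baseline, which is why role inference and group size matter as much as the anomaly metric. The `pastebin.com:443` entry is flagged purely because the peers never touch it; no signature for Pastebin, the mining pool or the Sysrv binary is involved, which is the point of the behavioural approach described above.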

Evolution of the Sysrv botnet

The Sysrv botnet has a rich history of adopting new techniques in order to remain relevant. When the botnet was first identified in early 2020, it made its name through its use of the Go language ('Golang'), which allowed the malware authors to target multiple operating systems from a single codebase. While financially motivated cyber criminals have traditionally targeted the widely used Windows OS, the proliferation of Linux-based IoT devices has made them an attractive target, especially for those looking to make a quick buck from crypto-mining.

More recent Sysrv variants have come equipped with a host of exploits, ready to make the most of the diverse set of security holes they may encounter on exposed machines. Many are added to the malware's toolkit within days of a new vulnerability being publicly disclosed, which shows how quickly the operators turn published research into working attacks.

The botnet has also proven adaptable in which cryptocurrency it chooses to mine. The bots switched to Nano in 2021 during that currency's boom in value, but more recently reverted to Monero. Monero is a mainstream cryptocurrency and, like Bitcoin, is expected to hold its value better than smaller coins in the notoriously volatile crypto markets. Monero mining also has a technical advantage: its proof-of-work is designed to run efficiently on general-purpose CPUs. Other cryptocurrencies are mined most profitably on GPUs and ASICs, which are unlikely to be found in the server environments targeted by Sysrv.

The story of botnet malware such as Sysrv over the last few years shows the sophistication and creativity of cyber criminals out to cash in on crypto. These advancements and adaptations will continue to surface, but with the upcoming launch of Darktrace Prevent, defenders can prepare their organizations against the most sophisticated attacks.

With Darktrace Attack Surface Management, organizations discover potential weak points in their exposed environments and take action before attackers can. In the case of the Sysrv botnet, which preys on vulnerable Internet-facing machines, Attack Surface Management can identify those exposed machines so that defenses can be hardened proactively, before an attack like Sysrv strikes.

Darktrace Attack Surface Management forms just one part of Darktrace Prevent, a product family that also empowers defenders to model likely attack paths, intelligently prioritize vulnerabilities, simulate attacks, and more.

Insights gained are then fed into Darktrace’s Detect and Respond capabilities, hardening defenses and protecting organizations from the full range of cyber-threats – from crypto-jacking and supply chain compromise to phishing and spoofing attacks.

Sysrv-hello botnet infection discovery: Read the technical deep-dive

INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
About the author
Oakley Cox
Analyst Technical Director, APAC

Oakley is a technical expert with 5 years’ experience as a Cyber Analyst. After leading a team of Cyber Analysts at the Cambridge headquarters, he relocated to New Zealand and now oversees the defense of critical infrastructure and industrial control systems across the APAC region. His research into cyber-physical security has been published by Cyber Security journals and CISA. Oakley is GIAC certified in Response and Industrial Defense (GRID), and has a Doctorate (PhD) from the University of Oxford.
