Blog

Crypto

サイバー犯罪者が暗号通貨を利用して利益を得る方法

サイバー犯罪者が暗号通貨を利用して利益を得る方法Default blog imageDefault blog image
21
Jun 2022
21
Jun 2022

Cryptocurrencies have become increasingly mainstream in recent years, and opportunistic threat actors have not been slow to cash in.

Long before the peak values recorded in 2021, Darktrace reported on the close relationship between the value of cryptocurrency and the prevalence of malicious crypto-mining activity, commonly referred to as ‘crypto-jacking’. Since then, we have reported crypto-jacking from botnets, rogue insiders, compromised IoT devices, and even as a precursor to ransomware.

Now, the Darktrace SOC team reports on how the prolific Sysrv botnet is evolving to evade traditional cyber defenses in order to mine cryptocurrency on vulnerable Internet-facing machines. By pivoting to Pastebin for command and control infrastructure, the malware is better able to remain hidden from tools using signature-based threat detection.

Recently, however, Darktrace AI was able to identify a server compromised by Sysrv despite it being a pre-existing infection. Darktrace autonomously grouped the server into a ‘peer group’ of similar devices, recognizing the behavior as anomalous in comparison to the wider group. The same technique was used to find a pre-existing Trojan hiding in an energy grid in 2020.

Evolution of the Sysrv botnet

The Sysrv botnet has a rich history in adapting new techniques in order to remain relevant. When the botnet was first identified in early 2020, it made its name for its use of the GO language (‘Golang’). It allowed the malware authors to target multiple operating systems. While financially motivated cyber criminals have traditionally targeted the widely used Windows OS, the proliferation of IoT devices using Linux OS has made them an attractive target, especially for those looking to make a quick buck from crypto-mining.

More recent Sysrv variants have come equipped with a host of exploits, ready to make the most of the diverse set of security holes it may encounter. Many are added to the malware’s tool kit just days after the public release of a new vulnerability, demonstrating the sophistication of the attackers.

The botnet has also proven adaptable in which cryptocurrency it chooses to mine. The bots switched to Nano in 2021 during the currency’s boom in value, but more recently reverted to Monero. Monero is a mainstream cryptocurrency and, similar to Bitcoin, is expected to hold its value better than other currencies in the notoriously volatile crypto markets. Monero mining also has a technical advantage, in that it runs efficiently on CPUs. Other cryptocurrencies prefer GPUs and ASICs, which are unlikely to be found in the server environments targeted by Sysrv.

The storyline of botnet malware such as Sysrv over the last few years shows the sophistication and creativity of cyber criminals out to cash in on crypto. These advancements and adaptations will continue to surface, but with the upcoming launch of Darktrace Prevent, defenders can prepare their organizations against the most sophisticated attacks.

With Darktrace Attack Surface Management, organizations discover potential weak points in their exposed environments, and take action before attackers can. In the case of the Sysrv botnet, which preys on vulnerable Internet-facing machines, Attack Surface Management will be able to identify machines and proactively harden defenses before an attack like Sysrv could strike.

Darktrace Attack Surface Management forms just one part of Darktrace Prevent, a product family that also empowers defenders to model likely attack paths, intelligently prioritize vulnerabilities, simulate attacks, and more.

Insights gained are then fed into Darktrace’s Detect and Respond capabilities, hardening defenses and protecting organizations from the full range of cyber-threats – from crypto-jacking and supply chain compromise to phishing and spoofing attacks.

Sysrv-hello botnet infection discovery: Read the technical deep-dive

More in this series:

該当する項目はありません。

Like this and want more?

Receive the latest blog in your inbox
ありがとうございます!あなたの投稿を受け取りました。
フォームを送信する際に何らかの問題が発生しました。
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Oakley Cox
Analyst Technical Director, APAC

Oakley is a technical expert with 5 years’ experience as a Cyber Analyst. After leading a team of Cyber Analysts at the Cambridge headquarters, he relocated to New Zealand and now oversees the defense of critical infrastructure and industrial control systems across the APAC region. His research into cyber-physical security has been published by Cyber Security journals and CISA. Oakley is GIAC certified in Response and Industrial Defense (GRID), and has a Doctorate (PhD) from the University of Oxford.

PRODUCT SPOTLIGHT
該当する項目はありません。
This Article
サイバー犯罪者が暗号通貨を利用して利益を得る方法
Share
Twitter logoLinkedIn logo

Good news for your business.
Bad news for the bad guys.

無償トライアルを開始

無償トライアルを開始

柔軟な導入
仮想的にインストールすることも、ハードウェアでインストールすることも可能です。
迅速なインストール
設定時間はわずか1時間、メールセキュリティのトライアルはさらに短時間で完了します。
製品を選ぶ
クラウド、ネットワーク、Eメールなど、最も必要とされる領域で自己学習型AIの能力をお試しください。
購入義務なし
Darktrace Threat Visualizerと組織毎にカスタマイズされた3回の脅威レポートへのフルアクセスを提供しますが、購入の義務はありません。
For more information, please see our Privacy Notice.
ありがとうございます!あなたの投稿を受け取りました。
フォームを送信する際に何らかの問題が発生しました。

デモを見る

柔軟な導入
仮想的にインストールすることも、ハードウェアでインストールすることも可能です。
迅速なインストール
設定時間はわずか1時間、メールセキュリティのトライアルはさらに短時間で完了します。
製品を選ぶ
クラウド、ネットワーク、Eメールなど、最も必要とされる領域で自己学習型AIの能力をお試しください。
購入義務なし
Darktrace Threat Visualizerと組織毎にカスタマイズされた3回の脅威レポートへのフルアクセスを提供しますが、購入の義務はありません。
ありがとうございます!あなたの投稿を受け取りました。
フォームを送信する際に何らかの問題が発生しました。