Crypto Mining Malware Uses Amazon’s Cloud to Hijack Computers

amazon cloud malware

A new survey by IBM Managed Security Services has revealed that hackers are increasingly hijacking computers to secretly mine cryptocurrencies, with one malware program hiding itself on Amazon’s cloud to siphon processing power.

The Xbooster malware has so far harvested $100,000 in Monero from infected Windows machines, according to the survey. Monero is more anonymous and more difficult to track than bitcoin, being in the ‘sweet spot’ as far as being a profitable cryptocurrency to mine with the computing resources required.

“There are always newer ways of compromising machines,” Krishna Narayanaswamy, founder and chief scientist of Netskope said. “It’s amazing how many machines these threat actors manage to infect.”

Hosted on the Amazon Web Services (AWS) cloud, the Xbooster malware uses a command-and-control server to install two programs on the infected machines: a manager that connects to the server and a monero miner. Unsuspecting victims accidentally install the malware by falling for a drive-by download link, typically delivered through a compromised website or an email campaign or malware bundled through freeware or shareware.

To avoid detection, the command-and-control module on the AWS keeps the infected machine’s CPU usage low enough not to have its user notice the spike. Endpoint security is a solution for everyday consumers at a time when even Amazon isn’t completely equipped to handle these threats.

“AWS employs a number of mitigation techniques, both manual and automated, to prevent the misuse of the services,” an AWS spokesman said in a statement. “We have automatic systems in place that detect and block many attacks before they leave our infrastructure. Our terms of usage are clear and when we find misuse we take action quickly and shut it down.”

Although the amount of money generated through crypto mining is relatively small, it’s a threat that is ongoing and hard to eradicate because it’s difficult to detect.

Image credit: LIFARS archive.