New Crypto-Mining Malware Uses Amazon’s Cloud to Hijack Computers

Hackers are increasingly hijacking computers to secretly mine crypto assets. Such exploits surged last year, according a survey by IBM Managed Security Services. One recently discovered malware program is hiding itself on Amazon’s cloud to steal processing power from a fleet of ordinary computers.

So far, the “Xbooster” malware has infected enough machines using Windows operating systems to harvest approximately $100,000 worth of monero, according to Krishna Narayanaswamy, founder and chief scientist of Netskope. Hackers are pirating computers to mine monero, which is more difficult to track than bitcoin, because it’s in the “sweet spot” of the amount of processing power required and the monetary benefit from doing so.

“There are always newer ways of compromising machines,” Narayanaswamy said. “It’s amazing how many machines these threat actors manage to infect.”

The Xbooster malware is hosted in the cloud on Amazon Web Services (AWS), according to Netskope. From there, a command-and-control server installs two programs on infected machines: A monero miner and a manager that connects to the server.

People accidentally install this malware on their computers by clicking a link in a “drive-by download.” This usually happens through an e-mail campaign, a compromised website that shows up in search results, or the malware may be bundled with other types of programs like freeware or shareware, Narayanaswamy said.

“AWS employs a number of mitigation techniques, both manual and automated, to prevent the misuse of the services,” an AWS spokesman said in a statement. “We have automatic systems in place that detect and block many attacks before they leave our infrastructure. Our terms of usage are clear and when we find misuse we take action quickly and shut it down.”

To mine crypto assets, computers compete to solve complex mathematical calculations and confirm transactions within the network to generate digital tokens. But doing so requires substantial processing power, or CPU usage, which is why hackers have to pirate a large number of machines to be effective. Bitcoin has become far too difficult for hackers to mine—these days it requires massive warehouses stocked with specialized computers to be successful—but less widely used cryptos like monero still provide an opportunity for smaller, distributed operations.

Netskope says it doesn’t know who the hackers are or where they’re located. While the amount of money the malware has generated for its owners is relatively small, the threat is ongoing and difficult to detect.

To avoid detection, the command-and-control module residing on AWS keeps the infected computer’s CPU usage low enough that its owner is unlikely to notice. Narayanaswamy says “endpoint security” can help with this type of security for everyday consumers.

“It’s an ongoing issue and we need to educate people about adopting security solutions,” he said. “It’s not going away.”