Pierluigi Paganini October 17, 2019

Researchers at Cyberbit spotted a crypto mining campaign that infected more than 50% of the European airport workstations. 

Security experts at Cyberbit have uncovered a crypto mining campaign that infected more than 50% of the European airport workstations. 

European airport systems were infected with a Monero cryptocurrency miner that was linked to the Anti-CoinMiner campaign discovered this summer by Zscaler researchers.  

“While rolling out Cyberbit’s  Endpoint Detection and Response (EDR) in an international airport in Europe, our researchers identified an interesting crypto mining infection, where cryptocurrency mining software was installed on more than 50% of the airport’s workstations.” reads the analysis published by Cyberbit.

Experts pointed out that the Monero miners were installed on the European airport systems, even if they were running an industry-standard antivirus. Threat actors were able to package the miner evading the detection of ordinary antivirus.

“The malware we found was first discovered by Zscaler more than a year ago,” continues Cyberbit. “It was modified just enough to evade the vast majority of existing signatures for it, with only 16 out of 73 detection products on VirusTotal detecting the sample as malicious.”

The good news is that the miner did not impact the airport’s operations.

Experts’ behavioral engine detected a suspicious usage of the PAExec tool used to execute an application named player.exe.

PAExec is a redistributable version of the legitimate Microsoft PSExec tool that is used to run Windows programs on remote systems without having to physically install software on them. The execution of the PAExec tool is often associated with an ongoing attack, in this case, hackers used it for to launch the Player executable “in system mode.”

Experts also observed the use of Reflective DLL Loading after running player.exe. The technique allows the attackers to remotely inject a DLL directly into a process in memory.

“This impacts the performance of other applications, as well as that of the airport facility. The use of administrative privileges also reduces the ability for security tools to detect the activity.” continues the report.

In order to gain persistence, attackers added an entry in the systems’ registries for the PAExec.

At the time, researchers were not able to determine how attackers infected the European Airport systems.

“Because the malware happened to be a cryptominer, its business impact was relatively minor, limited to performance degradations leading to quality of service and service interruptions, as well as a significant increase in power consumption throughout the airport.” concludes Cyberbit.

“In a worst-case scenario, attackers could have breached the IT network as a means to hop onto the airport’s OT network in order to compromise critical operational systems ranging from runway lights to baggage handling machines and the air-train, to name a few of the many standard airport OT systems that could be cyber-sabotaged to cause catastrophic physical damage,”

Pierluigi Paganini

(SecurityAffairs – European airport workstations, miner)

[adrotate banner=”5″]

[adrotate banner=”13″]