From drive-by download to drive-by mining: understanding the new paradigm

Friday 5 October 12:00 - 12:30, Green room

Jérôme Segura (Malwarebytes)



The online threat landscape has changed dramatically over the past year with the decline in exploit kit activity. Faced with a shift in browser market share and built-in exploit protection, attackers have had to resort to other techniques to turn a quick profit.

In this session, we will present a quick review of the decline in exploit kit activity which started with the death of Angler EK, an infamous and advanced toolkit to distribute malware via exploits. In the following months, there was a domino-like effect with several high-profile actors disappearing from the public scene completely or going private. Interestingly, many distribution campaigns via hacked websites also took a hit, either vanishing or being repurposed for social engineering attacks instead. Something similar happened with malvertising, which continued unabated but diversified into various scams instead.

There are various factors that contributed to this decline. For starters, the vulnerabilities used by these exploit kits started to age quite rapidly and were less effective against a newer operating system with auto-updates and exploit mitigation baked in. At the same time, the market share for Internet Explorer (the primary targeted browser) continued its rapid descent while Google Chrome became the unchallenged number one.

Separately, cryptocurrencies have soared dramatically in the past year, driven by the exponential rise in Bitcoin value observed by everyone with great interest. In addition, new forms of cryptocurrency, such as Monero, have gained rapid momentum and have become popular for their low system requirements. Indeed, you no longer need to possess a powerful rig in order to mine for coins - any average PC can now participate as well. This was an interesting development because it opened the door to mining by the masses and in ways rarely explored before.

This was particularly true for in-browser miners thanks to the API provided by the infamous Coinhive. It didn't take long before many publishers, advertisers and criminals jumped on the bandwagon and started pushing JavaScript code that performed cryptomining silently (if not for the occasional humming of the computer fans). Because the mining happened simply by visiting a legitimate or compromised website, without any user interaction, it strongly resembled the way drive-by downloads work. Following a backlash from the user community, who for the most part felt like they were never consulted in the first place, this triggered a knee-jerk reaction of blocking such miners via traditional methods (ad blockers/ IP and domain blacklists).

However, online criminals keep coming up with new evasion techniques by using obfuscated code, proxies and clever social engineering tricks, all designed to keep users in the dark while their machines are - more or less silently - mining for the latest and hottest coins.

We conclude this talk by taking a look ahead at what is expected to be a long cat and mouse battle for as long as the value of cryptocurrencies remains high.



Other VB2018 papers

VB2018 opening address

Martijn Grooten (Virus Bulletin)

Keynote address (TBA)

John Lambert (Microsoft)

Last-minute paper (TBA)