Security experts at Cyberbit have uncovered a crypto mining campaign that infected more than 50% of the European airport workstations.
European airport systems were infected with a Monero
“While rolling out Cyberbit’s Endpoint Detection and Response (EDR) in an international airport in Europe, our researchers identified an interesting crypto mining infection, where
Experts pointed out that the Monero miners were installed on the European airport systems, even if they were running an industry-standard antivirus. Threat actors were able to package the miner evading the detection of ordinary antivirus.
The good news is that the miner did not impact the airport’s operations.
Experts’ behavioral engine detected a suspicious usage of the PAExec tool used to execute an application named player.exe.
Experts also observed the use of Reflective DLL Loading after running player.exe. The technique allows the attackers to remotely inject a DLL directly into a process in memory.
“This impacts the performance of other applications, as well as that of the airport facility. The use of administrative privileges also reduces the ability for security tools to detect the activity.” continues the report.
In order to gain persistence, attackers added an entry in the systems’ registries for the PAExec.
At the time, researchers were not able to determine how attackers infected the European Airport systems.
“Because the malware happened to be a
“In a worst-case scenario, attackers could have breached the IT network as a means to hop onto the airport’s OT network in order to compromise critical operational systems ranging from runway lights to baggage handling machines and the air-train, to name a few of the many standard airport OT systems that could be cyber-sabotaged to cause catastrophic physical damage,”