New detection method identifies cryptomining and other fileless malware attacks

SentinelOne and Intel announced a new method to detect cryptomining and cryptojacking attacks using hardware-based detection technology.

5 things you should know about fileless malware attacks Cybersecurity threats evolve quickly, and attackers are increasingly using tactics that don't require a payload or tricking someone into installing something. Here's what you need to know about fileless attacks.

Cryptomining and cryptojacking attacks have been on the rise since 2018, largely supplanting ransomware as the attack method of choice for malicious actors, as the potential income from a pool of devices mining for cryptocurrency is higher than ransomware. This increased popularity coincides with improved obfuscation methods used by criminals to avoid detection.

SentinelOne and Intel announced a new method for detecting these attacks on Wednesday, using a combination of Intel's silicon-level Threat Detection Technology (TDT) security technology and SentinelOne's autonomous endpoint protection console. A joint press release touts the new memory-based attack detection method as "a 10x improvement in scanning time with no increase in CPU usage," as well as a significant increase to detection rates.

SEE: Spectre and Meltdown: An insider's guide (Tech Pro Research)

As an initial reaction, this may seem underwhelming-the tendency of cryptoming attacks to consume the resources of an entire CPU core, combined with the performance degradation for legitimate tasks this entails, makes manually identifying these attacks relatively simple. Likewise, viewing and stopping a mysterious, resource-consuming task in Windows Task Manager or Linux equivalents such as top, is relatively trivial.

However, the level of obfuscation utilized by malicious actors makes this approach less than straightforward, as memory-based attacks-also known as fileless malware-make manual detection and traditional dictionary-based antimalware strategies less effective. "Malware, especially cryptominers, continually evolves to avoid detection, often hiding in memory or delivering malicious code directly into the memory of a system," said Intel Security general manager Jim Gordon, in a press release.

Intel TDT was first announced at the 2018 RSA security conference. Presently, TDT comprises two security products: Accelerated Memory Scanning, which uses the integrated graphics system to scan for malware in memory. Advanced Platform Telemetry attempts to combine diagnostic information with machine learning to more reliably detect threats. TDT is available on 6th generation (Skylake) and newer processors.

For more tips on how to avoid cryptomining and other malware attacks, check out this TechRepublic story.

Also see

istock-880896372.jpg
KeremYucel, Getty Images/iStockphoto

By James Sanders

James Sanders is a staff technology writer for TechRepublic. He covers future technology, including quantum computing, AI/ML, and 5G, as well as cloud, security, open source, mobility, and the impact of globalization on the industry, with a focus on ...