New detection method identifies cryptomining and other fileless malware attacks. SentinelOne and Intel announced a new method to detect cryptomining and cryptojacking attacks using hardware-based detection technology.
Cryptomining and cryptojacking attacks have been on the rise since 2018, largely supplanting ransomware as the attack method of choice for malicious actors, since the potential income from a pool of devices mining cryptocurrency is higher than what ransomware yields. This increased popularity coincides with improved obfuscation methods used by criminals to avoid detection.
SentinelOne and Intel announced the new detection method on Wednesday. It combines Intel's silicon-level Threat Detection Technology (TDT) with SentinelOne's autonomous endpoint protection console. A joint press release touts the new memory-based attack detection method as:
“a 10x improvement in scanning time with no increase in CPU usage,”
which the companies say translates into a significant increase in detection rates. The speed-up comes from offloading memory scanning to the integrated GPU rather than running it on the CPU cores.
At first glance this may seem underwhelming: the tendency of cryptomining attacks to consume an entire CPU core, and the performance degradation for legitimate tasks this entails, makes manually identifying these attacks relatively simple. Likewise, spotting and killing a mysterious, resource-consuming task in Windows Task Manager, or in Linux equivalents such as top, is relatively trivial.
However, the level of obfuscation used by malicious actors makes this approach less straightforward. Memory-based attacks, also known as fileless malware, leave no executable on disk to inspect, so both manual detection and traditional signature-based antimalware scanning become less effective. "Malware, especially cryptominers, continually evolves to avoid detection, often hiding in memory or delivering malicious code directly into the memory of a system," said Intel Security general manager Jim Gordon in a press release.
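The two paragraphs above describe the manual approach (look for a process pinning a core) and why fileless miners defeat it (the process has no file on disk to inspect). The following triage script, added here as an example and not code from SentinelOne, Intel or the article, combines the two checks on Linux: it flags processes above a CPU threshold from `ps` output, then reads each one's `/proc/<pid>/exe` link to see whether the binary still exists on disk, was unlinked after exec (the "(deleted)" suffix), or lives only in an anonymous `memfd:` mapping. The process table and the procfs tree layout it expects are standard Linux; the sample `ps` output and the threshold value are constructed for the example.

```shell
#!/bin/sh
# Added example: hot-process triage with an on-disk executable check.
# Not SentinelOne or Intel code. Assumes Linux procfs (/proc/<pid>/exe),
# plus ps, awk and readlink.

CPU_THRESHOLD=80   # percent of one core; tune for your hosts (assumed value)

# Constructed sample in `ps -eo pid,pcpu,comm` layout; not a real capture.
SAMPLE_PS='  PID %CPU COMMAND
    1  0.1 systemd
  842  0.3 sshd
 2107 99.7 kworker
 2210 12.4 firefox
 3314 97.9 xmrig
 4401 95.0 ffmpeg'

# hot_processes THRESHOLD: read ps output on stdin and print "PID COMMAND"
# for every entry whose %CPU exceeds THRESHOLD. The header line is skipped.
hot_processes() {
    awk -v t="$1" 'NR > 1 && ($2 + 0) > t { print $1, $3 }'
}

# exe_status PROCROOT PID: classify where the process's executable lives.
#   ondisk  - /proc/PID/exe points at a file that still exists
#   deleted - link target carries the "(deleted)" suffix: the binary was
#             unlinked after exec, leaving nothing for a file scanner
#   memfd   - executable exists only in an anonymous memfd: mapping
#   missing - link target is a path that no longer resolves
#   unknown - link unreadable (process exited, or no permission)
# PROCROOT is normally /proc; it is a parameter so the check can be run
# against a constructed tree.
exe_status() {
    target=$(readlink "$1/$2/exe" 2>/dev/null || true)
    if [ -z "$target" ]; then
        echo unknown
        return 0
    fi
    case "$target" in
        /memfd:*)      echo memfd ;;
        *" (deleted)") echo deleted ;;
        *)             if [ -e "$target" ]; then echo ondisk; else echo missing; fi ;;
    esac
}

# triage PROCROOT < ps-output: one "PID COMMAND STATUS" line per hot process.
# Anything that is hot and not "ondisk" deserves a closer look; a hot process
# named like a kernel thread (kworker) that runs from a memfd is a classic tell.
triage() {
    hot_processes "$CPU_THRESHOLD" | while read -r pid comm; do
        printf '%s %s %s\n' "$pid" "$comm" "$(exe_status "$1" "$pid")"
    done
}

# Live use on a Linux host (commented out so the script runs stand-alone):
# ps -eo pid,pcpu,comm | triage /proc
```

A high CPU figure alone is not evidence: the ffmpeg entry in the sample is hot and on disk, and would be noise in a report. The status column is what separates a legitimate heavy job from a miner that has erased its own binary, which is exactly the case the article says manual inspection and file-based scanning miss.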
Intel TDT was first announced at the 2018 RSA security conference. Presently, TDT comprises two capabilities: Accelerated Memory Scanning, which offloads scanning of system memory for malware to the integrated GPU, and Advanced Platform Telemetry, which combines platform diagnostic telemetry with machine learning to detect threats more reliably. TDT is available on 6th generation Core (Skylake) and newer processors.