I often have to demonstrate how ‘traditional’ AV can be bypassed. For example, if you want to steal credentials using mimikatz or similar, you can run it in memory with no files present on the target device. It looks like someone has been making money at airports using similar techniques…:
Cyberbit says its computer security software helped uncover a large infection of cryptocurrency mining software at an unnamed “international airport in Europe” where the majority of workstations were infected with active malware.
The company won’t name its client but in a blog post, its researchers said that standard types of anti-virus software would have failed to catch the crypto-miners, including the system the airport had deployed on its network.
Cyberbit’s Endpoint Detection and Response (EDR) technology analyzes system performance and user activities and looks for abnormal data. It was the high processing requirements of crypto-mining software that providing the clues that unauthorized processes were running.
Cyberbit researchers said that the intruders had created a variant of a known crypto-miner that allowed it to slip by computer security defenses heavily reliant on anti-virus software which rely on previously discovered signatures and models of attack.
Cyberbit’s approach is to look for abnormal behaviors in IT systems in real-time and identify attacks that carry no easily identifiable signature or method.
The discovery of the infected international airport creates the question: how many more international airports have unknown malware?