-
The Pulse of Fileless Cryptojacking Attacks: Malicious PowerShell Scripts
Authors:
Said Varlioglu,
Nelly Elsayed,
Eva Ruhsar Varlioglu,
Murat Ozer,
Zag ElSayed
Abstract:
Fileless malware predominantly relies on PowerShell scripts, leveraging the native capabilities of Windows systems to execute stealthy attacks that leave no traces on the victim's system. The effectiveness of the fileless method lies in its ability to remain operational on victim endpoints through in-memory execution, even if the attack is detected and the original malicious scripts are removed. Threat actors have increasingly used this technique, particularly since 2017, to conduct cryptojacking attacks. With the emergence of new Remote Code Execution (RCE) vulnerabilities in ubiquitous libraries, widespread cryptocurrency mining attacks have become prevalent, often employing fileless techniques. This paper provides a comprehensive analysis of the PowerShell scripts used in fileless cryptojacking, dissecting the common malicious patterns based on the MITRE ATT&CK framework.
Submitted 21 February, 2024; v1 submitted 15 January, 2024;
originally announced January 2024.
-
Exploring the Journey to Drug Overdose: Applying the Journey to Crime Framework to Drug Sales Locations and Overdose Death Locations
Authors:
Murat Ozer,
Ismail Onat,
Halil Akbas,
Nelly Elsayed,
Zag ElSayed,
Said Varlioglu
Abstract:
Drug overdose is a pressing public health concern in the United States, resulting in a significant number of fatalities each year. In this study, we employ the Journey to Crime (JTC) framework, borrowed from the field of environmental criminology, to examine the association between drug sales locations and overdose death locations. Our objective is to elucidate the trajectory of overdose victims to overdose locations, aiming to improve the distribution of overdose services and interventions. To the best of our knowledge, no previous study has applied the JTC framework to drug overdose deaths. By scrutinizing data obtained from the Hamilton County, OH Coroner and the Cincinnati Police Department, we explore the plausible correlation between overdose deaths and drug sales locations. Our findings underscore the necessity of a comprehensive strategy to curtail overdose deaths. This strategy should encompass targeted efforts to reduce the accessibility of illicit drugs, improved responses to overdose incidents through a collaborative multidisciplinary approach, and the availability of data to inform evidence-based strategies and facilitate outcome evaluation. By shedding light on the relationship between drug sales locations and overdose death locations through the JTC framework, this study contributes valuable insights to the field of drug overdose prevention and emphasizes the significance of multifaceted approaches to addressing this public health crisis. Ultimately, our research aims to inform the development of evidence-based interventions and policies that can mitigate the occurrence and impact of drug overdoses in our communities.
Submitted 31 May, 2023;
originally announced May 2023.
-
The Dangerous Combo: Fileless Malware and Cryptojacking
Authors:
Said Varlioglu,
Nelly Elsayed,
Zag ElSayed,
Murat Ozer
Abstract:
Fileless malware and cryptojacking attacks emerged independently as new, alarming threats in 2017. Since 2020, fileless attacks, with their low-observable characteristics, have been devastating for victim organizations. The amount of unauthorized cryptocurrency mining has also increased since 2019. Adversaries have started to merge these two different cyberattacks to gain more invisibility and profit under the name "Fileless Cryptojacking." This paper provides a literature review of academic papers and industry reports on this new threat. Additionally, we present a new threat-hunting-oriented DFIR approach with best practices derived from field experience as well as the literature. Last, this paper reviews the fundamentals of the fileless threat, which can also help ransomware researchers examine similar patterns.
Submitted 9 March, 2022; v1 submitted 7 March, 2022;
originally announced March 2022.
-
Explaining the Relationship between Internet and Democracy in Partly Free Countries Using Machine Learning Models
Authors:
Mustafa Sagir,
Said Varlioglu
Abstract:
Previous studies have offered a variety of explanations of the relationship between democracy and the internet. However, most of these studies concentrate on regions, specific states or authoritarian regimes. No study has investigated the influence of the internet in the partly free countries defined by Freedom House. Moreover, very little is known about the effects of online censorship on the development, stagnation, or decline of democracy. Drawing upon the International Telecommunication Union, Freedom House, and World Bank databases and using machine learning methods, this study sheds new light on the effects of the internet on democratization in partly free countries. The findings suggest that internet penetration and online censorship both have a negative impact on democracy scores, and that the internet's effect on democracy scores is conditioned by online censorship. Moreover, results from the random forest model suggest that online censorship is the most important variable for democracy scores, followed by the governance index and education. The comparison of the various machine learning models reveals that the best-performing model is the 175-tree random forest model, which has 92% accuracy. This study might also help "IT professionals" see their important role not only in technical fields but also in society in terms of democratization, and how close IT is to the social sciences.
Submitted 10 April, 2020;
originally announced April 2020.
-
Is Cryptojacking Dead after Coinhive Shutdown?
Authors:
Said Varlioglu,
Bilal Gonen,
Murat Ozer,
Mehmet F. Bastug
Abstract:
Cryptojacking is the exploitation of victims' computer resources to mine cryptocurrency using malicious scripts. It became popular after 2017, when attackers started to exploit legal mining scripts, especially Coinhive scripts. Coinhive was actually a legal mining service that provided scripts and servers for in-browser mining activities. Nevertheless, over 10 million web users had been victims every month before the Coinhive shutdown in March 2019. This paper explores the new era of the cryptojacking world after Coinhive discontinued its service. We aimed to see whether and how attackers continued cryptojacking, generated new malicious scripts, and developed new methods. We used a capable cryptojacking detector named CMTracker, proposed by Hong et al. in 2018. We automatically and manually examined 2770 websites that had been detected by CMTracker before the Coinhive shutdown. The results revealed that 99% of the sites no longer continue cryptojacking. 1% of the websites still run 8 unique mining scripts. By tracking these mining scripts, we detected 632 unique cryptojacking websites. Moreover, open-source intelligence (OSINT) demonstrated that attackers still use the same methods. Therefore, we listed the typical patterns of cryptojacking. We concluded that cryptojacking is not dead after the Coinhive shutdown. It is still alive, but not as attractive as it used to be.
Submitted 13 March, 2020; v1 submitted 7 January, 2020;
originally announced January 2020.
-
Plunge into the Underworld: A Survey on Emergence of Darknet
Authors:
Victor Adewopo,
Bilal Gonen,
Said Varlioglu,
Murat Ozer
Abstract:
The availability of sophisticated technologies and methods for perpetrating criminogenic activities in cyberspace is a pertinent societal problem. The darknet is an encrypted network technology that uses the internet infrastructure and can only be accessed using special network configuration and software tools; its contents are not indexed by search engines. Over the years, darknets have traditionally been used for criminogenic activities and are widely held to promote cybercrime, procurement of illegal drugs, arms deals, and cryptocurrency markets. In countries with oppressive regimes, censorship of digital communications and strict policies have prompted journalists and freedom fighters to seek freedom anonymously using darknet technologies, while others simply exploit them for illegal activities. Recently, MIT's Lincoln Laboratory of Artificial Intelligence augmented a tool that can be used to expose illegal activities behind the darknet. We studied relevant literature reviews to help researchers better understand darknet technologies, identify future areas of research on the darknet, and ultimately optimize how data-driven insights can be used to support governmental agencies in unraveling the depths of darknet technologies. This paper focuses on the use of the internet for crime, deanonymization of TOR services, the darknet as a new digital street for illicit drugs, and research questions and hypotheses to guide researchers in further studies. Finally, in this study, we propose a model to examine and investigate anonymous online illicit markets.
Submitted 17 March, 2020; v1 submitted 7 January, 2020;
originally announced January 2020.
-
A Prevention and a Traction System for Ransomware Attacks
Authors:
Murat Ozer,
Said Varlioglu,
Bilal Gonen,
Mehmet F. Bastug
Abstract:
Over the past three years, especially following the WannaCry malware, ransomware has become one of the biggest concerns for private businesses and state and local government agencies. According to Homeland Security statistics, 1.5 million ransomware attacks have occurred per year since 2016. Cybercriminals often use creative methods to inject their malware into target machines and use sophisticated cryptographic techniques to hold victims' files and programs hostage unless a certain amount of equivalent Bitcoin is paid. The return to cybercriminals is very high (an estimated $1 billion in 2019) and comes without any cost, because of the advanced anonymity provided by cryptocurrencies, especially Bitcoin [Paquet-Clouston2019]. Given this context, this study first discusses the current state of ransomware and of detection and prevention systems. Second, we propose a global ransomware center to better manage our concerted efforts against cybercriminals. The policy implications of the proposed study are discussed in the conclusion section.
Submitted 17 March, 2020; v1 submitted 7 January, 2020;
originally announced January 2020.
-
A Rule-Based Model for Victim Prediction
Authors:
Murat Ozer,
Nelly Elsayed,
Said Varlioglu,
Chengcheng Li,
Niyazi Ekici
Abstract:
In this paper, we propose a novel automated model, called Vulnerability Index for Population at Risk (VIPAR) scores, to identify rare populations at risk of future shooting victimization. Likewise, the focused deterrence approach identifies vulnerable individuals and offers certain types of treatment (e.g., outreach services) to prevent violence in communities. The proposed rule-based engine model is the first AI-based model for victim prediction. This paper aims to compare the focused deterrence strategy list with the VIPAR score list regarding their predictive power for future shooting victimizations. Drawing on criminological studies, the model uses age, past criminal history, and peer influence as the main predictors of future violence. Social network analysis is employed to measure the influence of peers on the outcome variable. The model also uses logistic regression analysis to verify the variable selections. Our empirical results show that VIPAR scores predict 25.8% of future shooting victims and 32.2% of future shooting suspects, whereas the focused deterrence list predicts 13% of future shooting victims and 9.4% of future shooting suspects. The model outperforms the intelligence list of focused deterrence policies in predicting future fatal and non-fatal shootings. Furthermore, we discuss concerns about the right to the presumption of innocence.
Submitted 7 March, 2022; v1 submitted 5 January, 2020;
originally announced January 2020.