Microsoft Defender for Endpoint now works with Intel’s low level CPU hardware based Threat Detection Technology to spot and block cryptojacking malware.
Intel Threat Detection Technology (TDT) uses machine learning to analyse low level telemetry from the CPU’s performance monitoring subsystem to identify that cryptomining is happening and then signals Microsoft Defender to do something about it. Because the detection is happening in the silicon based on what the CPU is actually doing, the theory is existing evasion techniques employed by malware authors will simply not work. For example, the Intel TDT can spot cryptomining malware even if it is hidden inside a Virtual Machine spawned for the purpose and signal Microsoft Defender to shut down the VM. Intel TDT is built into the CPU, and is available on Intel vPro and Core chips that are 6th generation and later.
What is CryptoJacking?
Cryptojacking malware steals victim’s computing resources and electricity to mine crypto-currency on behalf of the malware creator. The cost of mining crypto-currency such as Monero is the cost of the computer system and the electricity to run it. By installing malware that contains mining software, criminals can essentially print money by using someone else’s computer and electricity bill to mine their crypto-currency.
Apart from a slow down in system performance, victims may not notice the arrival of the cryptojacking malware. With the current rise in cryptocurrency prices, cryptojacking is becoming an increasingly attractive alternative to ransomware for cyber criminals. For example, the Prometei botnet has recently started targeting Microsoft Exchange Servers unpatched against the ProxyLogon vulnerability to install cryptomining malware.