Computers in a European Airport Found to be Infected with Crypto Mining Malware

Researchers at Cyberbit disclosed that they have discovered a crypto mining malware that infected 50% of the workstations in one of the international airports in Europe despite the fact that these workstations were equipped with industry standard antivirus.

This latest cyber incident at one of the international airports in Europe shows that antivirus solution isn’t enough to shield organizations from malicious software (malware).

Malicious Activities

According to the researchers at Cyberbit, the malware was detected based on the suspicious use of the following: PAExec tool and Reflective DLL Loading.


PAExec is a redistributable version of Microsoft’s PSExec that enables a user to launch Windows programs on remote Windows computers without the need of installing first the software on the remote computer.

According to the researchers at Cyberbit, PAExec tool was used multiple times over a short period to launch the file named “player.exe”, a malware that illicitly steals the computing power of the infected computer to mine the cryptocurrency called “Monero”. The researchers said that the malware closely resembled the CryptoMiner Variant #2 reported by Zscaler with the vast majority of original malware’s signatures modified just enough to evade detection.

The researchers added that PAExec was exploited mainly for the purpose of privilege escalation, enabling the malware to run in system mode, making it difficult to detect this malware using the traditional antivirus. Running the malware in system mode also makes this malware to be prioritized over any other application for the use of the infected workstation resources.

Reflective DLL Loading

The researchers at Cyberbit also detected the malware which infected half of the workstations in one of the international airport in Europe because of the use of Reflective DLL loading after running player.exe.

According to the Microsoft Defender ATP Research Team, Reflective Dynamic-Link Library (DLL) loading, which can load a DLL into a process memory without using the Windows loader, is one of the methods used by attackers to maintain stealth and achieve persistence. The Microsoft Defender ATP Research Team said that a malware loaded using Reflective DLL loading may not be readily visible without forensic analysis – the process of inspecting whether executable memory has content resembling executable code.

According to the researchers at Cyberbit, the malware, which comes in a file named player.exe, used Reflective DLL Loading to load additional DLLs from memory. The researchers said that this allowed the malware to evade detection as the file isn’t fetched from the hard drive and wouldn’t go through file-based detection systems like antivirus (AV) and most next-generation antivirus (NGAV) solutions.

The researchers at Cyberbit added that aside from player.exe, the malicious file named “PAExec.exe” was added to the Registry, also known as startup folder, of the infected computers to provide persistence. Adding a program to the Registry will run the program referenced whenever a user logs in. Attackers use the Registry to execute malware to maintain persistence through system reboots.

Business Impact of Crypto Mining Malware

Crypto mining malware drains an infected computer its computing power to mine a cryptocurrency. The crypto mining malware discovered by researchers at Cyberbit in 50% of the workstations in one of the international airports in Europe used the infected computers to mine the cryptocurrency Monero.

The recently discovered malware, for instance, ran in system mode, making it a priority program over any other program for the use of infected workstation resources. In the context of an international airport operation, this gives priority to a crypto mining malware to be prioritized in using the computing resources of the infected computers, which in the end impacts the performance of other computer programs used by the airport.

Any version or type of illicit crypto mining hurts the business bottom line as this leads to computer degradation, leading to degradation in the quality of service and service interruptions, as well as an increase in power consumption. “In a worst-case scenario, attackers could have breached the IT network as a means to hop onto the airport’s OT network in order to compromise critical operational systems ranging from runway lights to baggage handling machines and the air-train, to name a few of the many standard airport OT systems that could be cyber-sabotaged to cause catastrophic physical damage,” researchers at Cyberbit said.

Origin of Malware Infection

To date, it’s still not known how the crypto mining malware got into the workstations of the international airport in the first place. Crypto mining malware discovered in recent years were implanted by negligent insiders, malicious insiders or malicious outsiders.

Negligent insiders, for instance, unwittingly install malware by clicking on malicious links or opening malicious attachments contained in malicious emails. Malicious insiders, on the other hand, intentionally install crypto mining malware on the workstations of the organizations they’re working as this type of malware enables them to earn cryptocurrency.

Malicious outsiders, in the past, were able to install crypto mining malware on workstations of many organizations by tricking staff to click on malicious links or open malicious attachments contained in malicious emails. Malicious outsiders also often exploit known software vulnerabilities.

While antivirus solutions are able to block many email-based malware and malware exploiting known software vulnerabilities, these traditional solutions aren’t enough to protect organizations as shown in the recently discovered malware affecting workstations in one of the international airports in Europe.

As you can see, crypto mining malware has a negative business impact and we can help you protect your IT infrastructure, today.

Please schedule a consultation with one of our security experts today by calling (416) 920-3000 or email us at

Leave a Reply

Your email address will not be published. Required fields are marked *