资源劫持是攻击者非法控制受害系统计算资源以执行加密货币挖矿、代理转发等恶意活动的技术手段。其通过滥用CPU、GPU、内存等资源,不仅影响系统性能,还可能破坏关键业务运行。传统防御手段主要通过监控异常资源占用率(如持续高CPU使用)、检测已知挖矿软件特征,或分析异常网络连接(如矿池通信)进行识别。
为规避传统检测机制,攻击者发展出高度隐蔽的资源劫持技术,通过虚拟化隐匿、进程寄生、动态调节等手法,将恶意资源消耗行为融入系统正常负载波动中,形成"低可感知、高持续性"的新型资源滥用模式。
当前资源劫持匿迹技术的核心在于构建资源消耗的动态平衡与行为伪装。攻击者通过虚拟化隔离特性模糊资源归属,将恶意负载嵌入容器、虚拟机等抽象层,规避主机监控;利用进程注入技术实现计算任务寄生,复用合法进程的资源配额与行为特征;引入智能调控算法使资源占用随系统负载自适应变化,消除异常峰值。三类技术的共性在于突破传统静态阈值检测逻辑,通过资源占用的时空分布优化与上下文环境适配,使恶意行为在微观层面表现为正常系统活动,在宏观层面维持长期隐蔽的资源窃取。
匿迹技术的演进导致传统基于资源峰值告警或进程特征匹配的防御体系面临挑战,防御方需构建多维资源时序分析模型,结合容器运行时安全监控、内存完整性校验等技术,并引入基于行为熵值计算的异常检测算法,实现对动态资源劫持行为的精准识别。
| 效应类型 | 是否存在 |
|---|---|
| 特征伪装 | ✅ |
| 行为透明 | ❌ |
| 数据遮蔽 | ✅ |
| 时空释痕 | ✅ |
攻击者通过进程注入和虚拟化封装,将恶意资源消耗行为伪装成合法进程活动。例如将挖矿模块嵌入浏览器进程内存空间,复用其网络连接通道,使资源占用特征与正常应用行为高度相似,规避基于进程特征的分析检测。
在容器化劫持场景中,攻击者利用服务网格的TLS加密通信隐藏挖矿流量,通过加密隧道传输算力数据,使网络层检测无法解析恶意载荷内容,掩盖资源滥用行为的通信特征。
动态资源配额调整技术通过智能算法将恶意负载的计算强度分散在长时间维度,使资源占用率始终随系统正常负载波动,避免形成持续高负载特征。这种时域上的行为稀释使得传统基于固定时间窗口的检测模型难以识别异常模式。
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content |
Monitor logs for software-as-a-service (SaaS) applications for signs of abuse. |
| DS0025 | Cloud Service | Cloud Service Modification |
Monitor for changes to SaaS services, especially when quotas are raised or when new services are enabled. |
| DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may indicate common cryptomining or proxyware functionality. |
| DS0022 | File | File Creation |
Monitor for common cryptomining or proxyware files on local systems that may indicate compromise and resource usage. |
| DS0029 | Network Traffic | Network Connection Creation |
Monitor for newly constructed network connections that are sent or received by untrusted hosts, look for connections to/from strange ports, as well as reputation of IPs and URLs related cryptocurrency hosts. |
| Network Traffic Content |
Monitor network traffic content for resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Note: Destination Host Name is not a comprehensive list of potential cryptocurrency URLs. This analytic has a hardcoded domain name which may change. |
||
| Network Traffic Flow |
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
||
| DS0009 | Process | Process Creation |
Monitor for common cryptomining or proxyware software process names that may indicate compromise and resource usage. |
| DS0013 | Sensor Health | Host Status |
Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources. |