Cryptocurrency miners basically do what they do with little fanfare or attempts at obfuscation, but one group of miners has been seen using a technique that allows the malware to make injections to 64-bit processes from 32-bit loaders.
Malwarebytes found this process being used in sample found in the wild that was a continuation of the Ngay campaign that used drive-by download attacks with the RIG exploit kit to drop malicious payloads and while not totally unusual it is an oddity when it comes to currency mining.
The 32-bit to 64-bit injection is not a new technique, but one developed back in 2009 and nicknamed Heaven's Gate. Malwarebytes noted that 64-bit systems are capable of running 32-bit programs by creating a 32-bit sub-system, essentially a 32-bit sandbox, where the software can operate properly and does not interact with the 64-bit environment that exists in the rest of the system.
In this case the malware first checks whether it is about to enter a 32-bit or 64-bit environment. If a 64-bit is spotted the malware creates a new, suspended 64-bit process in a Notepad where the malicious software will be dropped. In the sample found by Malwarebytes the injection was accomplished by using what appears to be a 64-bit version of Notepad, but what was in fact an xmrig Monero miner.
“So, at this moment we're confident that the notepad's image has been replaced in memory, most probably by the RunPE (Process Hollowing) technique. The main dropper is 32-bit, but it injects a payload into a 64-bit notepad,” Malwarebytes said.
The reason for utilising this technique has less to do with hiding any malicious actions, although that is often one reason why threat actors employ this, but instead to enable as many computers to be infected as possible, Malwarebytes said.