Cryptomining: A Growing Threat

The rising prominence of cryptocurrencies worldwide incentivizes criminals to expand cryptocurrency mining operations, particularly when using compromised infrastructure forces others to bear any cost. In comparison with traditional targets of cybercrime, cryptocurrencies are also easily monetizable, as they are already relatively anonymous currency. Attackers must do little to extract usable value than possess the currencies they just mined.

Consequently, the number of incidents involving illicit installation of cryptocurrency miners is on the rise, and pose an increasing threat to enterprises. At the same time, hitherto legitimate or at least semi-legitimate actors are tempted to install miners where they employ others’ infrastructure.

Common Infection Vectors

As mining is a highly intensive task that requires significant resources from infected machines, as well as a significant amount of electricity, malicious actors use a variety of approaches to secretly hijack computer infrastructure (cryptojacking) and make others bear the operating costs. Theoretically, any attack that involves injecting executable code could turn a targeted system into a virtual coin miner for an attacker.

Webmining, one of the most popular cryptocurrency mining techniques, works by embedding code in a website that leverages the processing power of visiting devices to mine cryptocurrency, without the knowledge or permission of the website user.

It has been in use since 2011 but lost momentum in recent years until the middle of 2017, when significant numbers of actors, attracted by rising cryptocurrency prices, discovered Coinhive, a JavaScript Monero miner. Coinhive was originally developed as a legitimate cryptocurrency miner, which website operators can embed into their websites as an alternative revenue-generating method, for example to replace banner ads that can be obstructed by ad-blockers. However, this method was quickly abused and exploited.

For attackers, the advantage of malicious webminers is that the software does not require downloading by victims, but instead starts automatically. Some web operators do not explicitly ask for users’ consent and execute the mining program to secretly siphon energy and processing power from unsuspecting users to mine cryptocurrency, especially with Windows systems and Chrome browsers. Other malicious actors install Coinhive on unsuspecting websites and channel cryptocurrency from the legitimate site’s traffic. Coinhive has been criticized for its use in such abusive situation and is currently quite successfully blocked by most antivirus software.

Aside from webmining, malicious actors have evolved more sophisticated and lucrative cryptomining malware attacks. They use all available exploits to expand their cryptominer spreading botnets and make them more persistent, able in some cases even to recover after sinkhole operations. Unpatched servers and mobile devices are the most common targets.

Perhaps the most prominent cryptomining botnet is the Smominru botnet, which uses EternalBlue, an NSA-linked exploit leaked by the Russia-linked Shadow Brokers, to spread Monero mining malware. At least 25 hosts conducted attacks via EternalBlue (CVE-2017-0144 SMB) to infect new nodes and expand the botnet.

Smominru includes more than 526,000 infected Windows hosts, most of which are servers. Servers are an appealing target for cryptocurrency miners because of their processing capacity; unlike a personal computer, which is regularly turned off and is therefore prevented from mining, servers are always on, providing a continuous, lucrative stream of Monero. Smominru’s bots are distributed worldwide, but the majority of affected machines are reportedly located in Russia, India, and Taiwan.1 To date, Smominru has reportedly generated about two million euros for its attackers.

Furthermore, as botnets for the most part do not steal anything beyond computing power, they often remain undetected for long periods, and the victims could theoretically remain part of the botnet for as long as the attacker chooses. Those activities can finally infect systems or servers and bring down corporate networks.

At the same time, instances of insiders using company resources are on the rise. This is often as simple as an employee opening a browser running a miner in the background on a company computer while at work, but it can also extend to installing miners on company assets or installing mining equipment at work to make the company bear the electricity costs.

These operations cost organizations in energy costs and lost capacity. They also expose the organization to the risks that installing outside software can bring: possible infections, vulnerabilities, and unexpected impacts on other operations. Concerningly, miners attract employees who would never ream of installing more aggressive malware, but who view miners as an acceptable transgression, and thereby incur costs and expose their employers to further infections and additional risks.

Conclusion & Recommendations

Cryptominers’ ability to remain undetected leaves many users unaware that a malicious miner is installed on their system, with no symptoms other than slower performance. This increases the time a system is infected, generating longer-term revenue for a threat actor.

Cryptocurrency miners seem to be interested in victim’s computational power only, and may be viewed as some as a relatively low risk. However, the resource costs of mining can be high, and attacks can expose victims to further infections.

Recent observations show that criminal actors are transferring their malicious operations from “traditional” activities like ransomware to cryptocurrency mining. Therefore, it is highly possible that miner botnet infections will become more common and continue to grow in size. Miner bot-herders may be content with this, but once they control a computer, nothing stops them from committing further crimes, such as stealing data or installing malicious payloads.

Enterprises should explicitly look for indications that miners may be operating on company systems as well as include the cryptocurrency mining problem in network defense plans and monitor the developments in their IT infrastructure. These actions might include:

  • Monitor outbound connections to possible mining pools.
  • Monitor and analyze processes with high and constant consumption.
  • If possible, monitor and analyze power consumption for atypically high consumption. This can mean reduced performance, an increase in CPU usage, or atypically high temperatures.
  • A variety of AV programs alert the presence of cryptocurrency mining scripts hosted on websites and give users the option of blocking the activity.
  • Blocking (Java) Script-based applications from running on browsers can prevent Coinhive and its imitator miners from using CPU resources.
Who we are

The Threat Intelligence -Team helps clients to reduce the threat posed by adversaries for their networks by leveraging the power of collaborative defense in combination with comprehensive analytics and contextualized threat intelligence. DCSO delivers actionable intelligence on all levels – from atomic Indicators of Compromise (IoC) to insights into the political, economic and cultural context of adversaries.

1 Kafeine. “Smominru Monero Mining Botnet Making Millions for Operators”, Jan. 31, 2018. Proofpoint.