grandeduc - Fotolia

Cryptomining is top attack type, says Malwarebytes

Malicious cryptomining has been the top cyber criminal activity detected since September 2017, a report reveals

As the value of cryptocurrencies has risen, illicit cryptocurrency mining has become mainstream – and may have surpassed all other cyber crime, according to security firm Malwarebytes.

Cryptocurrency mining is such a lucrative business that it is attracting malware creators and distributors around the world, warns the security firm’s latest report.

The trend can be traced back to the introduction of the legitimate Coinhive JavaScript miner in September 2017 that enabled Monero cryptocurrency mining directly within the browser.

Almost immediately, this was exploited by a cyber crime campaign that was designed for Android and drew millions of users to pages that immediately started to mine for Monero under the pretence of recouping server costs.

“Even though mobile devices are not as powerful as desktops, let alone servers, this event showed that no one was really immune to drive-by mining,” the report said, describing these attacks as an automated, silent and platform-agnostic technique that forces visitors to a website to mine for cryptocurrency.  

Malvertising, the report said, was a major factor in spreading coin miners to a large audience, as was seen with the YouTube case that involved malicious adverts via Google-owned internet ad service DoubleClick.

“Another interesting vector, which security people have warned about for years, is the use of third-party scripts that have become ubiquitous,” the report said, alluding to a Texthelp plugin called BrowseAloud that was compromised and injected with a Coinhive script, leading to hundreds of UK government websites unwittingly participating in malicious cryptomining activity.

To fend off criticism, Coinhive introduced a new API (application programming interface) called AuthedMine that explicitly requires user input for any mining activity to be allowed.

The idea was that considerate site owners would use this more “ethical” API instead, the report said, so that their visitors can knowingly opt in or out before engaging in cryptomining. This was also an argument that Coinhive put forward to defend its stance against ad blockers and antivirus products.

However, according to Malwarebytes’ own telemetry, the opt-in version of the API was barely used (40,000 times a day) in comparison with the silent one (three million times a day) between 10 January and 6 February 2018.

Although the WannaCry ransomware was highly publicised for taking advantage of the leaked EternalBlue and DoublePulsar exploits, at least two different groups used those same vulnerabilities to infect hundreds of thousands of Windows servers with a cryptocurrency miner, ultimately generating millions of dollars in revenue, the report said.

Other vulnerabilities, such as a flaw with Oracle’s WebLogic Server (CVE-2017-10271), were also used to deliver miners onto servers from universities and research institutions. Although Oracle released a patch in October 2017, many did not apply it in a timely fashion, and a proof-of-concept attack facilitated widespread abuse.

Servers are the favourite target for cryptocurrency mining attacks – also known as cryptojacking – because servers offer the most computing power to solve the mathematical operations required by cryptomining.

As cyber criminals have turned to cryptocurrency mining to generate revenue, malware authors have responded with existing malware families such as Trickbot, distributed via malicious spam attachments, adding a coin miner module.

The Trickbot authors also expanded their banking Trojan to steal credentials from users of the Coinbase cryptocurrency exchange  as they logged into their electronic wallet. “The modular nature of their malware is certainly making it easier for them to experiment with new schemes to make money,” the report said.

Distributing miners

Several exploit kits, RIG EK in particular, have been distributing miners, usually via the intermediary of the SmokeLoader malware. In fact, the report said cryptominers are one of the most commonly served payloads in drive-by download attacks.

Mobile users are not immune to cryptomining either, as Trojanised apps laced with mining code are also commonplace, especially for the Android platform. As with Windows malware, malicious app installers for Android tend to have modules for specific functionalities, such as SMS spam and of course miners, the report said.

Legitimate cryptocurrency mining pools that share resources such as Minergate are often used by criminal Android miners, and the same is true for Mac cryptominers. “Advice about sticking to official websites to download applications applies, but is not always enough, especially when trusted applications get hacked,” the report said.

Malwarebytes warned that cryptomining malware provides a good use case for exploiting the size and power of a botnet in order to perform CPU-intensive mining tasks without having to bear the costs incurred in the process. In some aspects, the report said, drive-by mining also applies the same concept, except that the botnet of web users it creates is mostly temporary.

Although malicious cryptomining appears to be far less dangerous to the user than ransomware, its effects should not be underestimated, the report said.

Unmanaged cryptocurrency miners could seriously disrupt business or infrastructure-critical processes by overloading systems to the point where they become unresponsive and shut down, the report said, noting that under the disguise of a financially motivated attack, this could be the perfect alibi for advanced threat actors.

Read more on Hackers and cybercrime prevention

Data Center
Data Management