To understand what cryptocurrency is, let’s consider the following statement from Satoshi Nakamoto’s bitcoin whitepaper:

“A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution.”

Where:

• Peer to peer - each node acts as a server for the information stored upon it removing the need for a central server
• electronic - no physical money involved
• without going through a financial institution - no trusted third-parties like banks are involved

Based on this, we can infer that cryptocurrency is a digital currency which is decentralized and non-trust based. There are other cryptocurrencies aside from bitcoin called altcoins (alternative coins). Some of the most common are Ethereum (ETH), Litecoin (LTC), Zcash (ZEC), Dash (DASH), Ripple (XRP), Monero (XMR), Bitcoin Cash (BCH), Neo (NEO), Cardano (ADA), and EOS (EOS).

Mining is the process of verifying transactions and adding them to the blockchain. Blockchain is like a public ledger that contains all the previous transactions. Cryptocurrency is given to miners as a reward for validating the previous transactions.

Cryptocurrency can be obtained through legitimate means such as:

• Solo mining – A miner performs the mining operations alone and gets the entire reward for mining a block.
• Pool mining – Miners join together in a mining pool and the reward for mining a block is distributed depending on the method.

On the other hand, cryptocurrency can also be obtained through illegitimate means such as:

• Cryptojacking – Unauthorized use of someone else’s computing resources to mine cryptocurrency

This may involve different types of coinminers such as web, local, and fileless which can also be a part of a mining pool. The motivation for cryptojacking is financial which is similar to ransomware.

Malware authors have been very creative in terms of delivering cryptocurrency malware. Here are some of the known infection channels:

• Tech support scam
  EITest Campaign Uses Tech Support Scams to Deliver Coinhive’s Monero Miner 
• Facebook Messenger
  Digmine Cryptocurrency Miner Spreading via Facebook Messenger
• Chrome Web Store
  Malicious Chrome Extensions Found in Chrome Web Store, Form Droidclub Botnet
• Google Play Store
  Coin Miner Mobile Malware Returns, Hits Google Play
  Monero-Mining HiddenMiner Android Malware Can Potentially Cause Device Failure
• Malvertising
  • Google DoubleClick Advertisements
    Malvertising Campaign Abuses Google’s DoubleClick to Deliver Cryptocurrency Miners
  • AOL Advertising Platform
    Cryptocurrency Web Miner Script Injected into AOL Advertising Platform
  • Pop-up Ads
    Pop-up Ads and Over a Hundred Sites are Helping Distribute Botnets, Cryptocurrency Miners and Ransomware
• Vulnerability
  • SMBv1

    Cryptocurrency Miner Uses WMI and EternalBlue To Spread Filelessly

  • ApacheCouchDB

    Vulnerabilities in Apache CouchDB Open the Door to Monero Miners

  • PHP Weathermap

    Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability, Targets Linux Servers

  • Windows VBScript Engine

    Rig Exploit Kit Now Using CVE-2018-8174 to Deliver Monero Miner

  • Drupal

    Drupal Vulnerability (CVE-2018-7602) Exploited to Deliver Monero-Mining Malware

  • Adobe Flash Player/Internet Explorer

    New Underminer Exploit Kit Delivers Bootkit and Cryptocurrency-mining Malware with Encrypted TCP Tunnel

  • Oracle WebLogic

    Malicious Traffic in Port 7001 Surges as Cryptominers Target Patched 2017 Oracle WebLogic Vulnerability

    Oracle Server Vulnerability Exploited to Deliver Double Monero Miner Payloads

  • Microtik Routers

    Over 200,000 MikroTik Routers Compromised in Cryptojacking Campaign

  With Trend Micro Intrusion Prevention, you can easily virtually patch and protect vulnerable systems from known, unknown, and zero-day vulnerabilities.

• Unsecure configuration
  Tesla and Jenkins Servers Fall Victim to Cryptominers

Network Monitoring

Cryptocurrency mining requires Internet to communicate with the mining pool or the cryptocurrency network. As such, it should generate an identifiable network traffic that could signify a possible mining activity.
However, attackers can make use of secure communication channels such as SSH Tunnel or TOR network. In this case, further investigation is required to identify whether the network activity is normal or not. A server communicating with a TOR network should already be a subject for investigation.

Deploy solutions that are capable of detecting anomalies in the network. Trend Micro Deep Discovery Inspector provides 360 degrees of visibility by monitoring all network ports and over 105 different protocols.

Performance Monitoring

Mining requires computing resources – CPU or GPU. This can make the computer run slower and consume more electricity. Performance monitoring is perhaps the easiest way to identify whether a computer is being cryptojacked. If a server normally running on 50% CPU suddenly jumps to 90% or above, it is safe to assume that it’s infected with a coinminer.

However, doing this in real-time over a large network is what makes it difficult. Additional software such as Nagios maybe required.

Malicious coinminers should generally be detected and cleaned by your endpoint security. If you suspect that your computer is infected but nothing is being detected, collect suspicious files and system information and submit the logs to Trend Micro Technical Support for analysis.

Coinminers come in different forms (web, local, fileless) and arrive in different ways. They can be unknowingly installed by the user or downloaded by other malware too. Like ransomware, there is no silver-bullet in protecting against coinminers. A combination of layered security and safe practices is a must. Learn how to prevent your computer from getting infected with coinminers:

Don’t be a Coinmining Zombie – Part 2: How Do You Protect Yourself from being Cryptojacked?