The first decentralized cryptocurrency, bitcoin, sparked the creation of other cryptocurrencies. As cryptocurrencies became popular, threat actors have learned to adapt. From wire transfers, to gift cards, and prepaid vouchers, ransomware payment transitioned to cryptocurrencies. However, there's a new menace that have been gaining popularity since 2017 - cryptocurrency malware. Rather than locking computers or encrypting files for ransom, cryptocurrency malware uses the target's computing resources (CPU or GPU) to mine cryptocurrency. Learn more about cryptocurrency malware and how to defend against it.
To understand what cryptocurrency is, let’s consider the following statement from Satoshi Nakamoto’s bitcoin whitepaper:
“A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution.”
- Peer to peer - each node acts as a server for the information stored upon it removing the need for a central server
- electronic - no physical money involved
- without going through a financial institution - no trusted third-parties like banks are involved
Based on this, we can infer that cryptocurrency is a digital currency which is decentralized and non-trust based. There are other cryptocurrencies aside from bitcoin called altcoins (alternative coins). Some of the most common are Ethereum (ETH), Litecoin (LTC), Zcash (ZEC), Dash (DASH), Ripple (XRP), Monero (XMR), Bitcoin Cash (BCH), Neo (NEO), Cardano (ADA), and EOS (EOS).
Cryptocurrency can be obtained through legitimate means such as:
- Solo mining – A miner performs the mining operations alone and gets the entire reward for mining a block.
- Pool mining – Miners join together in a mining pool and the reward for mining a block is distributed depending on the method.
On the other hand, cryptocurrency can also be obtained through illegitimate means such as:
- Cryptojacking – Unauthorized use of someone else’s computing resources to mine cryptocurrency
This may involve different types of coinminers such as web, local, and fileless which can also be a part of a mining pool. The motivation for cryptojacking is financial which is similar to ransomware.
Malware authors have been very creative in terms of delivering cryptocurrency malware. Here are some of the known infection channels:
- Tech support scam
EITest Campaign Uses Tech Support Scams to Deliver Coinhive’s Monero Miner
- Facebook Messenger
Digmine Cryptocurrency Miner Spreading via Facebook Messenger
- Chrome Web Store
Malicious Chrome Extensions Found in Chrome Web Store, Form Droidclub Botnet
- Google Play Store
Coin Miner Mobile Malware Returns, Hits Google Play
Monero-Mining HiddenMiner Android Malware Can Potentially Cause Device Failure
- Google DoubleClick Advertisements
Malvertising Campaign Abuses Google’s DoubleClick to Deliver Cryptocurrency Miners
- AOL Advertising Platform
Cryptocurrency Web Miner Script Injected into AOL Advertising Platform
- Pop-up Ads
Pop-up Ads and Over a Hundred Sites are Helping Distribute Botnets, Cryptocurrency Miners and Ransomware
- Google DoubleClick Advertisements
- PHP Weathermap
- Windows VBScript Engine
- Adobe Flash Player/Internet Explorer
- Oracle WebLogic
- Microtik Routers
With Trend Micro Intrusion Prevention, you can easily virtually patch and protect vulnerable systems from known, unknown, and zero-day vulnerabilities.
- Unsecure configuration
Tesla and Jenkins Servers Fall Victim to Cryptominers
Cryptocurrency mining requires Internet to communicate with the mining pool or the cryptocurrency network. As such, it should generate an identifiable network traffic that could signify a possible mining activity.
However, attackers can make use of secure communication channels such as SSH Tunnel or TOR network. In this case, further investigation is required to identify whether the network activity is normal or not. A server communicating with a TOR network should already be a subject for investigation.
Deploy solutions that are capable of detecting anomalies in the network. Trend Micro Deep Discovery Inspector provides 360 degrees of visibility by monitoring all network ports and over 105 different protocols.
Mining requires computing resources – CPU or GPU. This can make the computer run slower and consume more electricity. Performance monitoring is perhaps the easiest way to identify whether a computer is being cryptojacked. If a server normally running on 50% CPU suddenly jumps to 90% or above, it is safe to assume that it’s infected with a coinminer.
However, doing this in real-time over a large network is what makes it difficult. Additional software such as Nagios maybe required.
Coinminers come in different forms (web, local, fileless) and arrive in different ways. They can be unknowingly installed by the user or downloaded by other malware too. Like ransomware, there is no silver-bullet in protecting against coinminers. A combination of layered security and safe practices is a must. Learn how to prevent your computer from getting infected with coinminers: