Introduction
Cyber criminals tend to favor cryptocurrencies because they provide
a certain level of anonymity and can be easily monetized. This interest
has increased in recent years, stemming far beyond the desire to
simply use cryptocurrencies as a method of payment for illicit tools
and services. Many actors have also attempted to capitalize on the
growing popularity of cryptocurrencies, and subsequent rising price,
by conducting various operations aimed at them. These operations
include malicious cryptocurrency mining (also referred to as
cryptojacking), the collection of cryptocurrency wallet credentials,
extortion activity, and the targeting of cryptocurrency exchanges.
This blog post discusses the various trends that we have been
observing related to cryptojacking activity, including cryptojacking
modules being added to popular malware families, an increase in
drive-by cryptomining attacks, the use of mobile apps containing
cryptojacking code, cryptojacking as a threat to critical
infrastructure, and observed distribution mechanisms.
What Is Mining?
As transactions occur on a blockchain, those transactions must be
validated and propagated across the network. As computers connected to
the blockchain network (aka nodes) validate and propagate the
transactions across the network, the miners include those transactions
into "blocks" so that they can be added onto the chain. Each
block is cryptographically hashed, and must include the hash of the
previous block, thus forming the "chain" in blockchain. In
order for miners to compute the complex hashing of each valid block,
they must use a machine's computational resources. The more blocks
that are mined, the more resource-intensive solving the hash becomes.
To overcome this, and accelerate the mining process, many miners will
join collections of computers called "pools" that work
together to calculate the block hashes. The more computational
resources a pool harnesses, the greater the pool's chance of mining a
new block. When a new block is mined, the pool's participants are
rewarded with coins. Figure 1 illustrates the roles miners play in the
blockchain network.
Figure 1: The role of miners
Underground Interest
FireEye iSIGHT Intelligence has identified eCrime actor interest in
cryptocurrency mining-related topics dating back to at least 2009
within underground communities. Keywords that yielded significant
volumes include miner, cryptonight, stratum, xmrig, and cpuminer.
While searches for certain keywords fail to provide context, the
frequency of these cryptocurrency mining-related keywords shows a
sharp increase in conversations beginning in 2017 (Figure 2). It is
probable that at least a subset of actors prefer cryptojacking over
other types of financially motivated operations due to the perception
that it does not attract as much attention from law enforcement.
Figure 2: Underground keyword mentions
Monero Is King
The majority of recent cryptojacking operations have overwhelmingly
focused on mining Monero, an open-source cryptocurrency based on the
CryptoNote protocol, as a fork of Bytecoin. Unlike many
cryptocurrencies, Monero uses a unique technology called "ring
signatures," which shuffles users' public keys to eliminate the
possibility of identifying a particular user, ensuring it is
untraceable. Monero also employs a protocol that generates multiple,
unique single-use addresses that can only be associated with the
payment recipient and are unfeasible to be revealed through blockchain
analysis, ensuring that Monero transactions are unable to be linked
while also being cryptographically secure.
The Monero blockchain also uses what's called a
"memory-hard" hashing algorithm called CryptoNight and,
unlike Bitcoin's SHA-256 algorithm, it deters application-specific
integrated circuit (ASIC) chip mining. This feature is critical to the
Monero developers and allows for CPU mining to remain feasible and
profitable. Due to these inherent privacy-focused features and
CPU-mining profitability, Monero has become an attractive option for
cyber criminals.
Underground Advertisements for Miners
Because most miner utilities are small, open-sourced tools, many
criminals rely on crypters. Crypters are tools that employ encryption,
obfuscation, and code manipulation techniques to keep their tools and
malware fully undetectable (FUD). Table 1 highlights some of the most
commonly repurposed Monero miner utilities.
XMR Mining Utilities |
XMR-STACK |
MINERGATE |
XMRMINER |
CCMINER |
XMRIG |
CLAYMORE |
SGMINER |
CAST XMR |
LUKMINER |
CPUMINER-MULTI |
Table 1: Commonly used Monero miner utilities
The following are sample advertisements for miner utilities commonly
observed in underground forums and markets. Advertisements typically
range from stand-alone miner utilities to those bundled with other
functions, such as credential harvesters, remote administration tool
(RAT) behavior, USB spreaders, and distributed denial-of-service
(DDoS) capabilities.
Sample Advertisement #1 (Smart Miner + Builder)
In early April 2018, actor "Mon£y" was observed by FireEye
iSIGHT Intelligence selling a Monero miner for $80 USD – payable via
Bitcoin, Bitcoin Cash, Ether, Litecoin, or Monero – that included
unlimited builds, free automatic updates, and 24/7 support. The tool,
dubbed Monero Madness (Figure 3), featured a setting called Madness
Mode that configures the miner to only run when the infected machine
is idle for at least 60 seconds. This allows the miner to work at its
full potential without running the risk of being identified by the
user. According to the actor, Monero Madness also provides the
following features:
- Unlimited builds
- Builder GUI (Figure 4)
- Written in AutoIT (no
dependencies)
- FUD
- Safer error handling
- Uses
most recent XMRig code
- Customizable pool/port
- Packed with UPX
- Works on all Windows OS (32- and
64-bit)
- Madness Mode option
Figure 3: Monero Madness
Figure 4: Monero Madness builder
Sample Advertisement #2 (Miner + Telegram Bot Builder)
In March 2018, FireEye iSIGHT Intelligence observed actor
"kent9876" advertising a Monero cryptocurrency miner called
Goldig Miner (Figure 5). The actor requested payment of $23 USD for
either CPU or GPU build or $50 USD for both. Payments could be made
with Bitcoin, Ether, Litecoin, Dash, or PayPal. The miner ostensibly
offers the following features:
- Written in C/C++
- Build size is small (about 100–150 kB)
- Hides miner
process from popular task managers
- Can run without
Administrator privileges (user-mode)
- Auto-update
ability
- All data encoded with 256-bit key
- Access to
Telegram bot-builder
- Lifetime support (24/7) via
Telegram
Figure 5: Goldig Miner advertisement
Sample Advertisement #3 (Miner + Credential Stealer)
In March 2018, FireEye iSIGHT Intelligence observed actor
"TH3FR3D" offering a tool dubbed Felix (Figure 6) that
combines a cryptocurrency miner and credential stealer. The actor
requested payment of $50 USD payable via Bitcoin or Ether. According
to the advertisement, the Felix tool boasted the following features:
- Written in C# (Version
1.0.1.0)
- Browser stealer for all major browsers (cookies,
saved passwords, auto-fill)
- Monero miner (uses
minergate.com pool by default, but can be configured)
- Filezilla stealer
- Desktop file grabber (.txt and
more)
- Can download and execute files
- Update
ability
- USB spreader functionality
- PHP web
panel
Figure 6: Felix HTTP
Sample Advertisement #4 (Miner + RAT)
In January 2018, FireEye iSIGHT Intelligence observed actor
"ups" selling a miner for any Cryptonight-based
cryptocurrency (e.g., Monero and Dashcoin) for either Linux or Windows
operating systems. In addition to being a miner, the tool allegedly
provides local privilege escalation through the CVE-2016-0099
exploit, can download and execute remote files, and receive commands.
Buyers could purchase the Windows or Linux tool for €200 EUR, or €325
EUR for both the Linux and Windows builds, payable via Monero,
bitcoin, ether, or dash. According to the actor, the tool offered the following:
Windows Build Specifics
- Written in C++ (no
dependencies)
- Miner component based on XMRig
- Easy
cryptor and VPS hosting options
- Web panel (Figure 7)
- Uses TLS for secured communication
- Download and
execute
- Auto-update ability
- Cleanup routine
- Receive remote commands
- Perform privilege
escalation
- Features "game mode" (mining stops if
user plays game)
- Proxy feature (based on XMRig)
- Support (for €20/month)
- Kills other miners from
list
- Hidden from TaskManager
- Configurable pool,
coin, and wallet (via panel)
- Can mine the following
Cryptonight-based coins:
- Monero
- Bytecoin
- Electroneum
- DigitalNote
- Karbowanec
- Sumokoin
- Fantomcoin
- Dinastycoin
- Dashcoin
- LeviarCoin
- BipCoin
- QuazarCoin
- Bitcedi
Linux Build Specifics
- Issues running on Linux
servers (higher performance on desktop OS)
- Compatible with
AMD64 processors on Ubuntu, Debian, Mint (support for CentOS
later)
Figure 7: Miner bot web panel
Sample Advertisement #5 (Miner + USB Spreader + DDoS Tool)
In August 2017, actor "MeatyBanana" was observed by
FireEye iSIGHT Intelligence selling a Monero miner utility that
included the ability to download and execute files and perform DDoS
attacks. The actor offered the software for $30 USD, payable via
Bitcoin. Ostensibly, the tool works with CPUs only and offers the
following features:
- Configurable miner pool
and port (default to minergate)
- Compatible with both 64-
and 86-bit Windows OS
- Hides from the following popular task
managers:
- Windows Task Manager
- Process Killer
- KillProcess
- System Explorer
- Process
Explorer
- AnVir
- Process Hacker
- Masked as a
system driver
- Does not require administrator
privileges
- No dependencies
- Registry persistence
mechanism
- Ability to perform "tasks" (download and
execute files, navigate to a site, and perform DDoS)
- USB
spreader
- Support after purchase
The Cost of Cryptojacking
The presence of mining software on a network can generate costs on
three fronts as the miner surreptitiously allocates resources:
- Degradation in system
performance
- Increased cost in electricity
- Potential
exposure of security holes
Cryptojacking targets computer processing power, which can lead to
high CPU load and degraded performance. In extreme cases, CPU overload
may even cause the operating system to crash. Infected machines may
also attempt to infect neighboring machines and therefore generate
large amounts of traffic that can overload victims' computer networks.
In the case of operational technology (OT) networks, the
consequences could be severe. Supervisory control and data
acquisition/industrial control systems (SCADA/ICS) environments
predominately rely on decades-old hardware and low-bandwidth networks,
therefore even a slight increase in CPU load or the network could
leave industrial infrastructures unresponsive, impeding operators from
interacting with the controlled process in real-time.
The electricity cost, measured in kilowatt hour (kWh), is dependent
upon several factors: how often the malicious miner software is
configured to run, how many threads it's configured to use while
running, and the number of machines mining on the victim's network.
The cost per kWh is also highly variable and depends on geolocation.
For example, security researchers who ran Coinhive on a machine for 24
hours found that the electrical consumption was 1.212kWh. They
estimated that this equated to electrical costs per month of $10.50
USD in the United States, $5.45 USD in Singapore, and $12.30 USD in Germany.
Cryptojacking can also highlight often overlooked security holes in
a company's network. Organizations infected with cryptomining malware
are also likely vulnerable to more severe exploits and attacks,
ranging from ransomware to ICS-specific malware such as TRITON.
Cryptocurrency Miner Distribution Techniques
In order to maximize profits, cyber criminals widely disseminate
their miners using various techniques such as incorporating
cryptojacking modules into existing botnets, drive-by cryptomining
attacks, the use of mobile apps containing cryptojacking code, and
distributing cryptojacking utilities via spam and self-propagating
utilities. Threat actors can use cryptojacking to affect numerous
devices and secretly siphon their computing power. Some of the most
commonly observed devices targeted by these cryptojacking schemes are:
- User endpoint
machines
- Enterprise servers
- Websites
- Mobile
devices
- Industrial control systems
Cryptojacking in the Cloud
Private sector companies and governments alike are increasingly moving
their data and applications to the cloud, and cyber threat
groups have been moving with them. Recently, there have been various
reports of actors conducting cryptocurrency mining operations
specifically targeting cloud infrastructure. Cloud infrastructure is
increasingly a target for cryptojacking operations because it offers
actors an attack surface with large amounts of processing power in an
environment where CPU usage and electricity costs are already expected
to be high, thus allowing their operations to potentially go
unnoticed. We assess with high confidence that threat actors will
continue to target enterprise cloud networks in efforts to harness
their collective computational resources for the foreseeable future.
The following are some real-world examples of cryptojacking in the cloud:
- In February 2018, FireEye
researchers published a blog detailing various techniques actors
used in order to deliver malicious miner payloads (specifically to
vulnerable Oracle servers) by abusing CVE-2017-10271. Refer to our
blog post for more detailed information regarding the post-exploitation
and pre-mining dissemination techniques used in those
campaigns.
- In March 2018, Bleeping
Computer reported on the trend of cryptocurrency mining
campaigns moving to the cloud via vulnerable Docker and Kubernetes
applications, which are two software tools used by developers to
help scale a company's cloud infrastructure. In most cases,
successful attacks occur due to misconfigured applications and/or
weak security controls and passwords.
- In February 2018, Bleeping
Computer also reported on hackers who breached Tesla's cloud
servers to mine Monero. Attackers identified a Kubernetes console
that was not password protected, allowing them to discover login
credentials for the broader Tesla Amazon Web services (AWS) S3 cloud
environment. Once the attackers gained access to the AWS environment
via the harvested credentials, they effectively launched their
cryptojacking operations.
- Reports of cryptojacking activity
due to misconfigured AWS S3 cloud storage buckets have also been
observed, as was the case in the LA
Times online compromise in February 2018. The presence of
vulnerable AWS S3 buckets allows anyone on the internet to access
and change hosted content, including the ability to inject mining
scripts or other malicious software.
Incorporation of Cryptojacking into Existing Botnets
FireEye iSIGHT Intelligence has observed multiple prominent botnets
such as Dridex and Trickbot incorporate cryptocurrency mining into
their existing operations. Many of these families are modular in
nature and have the ability to download and execute remote files, thus
allowing the operators to easily turn their infections into
cryptojacking bots. While these operations have traditionally been
aimed at credential theft (particularly of banking credentials),
adding mining modules or downloading secondary mining payloads
provides the operators another avenue to generate additional revenue
with little effort. This is especially true in cases where the victims
were deemed unprofitable or have already been exploited in the
original scheme.
The following are some real-world examples of cryptojacking being
incorporated into existing botnets:
- In early February 2018,
FireEye iSIGHT Intelligence observed Dridex botnet ID 2040 download
a Monero cryptocurrency miner based on the open-source XMRig
miner.
- On Feb. 12, 2018, FireEye iSIGHT Intelligence observed
the banking malware IcedID injecting Monero-mining JavaScript into
webpages for specific, targeted URLs. The IcedID injects launched an
anonymous miner using the mining code from Coinhive's
AuthedMine.
- In late 2017, Bleeping
Computer reported that security researchers with Radware
observed the hacking group CodeFork leveraging the popular
downloader Andromeda (aka Gamarue) to distribute a miner module to
their existing botnets.
- In late 2017, FireEye researchers
observed Trickbot operators deploy a new module named
"testWormDLL" that is a statically compiled copy of the
popular XMRig Monero miner.
- On Aug. 29, 2017, Security
Week reported on a variant of the popular Neutrino banking
Trojan, including a Monero miner module. According to their
reporting, the new variant no longer aims at stealing bank card
data, but instead is limited to downloading and executing modules
from a remote server.
Drive-By Cryptojacking
In-Browser
FireEye iSIGHT Intelligence has examined various customer reports of
browser-based cryptocurrency mining. Browser-based mining scripts have
been observed on compromised websites, third-party advertising
platforms, and have been legitimately placed on websites by
publishers. While coin mining scripts can be embedded directly into a
webpage's source code, they are frequently loaded from third-party
websites. Identifying and detecting websites that have embedded coin
mining code can be difficult since not all coin mining scripts are
authorized by website publishers, such as in the case of a compromised
website. Further, in cases where coin mining scripts were authorized
by a website owner, they are not always clearly communicated to site
visitors. At the time of reporting, the most popular script being
deployed in the wild is Coinhive. Coinhive is an open-source
JavaScript library that, when loaded on a vulnerable website, can mine
Monero using the site visitor's CPU resources, unbeknownst to the
user, as they browse the site.
The following are some real-world examples of Coinhive being
deployed in the wild:
- In September 2017, Bleeping
Computer reported that the authors of SafeBrowse, a Chrome
extension with more than 140,000 users, had embedded the Coinhive
script in the extension's code that allowed for the mining of Monero
using users' computers and without getting their consent.
- During mid-September 2017, users
on Reddit began complaining about increased CPU usage when
they navigated to a popular torrent site, The Pirate Bay (TPB). The
spike in CPU usage was a result of Coinhive's script being embedded
within the site's footer. According to TPB operators, it was
implemented as a test to generate passive revenue for the site
(Figure 8).
- In December 2017, researchers with Sucuri
reported on the presence of the Coinhive script being hosted on
GitHub.io, which allows users to publish web pages directly from
GitHub repositories.
- Other reporting disclosed the Coinhive
script being embedded on the Showtime
domain as well as on the LA
Times website, both surreptitiously mining Monero.
- A
majority of in-browser cryptojacking activity is transitory in
nature and will last only as long as the user’s web browser is open.
However, researchers
with Malwarebytes Labs uncovered a technique that allows for
continued mining activity even after the browser window is closed.
The technique leverages a pop-under window surreptitiously hidden
under the taskbar. As researchers pointed out, closing the browser
window may not be enough to interrupt the activity, and that more
advanced actions like running the Task Manager may be required.
Figure 8: Statement from TPB operators on
Coinhive script
Malvertising and Exploit Kits
Malvertisements – malicious ads on legitimate websites – commonly
redirect visitors of a site to an exploit kit landing page. These
landing pages are designed to scan a system for vulnerabilities,
exploit those vulnerabilities, and download and execute malicious code
onto the system. Notably, the malicious advertisements can be placed
on legitimate sites and visitors can become infected with little to no
user interaction. This distribution tactic is commonly used by threat
actors to widely distribute malware and has been employed in various
cryptocurrency mining operations.
The following are some real-world examples of this activity:
- In early 2018, researchers
with Trend Micro reported that a modified miner script was
being disseminated across YouTube via Google's DoubleClick ad
delivery platform. The script was configured to generate a random
number variable between 1 and 100, and when the variable was above
10 it would launch the Coinhive script coinhive.min.js, which
harnessed 80 percent of the CPU power to mine Monero. When the
variable was below 10 it launched a modified Coinhive script that
was also configured to harness 80 percent CPU power to mine Monero.
This custom miner connected to the mining pool
wss[:]//ws[.]l33tsite[.]info:8443, which was likely done to avoid
Coinhive's fees.
- In April 2018, researchers with Trend
Micro also discovered a JavaScript code based on Coinhive
injected into an AOL ad platform. The miner used the following
private mining pools: wss[:]//wsX[.]www.datasecu[.]download/proxy
and wss[:]//www[.]jqcdn[.]download:8893/proxy. Examination of other
sites compromised by this campaign showed that in at least some
cases the operators were hosting malicious content on unsecured AWS
S3 buckets.
- Since July 16, 2017, FireEye
has observed the Neptune Exploit Kit redirect to ads for
hiking clubs and MP3 converter domains. Payloads associated with the
latter include Monero CPU miners that are surreptitiously installed
on victims' computers.
- In January 2018, Check
Point researchers discovered a malvertising campaign leading
to the Rig Exploit Kit, which served the XMRig Monero miner utility
to unsuspecting victims.
Mobile Cryptojacking
In addition to targeting enterprise servers and user machines,
threat actors have also targeted mobile devices for cryptojacking
operations. While this technique is less common, likely due to the
limited processing power afforded by mobile devices, cryptojacking on
mobile devices remains a threat as sustained power consumption can
damage the device and dramatically shorten the battery life. Threat
actors have been observed targeting mobile devices by hosting
malicious cryptojacking apps on popular app stores and through
drive-by malvertising campaigns that identify users of mobile browsers.
The following are some real-world examples of mobile devices being
used for cryptojacking:
- During 2014, FireEye
iSIGHT Intelligence reported on multiple Android malware apps
capable of mining cryptocurrency:
- In March 2014, Android
malware named "CoinKrypt" was discovered, which mined
Litecoin, Dogecoin, and CasinoCoin currencies.
- In March
2014, another form of Android malware –
"Android.Trojan.MuchSad.A" or
"ANDROIDOS_KAGECOIN.HBT" – was observed mining
Bitcoin, Litecoin, and Dogecoin currencies. The malware was
disguised as copies of popular applications, including
"Football Manager Handheld" and "TuneIn
Radio." Variants of this malware have reportedly been
downloaded by millions of Google Play users.
- In April
2014, Android malware named "BadLepricon," which mined
Bitcoin, was identified. The malware was reportedly being
bundled into wallpaper applications hosted on the Google Play
store, at least several of which received 100 to 500
installations before being removed.
- In October 2014, a
type of mobile malware called "Android Slave" was
observed in China; the malware was reportedly capable of mining
multiple virtual currencies.
- In December
2017, researchers
with Kaspersky Labs reported on a new multi-faceted Android
malware capable of a variety of actions including mining
cryptocurrencies and launching DDoS attacks. The resource load
created by the malware has reportedly been high enough that it can
cause the battery to bulge and physically destroy the device. The
malware, dubbed Loapi, is unique in the breadth of its potential
actions. It has a modular framework that includes modules for
malicious advertising, texting, web crawling, Monero mining, and
other activities. Loapi is thought to be the work of the same
developers behind the 2015 Android malware Podec, and is usually
disguised as an anti-virus app.
- In January 2018, SophosLabs
released a report detailing their discovery of 19 mobile apps
hosted on Google Play that contained embedded Coinhive-based
cryptojacking code, some of which were downloaded anywhere from
100,000 to 500,000 times.
- Between November 2017 and January
2018, researchers
with Malwarebytes Labs reported on a drive-by cryptojacking
campaign that affected millions of Android mobile browsers to mine
Monero.
Cryptojacking Spam Campaigns
FireEye iSIGHT Intelligence has observed several cryptocurrency
miners distributed via spam campaigns, which is a commonly used tactic
to indiscriminately distribute malware. We expect malicious actors
will continue to use this method to disseminate cryptojacking code as
for long as cryptocurrency mining remains profitable.
In late November 2017, FireEye researchers identified a spam
campaign delivering a malicious PDF attachment designed to appear as a
legitimate invoice from the largest port and container service in New
Zealand: Lyttelton Port of Chistchurch (Figure 9). Once opened, the
PDF would launch a PowerShell script that downloaded a Monero miner
from a remote host. The malicious miner connected to the pools
supportxmr.com and nanopool.org.
Figure 9: Sample lure attachment (PDF)
that downloads malicious cryptocurrency miner
Additionally, a massive cryptojacking spam campaign was discovered
by FireEye researchers during January 2018 that was designed to look
like legitimate financial services-related emails. The spam email
directed victims to an infection link that ultimately dropped a
malicious ZIP file onto the victim's machine. Contained within the ZIP
file was a cryptocurrency miner utility (MD5:
80b8a2d705d5b21718a6e6efe531d493) configured to mine Monero and
connect to the minergate.com pool. While each of the spam email lures
and associated ZIP filenames were different, the same cryptocurrency
miner sample was dropped across all observed instances (Table 2).
ZIP Filenames |
california_540_tax_form_2013_instructions.exe
state_bank_of_india_money_transfer_agency.exe
format_transfer_sms_banking_bni_ke_bca.exe
confirmation_receipt_letter_sample.exe
sbi_online_apply_2015_po.exe
estimated_tax_payment_coupon_irs.exe
how_to_add_a_non_us_bank_account_to_paypal.exe
western_union_money_transfer_from_uk_to_bangladesh.exe
can_i_transfer_money_from_bank_of_ireland_to_aib_online.exe
how_to_open_a_business_bank_account_with_bad_credit_history.exe
apply_for_sbi_credit_card_online.exe
list_of_lucky_winners_in_dda_housing_scheme_2014.exe
|
Table 2: Sampling of observed ZIP filenames
delivering cryptocurrency miner
Cryptojacking Worms
Following the WannaCry attacks, actors began to increasingly
incorporate self-propagating functionality within their malware. Some
of the observed self-spreading techniques have included copying to
removable drives, brute forcing SSH logins, and leveraging the leaked
NSA exploit EternalBlue.
Cryptocurrency mining operations significantly benefit from this
functionality since wider distribution of the malware multiplies the
amount of CPU resources available to them for mining. Consequently, we
expect that additional actors will continue to develop this capability.
The following are some real-world examples of cryptojacking worms:
- In May 2017, Proofpoint
reported a large campaign distributing mining malware
"Adylkuzz." This cryptocurrency miner was observed
leveraging the EternalBlue exploit to rapidly spread itself over
corporate LANs and wireless networks. This activity included the use
of the DoublePulsar backdoor to download Adylkuzz. Adylkuzz
infections create botnets of Windows computers that focus on mining
Monero.
- Security researchers with Sensors
identified a Monero miner worm, dubbed "Rarogminer,"
in April 2018 that would copy itself to removable drives each time a
user inserted a flash drive or external HDD.
- In January
2018, researchers
at F5 discovered a new Monero cryptomining botnet that targets
Linux machines. PyCryptoMiner is based on Python script and spreads
via the SSH protocol. The bot can also use Pastebin for its command
and control (C2) infrastructure. The malware spreads by trying to
guess the SSH login credentials of target Linux systems. Once that
is achieved, the bot deploys a simple base64-encoded Python script
that connects to the C2 server to download and execute more
malicious Python code.
Detection Avoidance Methods
Another trend worth noting is the use of proxies to avoid detection.
The implementation of mining proxies presents an attractive option for
cyber criminals because it allows them to avoid developer and
commission fees of 30 percent or more. Avoiding the use of common
cryptojacking services such as Coinhive, Cryptloot, and Deepminer, and
instead hosting cryptojacking scripts on actor-controlled
infrastructure, can circumvent many of the common strategies taken to
block this activity via domain or file name blacklisting.
In March 2018, Bleeping
Computer reported on the use of cryptojacking proxy servers and
determined that as the use of cryptojacking proxy services increases,
the effectiveness of ad blockers and browser extensions that rely on
blacklists decreases significantly.
Several mining proxy tools can be found on GitHub, such as the XMRig Proxy tool,
which greatly reduces the number of active pool connections, and the
CoinHive
Stratum Mining Proxy, which uses Coinhive’s JavaScript mining
library to provide an alternative to using official Coinhive scripts
and infrastructure.
In addition to using proxies, actors may also establish their own
self-hosted miner apps, either on private servers or cloud-based
servers that supports Node.js. Although private servers may provide
some benefit over using a commercial mining service, they are still
subject to easy blacklisting and require more operational effort to
maintain. According to Sucuri
researchers, cloud-based servers provide many benefits to actors
looking to host their own mining applications, including:
- Available free or at
low-cost
- No maintenance, just upload the crypto-miner
app
- Harder to block as blacklisting the host address could
potentially impact access to legitimate services
- Resilient
to permanent takedown as new hosting accounts can more easily be
created using disposable accounts
The combination of proxies and crypto-miners hosted on
actor-controlled cloud infrastructure presents a significant hurdle to
security professionals, as both make cryptojacking operations more
difficult to detect and take down.
Mining Victim Demographics
Based on data from FireEye detection technologies, the detection of
cryptocurrency miner malware has increased significantly since the
beginning of 2018 (Figure 10), with the most popular mining pools
being minergate and nanopool (Figure 11), and the most heavily
affected country being the U.S. (Figure 12). Consistent with other
reporting, the education sector remains most affected, likely due
to more relaxed security controls across university networks and
students taking advantage of free electricity to mine cryptocurrencies
(Figure 13).
Figure 10: Cryptocurrency miner detection
activity per month
Figure 11: Commonly observed pools and
associated ports
Figure 12: Top 10 affected countries
Figure 13: Top five affected industries
Figure 14: Top affected industries by country
Mitigation Techniques
Unencrypted Stratum Sessions
According to security researchers at Cato Networks, in order for a
miner to participate in pool mining, the infected machine will have to
run native or JavaScript-based code that uses the Stratum protocol
over TCP or HTTP/S. The Stratum protocol uses a publish/subscribe
architecture where clients will send subscription requests to join a
pool and servers will send messages (publish) to its subscribed
clients. These messages are simple, readable, JSON-RPC messages.
Subscription requests will include the following entities: id, method,
and params (Figure 15). A deep packet inspection (DPI) engine can be
configured to look for these parameters in order to block Stratum over
unencrypted TCP.
Figure 15: Stratum subscription request parameters
Encrypted Stratum Sessions
In the case of JavaScript-based miners running Stratum over HTTPS,
detection is more difficult for DPI engines that do not decrypt TLS
traffic. To mitigate encrypted mining traffic on a network,
organizations may blacklist the IP addresses and domains of popular
mining pools. However, the downside to this is identifying and
updating the blacklist, as locating a reliable and continually updated
list of popular mining pools can prove difficult and time consuming.
Browser-Based Sessions
Identifying and detecting websites that have embedded coin mining
code can be difficult since not all coin mining scripts are authorized
by website publishers (as in the case of a compromised website).
Further, in cases where coin mining scripts were authorized by a
website owner, they are not always clearly communicated to site visitors.
As defenses evolve to prevent unauthorized coin mining activities,
so will the techniques used by actors; however, blocking some of the
most common indicators that we have observed to date may be effective
in combatting a significant amount of the CPU-draining mining
activities that customers have reported. Generic detection strategies
for browser-based cryptocurrency mining include:
- Blocking domains known to
have hosted coin mining scripts
- Blocking websites of known
mining project websites, such as Coinhive
- Blocking scripts
altogether
- Using an ad-blocker or coin mining-specific
browser add-ons
- Detecting commonly used naming
conventions
- Alerting and blocking traffic destined for known
popular mining pools
Some of these detection strategies may also be of use in blocking
some mining functionality included in existing financial malware as
well as mining-specific malware families.
It is important to note that JavaScript used in browser-based
cryptojacking activity cannot access files on disk. However, if a host
has inadvertently navigated to a website hosting mining scripts, we
recommend purging cache and other browser data.
Outlook
In underground communities and marketplaces there has been
significant interest in cryptojacking operations, and numerous
campaigns have been observed and reported by security researchers.
These developments demonstrate the continued upward trend of threat
actors conducting cryptocurrency mining operations, which we expect to
see a continued focus on throughout 2018. Notably, malicious
cryptocurrency mining may be seen as preferable due to the perception
that it does not attract as much attention from law enforcement as
compared to other forms of fraud or theft. Further, victims may not
realize their computer is infected beyond a slowdown in system performance.
Due to its inherent privacy-focused features and CPU-mining
profitability, Monero has become one of the most attractive
cryptocurrency options for cyber criminals. We believe that it will
continue to be threat actors' primary cryptocurrency of choice, so
long as the Monero blockchain maintains privacy-focused standards and
is ASIC-resistant. If in the future the Monero protocol ever
downgrades its security and privacy-focused features, then we assess
with high confidence that threat actors will move to use another
privacy-focused coin as an alternative.
Because of the anonymity associated with the Monero cryptocurrency
and electronic wallets, as well as the availability of numerous
cryptocurrency exchanges and tumblers, attribution of malicious
cryptocurrency mining is very challenging for authorities, and
malicious actors behind such operations typically remain unidentified.
Threat actors will undoubtedly continue to demonstrate high interest
in malicious cryptomining so long as it remains profitable and
relatively low risk.