Cryptocurrency miners: the latest tool for cyber criminals

Learn more about the new form of cyber crime that is being driven by cryptocurrency fever

Due to the growing popularity and market value (at the time of writing!) of cryptocurrencies, it is no surprise that there has been a surge in the number of malicious attacks using cryptominers.

In its latest report into Cybercrime tactics and techniques: 2017 state of malware', Malwarebytes claims to have blocked an average of 8 million drive-by mining attempts from websites and visitors all over the world.

Drive-by mining is a revival of an old concept of browser-based mining using JavaScript. A new venture called Coinhive revived this method late last year, providing a simple API for webmasters to add to their website, which would turn any visitor into a miner for the Monero digital currency.

Predictably, this technology was immediately abused by webmasters that ran it silently, therefore exploiting the visitor's CPU for their own gain. Eventually, criminals also took note and started compromising websites with cryptomining code. This means that the system resources of unsuspecting victims can be harnessed without authorisation in order to mine cryptocurrency.

The most popular currency for drive-by mining in 2017 is Monero, most likely due to the higher speed with which transactions are processed, even of small amounts. Criminals also benefit from the anonymity automatically incorporated into the Monero blockchain, and the fact that the mining algorithm doesn't favour specialised chips.

Popular attack methods

PUP wrappers: Several bundlers and PUP wrappers have been found to install miners, and they appear to be replacing adware as a payment method. IStartSurf, a PUP well known for its browser hijackers, has started to include miners in its silent installs.

Exploit kits and malvertising: The payload of the RIG exploit kit now includes cryptominers. Even the EternalBlue exploit (of WannaCry fame) was used to spread a miner that used Windows Management Instrumentation for a fileless, persistent infection.

Malicious spam: Cryptocurrencies are easy pickings for spammers. They often use Bitcoin value fluctuations as a means for phishing, while sending out cryptominers or installers for these miners as malspam.

Social engineering: This is an increasingly popular method of attack used for drive-by mining. Some campaigns are run by convincing people they need to install a new font, when in fact they are being served a cryptominer. Some miners are also being offered as cracked versions of popular software.

Bitcoin wallet theft: Banking Trojans have expanded their working field into stealing cryptocurrencies right out of people's virtual wallets. Coinbase is a cryptowallet that trades in several cryptocurrencies, including Bitcoin. A Trickbot variant was spotted that includes the Coinbase exchange to steal credentials from the sites it monitors.

Other Trojans have been spotted that steal cryptocurrencies on the fly, including one that monitors a user's clipboard. As soon as it spots the address of a cryptocurrency wallet on the clipboard, it replaces the address with that of the threat actor.

Attacks like this can be virtually impossible to detect, and few people would expect something they had just copied to change before being pasted into an address bar.

It is likely that as cryptocurrency fever continues, drive-by mining will evolve as new mining platforms are utilised - such as Android and IoT devices - and new forms of malware are developed to mine and steal cryptocurrency.

Picture: Shutterstock

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

What is a Trojan?
Security

What is a Trojan?

4 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021
Weekly threat roundup: SAP, Windows 10, Chrome
vulnerability

Weekly threat roundup: SAP, Windows 10, Chrome

21 Jan 2021
Biden nominees highlight tough cyber security challenges
cyber security

Biden nominees highlight tough cyber security challenges

20 Jan 2021

Most Popular

SolarWinds hackers hit Malwarebytes through Microsoft exploit
hacking

SolarWinds hackers hit Malwarebytes through Microsoft exploit

20 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

12 Jan 2021