To maximize their profits, hackers are leveraging the computing power of as many devices as they possibly can.
However, they must find ways to deliver the malicious crypto-miners on a large enough scale for it to be profitable.
While the infamous WannaCry ransomware was publicized for taking advantage of the leaked DoublePulsar and EternalBlue exploits, two separate groups used those very same vulnerabilities to infect thousands of Windows servers with a cryptocurrency miner, generating millions of dollars in profit.
Figure 1: Worm scanning random IP addresses on port 445
Other vulnerabilities like a flaw with Oracle’s WebLogic Server (CVE-2017-10271) were also used to deliver crypto-miners onto servers at universities.
While Oracle released a patch in October of last year, many folks did not apply it quickly, and a PoC only facilitated the abuse.
As it happens, servers are a favorite with cyber criminals since they offer the most bang, or rather the highest hash rate, to solve the mathematical operations required by cryptomining.
Fairly recently we have seen folks who for better or worse took this to the next level – by using supercomputers in a multitude of critical infrastructure environments.
Exploit kits & Spam Campaigns
Even malware authors have the cryptocurrency fever.
Existing malware families such as Trickbot – which is distributed via malicious spam attachments – temporarily added in a coin miner module.
Trickbot creators had already expanded their banking Trojan virus to steal credentials from Coinbase users as they logged into their online wallets.
The modular nature of said malware is making it easier for them to experiment with new ideas to make money.
Figure 2: Document containing a macro that downloads TrickBot malware
Exploit kits and RIG EK in particular have been distributing miners typically via the intermediary of the SmokeLoader malware.
As a matter of fact, cryptominers are one of the most commonly served payloads now in these drive-by download attacks.
Figure 3: An iframe redirection to RIG EK followed by a crypto-coin miner infection
Mac & Mobile Crypto-miners
Mobile users aren’t immune to crypto-mining either, as Trojanized applications that are laced with mining code are also becoming commonplace, particularly for the Android platform.
Similar to Windows malware, these malicious APKs tend to have modules for very specific functionalities, such as SMS text spam and crypto-miners.
Figure 4: The source code for the crypto-mining feature within an Android APK
Legitimate mining pools such as Minergate are usually used by said Android miners and the same goes for Mac cryptominers.
The typical advice on sticking to official websites to download apps applies but is not always enough particularly when trusted apps get hacked.
~/Library/Apple/Dock -user email@example.com@gmail.com -xmr
Figure 5: A malicious Mac app launching a Monero miner
New Frontier: Drive-by Cryptomining
In September of last year, an unknown entity called Coinhive launched a new service that was about to wreak havoc on the web as it introduced an API to mine the Monero cryptocurrency directly within the browser.
While in-browser crypto-miners have surged in part because of Coinhive’s popularity, they had already been tried and tested a few years ago, mostly as proofs of concept (PoC) that didn’t develop much further than that.
However, there is the legal precedent of a group of students at MIT who were sued by the state of New Jersey for their coin mining foray, named Tidbit, which was proposed as an alternative to traditional “display” advertising.
Not Opt-in By Default
Within only a few weeks the Coinhive API was abused in “drive-by” cryptomining attacks.
Like drive-by downloads, drive-by mining is a silent and automated procedure. The platform agnostic technique essentially forces visitors to a website to mine for cryptocurrency.
Coinhive later introduced a new API (AuthedMine) that specifically requires user input for any mining activity to be allowed.
The idea was that website owners would use this more “moral” API instead so that their visitors can knowingly opt-in before engaging in cryptomining.
This was also an argument that Coinhive put forth to defend its stance against ad blockers as well as antivirus software.
While only Coinhive would have accurate stats, according to our own forensics the opt-in version of their API was hardly used (50K/day) in contrast to the silent code (4M/day), as pictured in the figures below for the period of January 11 to February 7.
Figure 6: Usage stats for the opt-in version of Coinhive.
Figure 7: Usage stats for the silent version of Coinhive.
Further, websites that do use the opt-in option may still be slowing machines by running an unthrottled miner.
Several copycats emerged in the wake of Coinhive’s standout success.
According to third party statistics, coin-have[.]com is the 2nd most popular service, which is then followed by crypto-loot[.]com.
While Coinhive itself takes a thirty percent commission on all mining proceeds, Coin Have advertises the lowest commission rates in the market at twenty percent. CryptoLoot itself claims to pay out nearly ninety percent of mined commissions.
In addition to larger payouts, other luring features offered by newcomers are low payment thresholds as well as the ability to bypass ad blockers, which are often viewed as their number one enemy.
Figure 8: Two of the most popular Coinhive copycats released.
Browsers Get Abused
Drive-by cryptomining doesn’t require infecting a machine, actually. This is both a strength as well as a weakness in that it can reach a much wider audience but is also more transient in nature.
For instance, if a computer user navigates away from the website they are on or, let's say, closes the offending tab, the mining activity will stop, which is a major drawback.
However, we at CryptoBuzz News Network noticed that some crypto-miners have developed sneaky ways of making drive-by mining persistent, thanks in part to pop-unders, a practice that is well-known in the advertisement fraud business.
The malicious pop-under tab containing the crypto-mining code would get placed directly underneath the taskbar, making it virtually invisible to the end user.
Thanks to this clever trick, the cryptocurrency mining can last until the user actually restarts their computer.
Another way to mine for extended periods of time is by using a booby-trapped web browser extension that will inject malicious code into each web session.
| payload =
  - [ ExportSection
    | count = 27
    | entries =
      - [ ExportEntry
        | field_len = 9
        | field_str = "stackSave"
        | kind = 0x0
        | index = 71
      - [ ExportEntry
        | field_len = 17
        | field_str = "_cryptonight_hash"
        | kind = 0x0
        | index = 70
Figure 9: A code snippet from a WebAssembly module which was designed for mining Monero.
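The export list shown in Figure 9 can be recovered from any WebAssembly binary by walking its sections. The following is an added example (not code from the original article) that parses the export section and flags names on a watchlist; the watchlist, the function names and the sample bytes are assumptions constructed for illustration.

```javascript
const KINDS = ['func', 'table', 'memory', 'global']; // export kind byte -> name
const WATCHLIST = [/cryptonight/i]; // assumed list; name taken from the dump above

// Decode an unsigned LEB128 integer (at most 5 bytes for a u32) at `pos`.
function readVarUint(bytes, pos) {
  let value = 0;
  for (let shift = 0; shift < 35; shift += 7) {
    if (pos >= bytes.length) throw new RangeError('truncated LEB128');
    const b = bytes[pos++];
    value += (b & 0x7f) * 2 ** shift;
    if ((b & 0x80) === 0) return { value, pos };
  }
  throw new RangeError('LEB128 longer than 5 bytes');
}

// Walk every section and decode the entries of the export section (id 7).
function listExports(bytes) {
  if (bytes.length < 8 || String.fromCharCode(...bytes.subarray(0, 4)) !== '\0asm')
    throw new Error('not a WebAssembly module');
  const found = [];
  let pos = 8; // skip the 4-byte magic and 4-byte version
  while (pos < bytes.length) {
    const size = readVarUint(bytes, pos + 1); // section id byte sits at `pos`
    const end = size.pos + size.value;
    if (end > bytes.length) throw new RangeError('section overruns file');
    if (bytes[pos] === 7) {
      let cur = readVarUint(bytes, size.pos); // entry count
      for (let n = cur.value; n > 0; n--) {
        const len = readVarUint(bytes, cur.pos);
        const nameEnd = len.pos + len.value;
        if (nameEnd + 2 > end) throw new RangeError('export entry overruns section');
        const name = new TextDecoder().decode(bytes.subarray(len.pos, nameEnd));
        cur = readVarUint(bytes, nameEnd + 1); // index follows the kind byte
        found.push({ name, kind: KINDS[bytes[nameEnd]] || 'unknown', index: cur.value });
      }
    }
    pos = end;
  }
  return found;
}

// Keep only the exports whose name matches the watchlist.
const flagMinerExports = b => listExports(b).filter(e => WATCHLIST.some(re => re.test(e.name)));
// Constructed sample: module header plus an export section with the two entries above.
function sampleModule() {
  const entry = (name, kind, index) => [name.length, ...Buffer.from(name), kind, index];
  const payload = [2, ...entry('stackSave', 0, 71), ...entry('_cryptonight_hash', 0, 70)];
  return Uint8Array.from([0, 0x61, 0x73, 0x6d, 1, 0, 0, 0, 7, payload.length, ...payload]);
}
```

Export names are easily renamed or stripped, so a match is a triage signal rather than proof of mining.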
While drive-by mining usually happens via the typical HTTP protocol—either via HTTP or HTTPS connection—we have observed more examples of cryptocurrency miners communicating via WebSockets instead.
Figure 10: A WebSocket connection to Coinhive miner.
A WebSocket is yet another communication protocol which allows streams of data to be exchanged.
There is an initial handshake request and response with a remote server which is then followed by the actual data streams.
CryptoCoin mining code wrapped within a secure (wss) WebSocket is much more difficult to identify and thus block out.
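The handshake described above, as an added example that is not part of the original article: it recognizes a WebSocket upgrade request, derives the Sec-WebSocket-Accept value the server must answer with (RFC 6455), and checks the Host header against the services named in this article. The request, its path and its host name are constructed, and with wss this check only works where TLS is terminated, such as on the endpoint or an inspecting proxy.

```javascript
const { createHash } = require('crypto');

// Services named in the article (domains re-fanged); sample hosts are constructed.
const MINING_DOMAINS = ['coinhive.com', 'coin-have.com', 'crypto-loot.com'];
const WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'; // constant from RFC 6455

// Parse a raw HTTP/1.1 request head into method, path and lower-cased headers.
function parseRequest(raw) {
  const [start, ...lines] = raw.split('\r\n');
  const [method, path] = start.split(' ');
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, path, headers };
}

// The opening handshake is a GET carrying Upgrade, Connection and a nonce.
function isWebSocketUpgrade(req) {
  const tokens = (req.headers.connection || '').toLowerCase().split(',').map(s => s.trim());
  return req.method === 'GET' && tokens.includes('upgrade') &&
    (req.headers.upgrade || '').toLowerCase() === 'websocket' &&
    Boolean(req.headers['sec-websocket-key']);
}

// Value the server must return in Sec-WebSocket-Accept to complete the handshake.
function expectedAccept(key) {
  return createHash('sha1').update(key + WS_GUID).digest('base64');
}

// Return the matching service domain for a Host header value, or null.
function matchMiningHost(host) {
  const h = (host || '').toLowerCase().split(':')[0];
  return MINING_DOMAINS.find(d => h === d || h.endsWith('.' + d)) || null;
}

function classifyHandshake(raw) {
  const req = parseRequest(raw);
  if (!isWebSocketUpgrade(req)) return { websocket: false, service: null, accept: null };
  return { websocket: true, service: matchMiningHost(req.headers.host),
           accept: expectedAccept(req.headers['sec-websocket-key']) };
}

// Constructed request; the key is the sample nonce from RFC 6455.
const SAMPLE = ['GET /proxy HTTP/1.1', 'Host: ws.coin-have.com', 'Upgrade: websocket',
  'Connection: keep-alive, Upgrade', 'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==',
  'Sec-WebSocket-Version: 13', '', ''].join('\r\n');
```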
As the mining landscape continues to evolve the connections to real-world trends become more obvious to us.
Malware programmers aren’t only enjoying the anonymity provided by virtual currencies but also want to amass them.
Cryptomining malware provides a great use case for leveraging the sheer power of a botnet in order to perform CPU-intensive cryptocurrency mining tasks without having to endure the costs in the process.
In some respects, drive-by cryptocurrency mining also applies the same concepts, except that the botnet of web users it creates is largely temporary.
While crypto-mining appears to be a lot less dangerous to the user than ransomware is, its effects should not be underestimated.
Unmanaged miners could significantly disrupt business critical processes by overloading systems to the point where they become unresponsive and then shut down.
Under the careful disguise of a financially-motivated attack this may be the perfect alibi for advanced threat actors.