Exploiting the ecosystem around cryptocurrencies has become big business for cybercriminals. During the past few years, cybersecurity firms and observers have noted a spike in everything from phishing scams targeting e-wallet credentials to targeting the initial coin offerings (ICO) that serve as crowdfunding for many companies.  

Cryptojacking 

Adding to this list of challenges is cryptojacking. Cryptojacking operations profit by infecting unsuspecting computers with cryptomining malware. Rather than stealing data, these attacks are focused on compromising computers and using them to mine cryptocurrencies, such as Bitcoin and Monero. 

As a refresher, cryptocurrencies are decentralized currencies that provide a distributed ledger which serves as a public financial transaction database. These currencies typically use a blockchain and are secured by cryptography. All transactions involving a cryptocurrency are stored in the ledger. To create new units of the cryptocurrency and add transactions to the blockchain, cryptominers go to work.  

Cryptomining is a computer-intensive and profitable process. As a reward for their work, miners are given coins as payment. The only reward for an organization whose computers were hijacked however is the strain cryptomining can put on the company’s IT resources. 

Prevalence & Analysis 

The threat is very real. In the first quarter of 2018, several security vendors reported a spike in cryptomining malware, and news of high-profile victims, such as Tesla, brought the issue further into the spotlight. In our recent report, Blockchain (R)evolution, we discuss the evolution of blockchain technologies, the growth of cryptocurrencies, and the surge of activity such as cryptojacking by attackers.  

As part of the report, researchers with our Threat Resistance Unit (TRU) shed light on incidents impacting our customers during a 45-day period earlier this year. Between April 25 and June 8, Armor recorded 70 signature-based anti-malware events related to cryptomining across four customers. Approximately 50% of these events were determined to be Drupalgeddon2 and 3 related, and 50% were related to ApacheStruts2. The event-to-target ratio of these events indicates the attacks were likely automated. 

In addition, Armor analysts discovered domains and IP addresses associated with Monero, Electroneum, and Ubq mining pools coded into the malware samples related to these incidents. The geolocation of repositories hosting cryptomining malware, mining pools, and other associated malware downloads were globally distributed. While there is insufficient evidence to attribute the activity to any specific threat actor or botnet, it was observed that most of the IP-based indicators are associated with regional internet registries in Eastern Europe, namely Romania.  

In each case, the events that have included cryptomining malware have been determined to be the result of unpatched web application vulnerabilities. The verticals of the known, targeted customers include the healthcare, materials (metals and mining), financial, and information technology industries as well as nonprofits. Outside the vulnerable applications, no trends or anomalies were observed that would indicate that a particular vertical was being targeted. The attacks, however, highlighted the importance of patching vulnerable applications as soon as possible. In addition, organizations may want to consider working with security vendors to block the IP addresses of mining pools and would be wise to be wary of unexpected spikes in CPU. 

Variations 

As these attacks have surged over the past couple years, cryptojacking has taken multiple forms. One of these is browser-based mining. In this scenario, the mining happens inside the browser applications as opposed to through a downloaded file. When used legitimately, browser-based mining provides a way for websites to make money without using ads, while attackers use it to secretly harness the computers of people who visit a compromised site.  

In February, an attacker added malicious code to a JavaScript file that is part of the Texthelp Browsealoud product, which adds text-to-speech functionality to websites. The attacker inserted the Coinhive Monero miner into the code, and as a result, any site with a link to the Browsealoud was impacted. Without warning, visitors to the compromised sites had 60 percent of their CPU resources sucked into the illicit mining effort. The incident affected thousands of sites and forced Texthelp to temporarily take the Browsealoud service offline. 

During the past several years, there have also been numerous examples of attackers targeting mobile devices with cryptomining malware as well. Trojan applications containing code to mine cryptocurrencies have been detected in mobile marketplaces. In another case, detailed here by Malwarebytes in February, cybercriminals used drive-by attacks to infect millions of mobile users by redirecting them to a page designed to perform in-browser cryptomining. 

While mining for cryptocurrencies is not in and of itself unethical, doing so without a user’s consent is. Though these attacks may not be as devastating as a breach of customer data, they can equally cause mayhem as they tie up IT resources and impact business operations.