Cryptomining, Malware, and What to Expect in 2018


Cryptomining is a process that requires computational power for confirming the validity of new transactions in a decentralized network, which results in new blocks added to blockchain—a public ledger of cryptocurrency transactions.

As discussed in our Online Security Trends for 2018, cryptocurrency mining is growing significantly and will continue.

Miners put the computing power of their hardware into solving complex cryptographic problems to ensure the validity of each transaction comprising every new block in the chain—a process known as Proof of Work (PoW). The more computing power a miner can harness, the higher the chances of being the first to solve the block. Winning miners receive a certain amount of cryptocurrency. Meanwhile, the new block is added to the blockchain. In addition to PoW, there are other block validation methods, including Proof of Stake. A number of existing digital currencies like Bitcoin, Ethereum, and Monero are recognized as valid payment methods and are based on PoW.
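The hash-below-target search that PoW miners race to win, as an added example (not code from the original post or from any real currency's implementation): a constructed block header, a single SHA-256 over header plus an 8-byte nonce, and a difficulty expressed in leading zero bits. Bitcoin double-hashes and encodes difficulty differently, but the shape is the same: finding a nonce costs on average 2^difficulty attempts, while checking a claimed nonce costs one hash, which is why a whole network can cheaply verify a block that took enormous power to produce.

```python
import hashlib


def pow_digest(header: bytes, nonce: int) -> bytes:
    """Simplified PoW hash: SHA-256 over the header with the nonce appended."""
    return hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """A digest solves the block when, read as a 256-bit integer, it is below the target.
    Each extra difficulty bit halves the target and doubles the expected work."""
    target = 1 << (256 - difficulty_bits)
    return int.from_bytes(digest, "big") < target


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force the nonce: there is no shortcut, candidates must be tried one by one."""
    for nonce in range(max_nonce):
        digest = pow_digest(header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest.hex()
    raise RuntimeError("no nonce found within max_nonce")


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification is a single hash, regardless of how long mining took."""
    return meets_target(pow_digest(header, nonce), difficulty_bits)


def expected_attempts(difficulty_bits: int) -> int:
    """Average number of hashes a miner needs at this difficulty."""
    return 2 ** difficulty_bits


if __name__ == "__main__":
    # Constructed header: a real one would carry the previous block hash, merkle root, etc.
    header = b"constructed-header|prev=00|merkle=ab|ts=1514764800"
    for bits in (8, 12, 16):
        nonce, hexdigest = mine(header, bits)
        print(f"difficulty={bits:2d} nonce={nonce:6d} digest={hexdigest[:16]}... "
              f"expected~{expected_attempts(bits)} attempts, valid={verify(header, nonce, bits)}")
```

Run it and watch the nonce counts grow roughly 16x for every 4 extra bits; that asymmetry between the cost of finding a nonce and the cost of checking one is exactly the CPU time a cryptojacker steals from a visitor.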

What is the Current State of Cryptomining?

While some countries are undecided on the legitimacy of cryptocurrencies and how to regulate mining, on the web (and the dark web, especially), these currencies have replaced traditional ones.

Their popularity is unprecedented, even with the volatility in value. It’s easy to see why cryptocurrencies are gaining popularity. They often provide greater anonymity for buyers and sellers. For instance, Monero's creators take pride in implementing mechanisms that make transactions untraceable. Furthermore, numerous exchanges make converting your digital funds into USD or another currency relatively easy. In general, cryptocurrencies like Bitcoin demonstrated tremendous growth in 2017, and this growth has only been fuel to the fire of mining interest.

Cryptomining and the Motivation to “Cryptojack”

Mining cryptocurrencies based on PoW heavily relies on computer resources and electricity. Some currencies, like Bitcoin, demand significant energy resources and expensive mining equipment due to the strong competition in computing power between several large-scale miners. These power-players’ enormous transaction-solving rate effectively blocks smaller players from entering the Bitcoin mining game due to the difficulty of solo mining—the reward for mining tends to decrease with time. On the other hand, cryptocurrencies like Monero and Bytecoin, with their more limited power needs, can be mined by a group of computers whose CPU load is used for mining in addition to other non-mining tasks.

Enter cryptojacking.

The first steps of the cryptojacking craze were recorded in late September 2017, when the Coinhive tool went live. As a potential revenue replacement for ads, Coinhive allows site owners to implant a piece of JS code that piggybacks on website visitors during their time on the site and uses their CPU resources to mine Monero.

At least, this was the initial idea, which isn’t too bad at all.

However, within days of its release, a number of sites were caught red-handed using Coinhive without informing their users. Unfortunately, the situation hasn’t improved since.

Naturally, cyber criminals couldn’t ignore such a source of income, and since then we have seen numerous developments in what is called “cryptojacking.” In December 2017, researchers from Sophos demonstrated the correlation between the growth in Bitcoin's value and the number of Coinhive web miner infections.

[Figure: Bitcoin price vs. Coinhive infections] The growing price of Bitcoin correlates with an increase in Coinhive cryptomining code infections. Source: SophosLabs

The correlation of Coinhive web miner infections to the rise of Monero cryptocurrency value (XMR)

[Figure: Monero price vs. Coinhive infections] The growing price of Monero correlates with an increase in Coinhive infections. Source: SophosLabs

As cryptocurrency interest grows, so does cryptojacking.

Why is JS Browser Mining and Cryptojacking So Popular?

  • JavaScript miners are compatible with all modern browsers and platforms, which means that the code can also be executed on mobile devices, through apps.
  • Web miner integration is simple—no extra skills are required.
  • No user interaction is required for mining to occur; accessing a website with Coinhive or a similar web miner is enough. Alternatively, outright malicious code can be executed to run covertly in the background of a system or infrastructure.
  • Customization allows website owners and cryptojackers to decide what percentage of CPU resources the mining script should take up per user; even a 100% load is possible.
  • These methods deliver high ROI, since the cost of the computation falls on the website visitor’s system.

Is Cryptojacking Dangerous?

Recent research shows that there are at least 40,000 detectable websites with Coinhive-based cryptojacking in place. Coinhive clones have been found on another 9,028 websites and their number is growing.

In a simple scenario, when the user is on a website using a web miner, the CPU load increases as the machine starts hashing on the miner's behalf. Immediate side effects of cryptojacking include a performance drop, overheating, and a possible CPU outage. If the website owner customizes the miner to use 100% of the CPU, it may render the machine useless for the visitor’s own tasks. However, closing the website would usually be enough to put an end to the abuse.

Unfortunately, more sophisticated malware authors have developed persistence techniques that keep mining going after the browser is closed on an infected machine running Chrome. Site owners achieved this persistence by opening a hidden browser window sized to the user's screen resolution.

Mobile devices affected by the cryptomining malware known as Loapi have been reported to be physically damaged by overheating caused by excess CPU load during the mining process.

Just like with ransomware, with cryptojacking, your system is held hostage for someone else’s profit.

In fact, cryptojacking is more lucrative than ransomware, since mining is more sustainable and basically unseen, whereas getting a ransom paid isn’t guaranteed for the attacker. For organizations, cryptojacking is going to be as much of a problem as ransomware was in 2017. Check Point reports that cryptomining-related threats affected 55% of businesses across the globe.

Cryptojacking and Networks

In situations involving critical infrastructure or organizations, persistent cryptojacking malware may seriously affect operations over a prolonged period, as in the European water utility case discovered by Radiflow. Malware authors may use a host of tools to evade detection and make sure the cryptojacking malware propagates across the network, which in turn poses a real risk of infrastructure failure.

The range of possible consequences of rogue mining spans from annoyance to the potentially catastrophic. Think of the intentional misuse of nuclear plant infrastructure for mining.

How Does Cryptojacking Spread so Massively?

Cryptominers are focused on obtaining maximum computational power, and they succeed by repurposing some of the malware tools and infection tactics that the online industry has already seen in action—and largely perfected.

Malvertising has been a threat plaguing the ad tech industry for many years. Now malvertising techniques are in high demand by cryptominers, since they allow mining code to be delivered into a victim’s browser under the guise of a simple ad. Examples include Avast blocking YouTube banners containing Coinhive code, a finding later confirmed by other AV companies. In this scenario, attackers used Google’s DoubleClick platform, and its wide reach, to spread weaponized ads.

Some ad networks knowingly deploy in-browser miners along with the ads on their publishers’ sites. This particular case is interesting because researchers discovered an ad blocker evasion technique that mimics an approach used by malware. Zhang Zhaifeng from Qihoo Netlabs describes how ad networks can use a domain generation algorithm (DGA) to circumvent ad blockers. A DGA is a method of automatically generating many domains; some malware uses one to reach its command and control infrastructure during an attack while evading law enforcement and security researchers, because a static blocklist cannot keep up with domains that did not exist when the list was written.

In the write-up, an unnamed ad network used multiple DGA domains unknown to ad blockers to host and deliver ads carrying a variant of the Coinhive-family cryptomining script.

For users without ad blockers, the same ad network used its default ad hosting domains for the same purpose. The activity is estimated to have been ongoing since December 2017.
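The two detection angles raised above, a signature match on the miner script itself and a heuristic for the throwaway hosts a DGA produces, combined into one page scanner as an added example (not code from the original post, from Coinhive, or from Qihoo Netlabs). The sample page, its hostnames and the site key are constructed; the marker strings are the loader file name and constructor names the public Coinhive API used, which is the kind of signature a filter list carried. The DGA heuristic (high character entropy plus few vowels in the second-level label) is an assumption of this example, not the ad network's actual algorithm, and is meant to catch what a blocklist cannot have seen yet.

```python
import math
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative signatures: the Coinhive loader file name and the constructors its public API exposed.
MINER_SCRIPT_MARKERS = ("coinhive.min.js", "CoinHive.Anonymous", "CoinHive.User")


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._buf, self._in_script = [], [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for c in s:
        counts[c] = counts.get(c, 0) + 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def looks_generated(hostname: str, entropy_threshold: float = 3.3, min_len: int = 10) -> bool:
    """Heuristic (assumed for this example): long, high-entropy, vowel-poor second-level label."""
    labels = hostname.lower().split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(1 for c in label if c in "aeiou") / len(label)
    return shannon_entropy(label) >= entropy_threshold and vowel_ratio < 0.3


def scan_page(html: str, page_host: str):
    """Return (finding_kind, evidence) pairs for scripts that warrant blocking or review."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        host = urlparse(src).hostname or page_host  # relative src means same host
        if any(m.lower() in src.lower() for m in MINER_SCRIPT_MARKERS):
            findings.append(("known-miner-script", src))
        elif host != page_host and looks_generated(host):
            findings.append(("generated-looking-host", src))
    for code in collector.inline:
        if any(m in code for m in MINER_SCRIPT_MARKERS):
            findings.append(("known-miner-call", code.strip()[:60]))
    return findings


# Constructed sample page: one ordinary ad script, one Coinhive loader, one DGA-looking ad host,
# and the inline call that starts the miner with a placeholder site key.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-ads.com/ads.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script src="//xk7q2vbn9pzt.net/ad.js"></script>
</head><body>
<script>
var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.0});
miner.start();
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, evidence in scan_page(SAMPLE_PAGE, "www.example.org"):
        print(f"{kind:24s} {evidence}")
```

The ordinary ad host passes both checks, the loader is caught by name even though its domain is short, and the random-looking host is flagged purely on its shape. The heuristic thresholds will produce false positives on some CDN hostnames, so in practice a hit like this should feed a review or a throttle on CPU use rather than a hard block on its own.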

One more case highlights how fast malware authors adapt their tools and emphasizes the importance of patching. The devastating WannaCry ransomware attack of last year is memorable because it propagated quickly across networks through its use of the leaked NSA exploit EternalBlue. Ironically, by the time of the attack, Microsoft's patches for the exploited SMB vulnerability had already been available for several weeks.

Recent findings by Proofpoint suggest that the same exploit has been used to infect computers that mine Monero as part of a botnet. The total number of infected computers since the botnet's inception in May 2017 is estimated at over 526,000 devices, mostly unpatched servers.

Botnet operators continuously scan the web to identify potentially vulnerable systems and use other hacking tools leaked from the NSA in their operations. It is estimated that altogether the botnet has earned up to $3.6 million. Security researchers point out that cryptomining infections are harder to detect due to their fileless nature. Therefore, keeping systems patched is crucial.

Cryptojacking Protection

Surreptitious mining is on the rise, and we will definitely see more of it in 2018. Some of the symptoms that hint that your device is leaking CPU resources include:

  • A performance drop
  • Your computer’s fan spinning up, due to the CPU overheating
  • A noticeable increase of resource usage by the browser process in your Process Monitor (Windows) or Activity Monitor (Mac)
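The third symptom, turned into a check that separates a mining script's steady load from the short bursts a page normally causes, as an added example (not code from the original post or from any monitoring tool). The CPU samples are constructed, as if read from a process monitor every five seconds for a browser and an editor; the sliding-window rule (most of a window above the threshold) is this example's own choice of heuristic.

```python
from collections import defaultdict

# Constructed samples only: (seconds since start, process name, CPU percent).
# The browser stays hot; the editor has a single short spike.
SAMPLES = [
    (0, "chrome", 12.0), (5, "chrome", 95.0), (10, "chrome", 97.0),
    (15, "chrome", 96.0), (20, "chrome", 98.0), (25, "chrome", 94.0),
    (0, "editor", 3.0), (5, "editor", 85.0), (10, "editor", 4.0),
    (15, "editor", 2.0), (20, "editor", 3.0), (25, "editor", 2.0),
]


def sustained_high_cpu(samples, threshold=80.0, window=4, min_fraction=0.75):
    """Map each process whose CPU stayed at or above `threshold` for at least
    `min_fraction` of some `window` consecutive samples to the time it was first flagged.
    A single spike never reaches the fraction, so transient load is ignored."""
    by_proc = defaultdict(list)
    for t, name, cpu in sorted(samples):  # sort by time so windows are chronological
        by_proc[name].append((t, cpu))
    flagged = {}
    for name, series in by_proc.items():
        for i in range(len(series) - window + 1):
            win = series[i:i + window]
            hot = sum(1 for _, cpu in win if cpu >= threshold)
            if hot / window >= min_fraction:
                flagged[name] = win[-1][0]  # time at the end of the first hot window
                break
    return flagged


if __name__ == "__main__":
    for name, when in sustained_high_cpu(SAMPLES).items():
        print(f"{name}: sustained high CPU detected at t={when}s")
```

With the defaults the browser is flagged at 15 seconds and the editor's one-sample spike is not; tightening `min_fraction` to 1.0 delays the browser flag until a full window of hot samples, which is the trade-off between catching a miner quickly and tolerating a busy page.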

To prevent crooks and unethical website owners from abusing your CPU resources without your consent, there are a few things that you can do:

  • Use an ad blocker. It may detect and block the majority of cryptojacking tools, including those delivered via weaponized ads.
  • Use an anti-mining extension like No Coin or NoMiner.
  • Use an AV on both desktop and mobile devices.
  • Keep your system and browsers updated.