2018's security trends: malicious cryptomining

Malicious cryptomining, also sometimes called drive-by mining, is when someone else is using your computer to mine cryptocurrency like Bitcoin or Monero: essentially, they are stealing your resources to make money.

[caption id="attachment_2762" align="alignnone" width="852"] from https://www.gapingvoid.com/blog/2018/02/20/the-next-big-disruption/[/caption]

As the value of cryptocurrencies has increased significantly this new kind of threat has become mainstream, and for some analists might say has even surpassed all other cybercrime.
Indeed, cryptocurrency mining is such a lucrative business that cybercrime started to focus on stealing CPU power in order to mining cryptovalues.

For example, Smominru botnet uses EternalBlue and DoublePulsar to infect hundreds of thousands of Windows servers with a cryptocurrency miner, ultimately generating millions of dollars in revenue.

Another vulnerability that target Oracle’s WebLogic Server (CVE-2017-10271), were used to deliver miners onto servers at universities and research institutions (servers appears to be a favorite among cybercriminals because they offer the the highest hash rate).

Malvertising is also a major factor in spreading coin miners: recently YouTube was involved in spreading, serving malicious ads via DoubleClick.

Even malware authors ARE focused on cryptocurrency

Existing malware families like Trickbot added in a coin miner module, and the authors had expanded their banking trojan to steal credentials from Coinbase users as they logged into their electronic wallet.

Also mobile users are not immune to cryptomining: trojanized apps with injected mining code are common, especially for the Android platform.

Mining pools such as Minergate are often used by those Android malicious miners, and the same is true for OSX cryptominers.

 

How to discover if my computer is mining cryptocurrency?

First, check CPU usage!

Open a resource monitor on your computer to check if CPU usage is abnormally high.


If you see a spike in CPU usage when visiting a particular website that shouldn’t really be that taxing on your processor.
Or if you have everything closed but CPU usage is still super high, then you may have a crypto mining malware problem.

If you are aware of what is going on (for example when you visit a website that let the visitors the choice to view ads or start a mining process) then it’s not that big a deal.

However, when you are not aware of the mining activity it is a theft of resources. This is because cryptomining takes advantage of your computer’s CPU and GPU, slowing down every other process and potentially shorten the lifespan of your system.

Finding the origin of the high CPU usage can be difficult

Processes might be hiding themselves or masking as something legitimate in order to hinder the user from stopping the abuse.
Further, when your computer is running at maximum capacity it will run slow and the troubleshoot will be more harder.
Finally, a malicious cryptominer could also make you more vulnerable to other malware by introducing additional vulnerabilities to your system, like in the case of the Claymore Miner, used by a variant of Satori botnet to exploit a vulnerability and break into the systems.

How to prevent unwanted crypto-mining?

First, be sure that your antivirus/antimalware is updated!

However, not all security solution are able to block cryptomining threats.
The Premium version of Malwarebytes automatically blocks cryptocurrency miners on web pages, on the other hand Windows Defender CoinHive or other cryptocurrency miners on web pages.
So, check with your antivirus provider to see if they do.

Furthermore, Ad-blocking software can filter out known types of in-browser miners, like Coin Hive, which isn’t necessarily malware: for example, AdGuard is able to scan a site to see if Coin Hive is running on it and alert you to it, and AdBlock Plus suggests adding a filter to its built-in blocking options that targets Coin Hive.

If you need more specialized blocking capabilities there are extensions like NoCoin and MinerBlock that block mining activities, for Chrome, Firefox, and Opera (Opera’s latest versions even have NoCoin built in).

My personal suggestion to block web browser mining is a simple change on hosts file, like my previous post.

For example, if you need to block coin-hive.com miners you should:

(on Linux), open the hosts file by running:

sudo nano/etc/hosts

and add

0.0.0.0 coin-hive.com

at the end of the document.

(for Windows) navigate to C:\Windows\System32\drivers\etc, edit the hosts file and add

0.0.0.0 coin-hive.com

at the end.

 


References