Crypto-Mining Malware: The Canary in the Coal Mine

By: Callie Guenther, Cyber Threat Intelligence Manager

Every month, cyber threat intelligence teams around the world publish their “Top Malware Reports” tracking the latest trends and patterns in the global cyber threat landscape, and every month, the occurrence of cryptomining malware climbs. The top threats include ransomware, commodity banking malware such as Emotet and Trickbot, and illicit cryptocurrency miners. One of the most prevalent forms of cryptominer malware in the world, COINMINER, has impacted one in five organizations across the world.

Most illicit cryptomining takes advantage of gaps in organizational cyber hygiene; attackers use these unmonitored or under-monitored spaces to gain a foothold and spread across a network. Once initial access is established, cryptominers serve as the vehicle for more nefarious and sophisticated threats, so the presence of cryptomining malware is a symptom of a larger systemic security problem in addition to the security risks of the malware itself. Cryptocurrency mining in an enterprise setting represents an increasingly common cybersecurity risk. As the value of various cryptocurrencies continues to climb and their use becomes more prevalent, organizations need a more holistic understanding of the potential impact of mining malware on their operations and of how to navigate the security implications of cryptocoins.

Since the advent and growth of Bitcoin in early 2009, many cryptocoin derivatives and cryptocurrencies have been developed. Palo Alto Networks reported in July 2020 that the clear majority of illicit cryptocurrency mining malware mined Monero (85 percent), followed by Bitcoin (8 percent), with all other cryptocurrencies making up the remaining 7 percent.

Although a single Monero coin is significantly less valuable than a Bitcoin, several factors make Monero the cryptocurrency of choice for malicious actors. Monero provides advantages in privacy and anonymity, which help malicious actors hide both their mining activity and their post-exploit transactions in the currency. Most crypto wallets allow anonymous management of all stored assets, control of private keys, and transaction management from any cryptocurrency address. Moreover, some crypto wallets allow access to decentralized applications (dApps) for further decentralization of services. Transaction addresses and values are obfuscated by default, making Monero incredibly difficult to track. Additionally, the resources required to mine Monero are significantly lower than for other currencies, making it possible to mine the cryptocurrency on most personal computers and increasing the pool of potential targets for malicious actors. Monero’s mining algorithm is designed to encourage more users to contribute to its network, meaning that more profit can be squeezed out of processing power stolen via botnets by mining Monero rather than Bitcoin.

Following a monumental drop in cryptocurrency values in 2018, the market has rebounded in dramatic fashion with consistent price increases since early 2019. Despite the volatility and wide fluctuation of individual coin prices across the market, threat actors have largely remained undeterred from targeting both individual organizations and cryptocurrency exchanges, suggesting that a currency’s monetary value has little to do with their decision to carry out cyber-attacks. As the value of cryptocurrencies continues to rise, we expect to see a continued increase in the frequency and sophistication of illicit cryptomining attacks.

Illicit cryptocurrency mining poses an immediate and long-term threat to both enterprises and end-users. Analysts have frequently observed that the malware used by cryptocurrency miners relies on the same methods that lead to future network or data attacks. Talos Intelligence Group observed the use of the EternalBlue and DoublePulsar exploits by the Adylkuzz malware as part of illicit cryptocurrency mining campaigns, and the widespread Monero-mining campaign called “Smominru,” revealed by Proofpoint, was estimated to have made roughly $2.3 million.

After a malicious actor establishes an initial foothold on a network, the attacker can leverage illicit cryptocurrency mining software as a vector for conducting additional malicious operations. For example, malicious actors could create backdoors for future access or employ the malware as a route for downloading additional malicious payloads beyond the miner. Follow-on attacks may include data theft, data alteration, ransomware, and other disruptive actions. If an actor conducting mining operations on a network decides they are not generating adequate income from mining, they may turn to one of these more direct actions. If the criminal maintains persistent access to the network, that access alone is a sellable resource they may lease to other potential attackers.

While malicious cryptomining appears to be far less dangerous to the user than ransomware, its effects should not be underestimated. Unmanaged miners can seriously disrupt business- or infrastructure-critical processes by overloading systems to the point where they become unresponsive and shut down. Where the affected resources lack appropriate security tooling, cryptominers slow down business processes and drive up organizational costs. Cybercriminals see an opportunity to make money by running malware campaigns that distribute, install, and run trojanized miners at the expense of other people’s computing resources. Like most other malicious attacks on the computing public, the motive is profit, but unlike many threats, cryptomining is designed to remain largely hidden, and its potential long-term ramifications are much harder to mitigate.
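The paragraph above notes that miners overload systems and are designed to stay hidden; one practical consequence is that sustained, unexplained CPU consumption is often the first observable symptom. The following is an added example, not code from the original post or from Critical Start, that shows one way a defender can turn that observation into a simple detection: it parses constructed per-process CPU samples (the log format, host name, process names and the allowlist are all hypothetical) and flags any process that stays above a CPU threshold for several consecutive sampling intervals, unless it is an expected heavy workload.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (hypothetical format): one line per process per one-minute sample.
SAMPLE_LOG = """\
2020-07-01T10:00:00Z host=web-01 pid=1001 name=nginx cpu=12.0
2020-07-01T10:00:00Z host=web-01 pid=4242 name=update-helper cpu=96.0
2020-07-01T10:00:00Z host=web-01 pid=555 name=ffmpeg cpu=99.0
2020-07-01T10:00:00Z host=web-01 pid=777 name=backup cpu=90.0
2020-07-01T10:01:00Z host=web-01 pid=1001 name=nginx cpu=15.0
2020-07-01T10:01:00Z host=web-01 pid=4242 name=update-helper cpu=98.0
2020-07-01T10:01:00Z host=web-01 pid=555 name=ffmpeg cpu=99.0
2020-07-01T10:01:00Z host=web-01 pid=777 name=backup cpu=40.0
2020-07-01T10:02:00Z host=web-01 pid=1001 name=nginx cpu=9.0
2020-07-01T10:02:00Z host=web-01 pid=4242 name=update-helper cpu=97.0
2020-07-01T10:02:00Z host=web-01 pid=555 name=ffmpeg cpu=99.0
2020-07-01T10:02:00Z host=web-01 pid=777 name=backup cpu=92.0
2020-07-01T10:03:00Z host=web-01 pid=1001 name=nginx cpu=20.0
2020-07-01T10:03:00Z host=web-01 pid=4242 name=update-helper cpu=99.0
2020-07-01T10:03:00Z host=web-01 pid=555 name=ffmpeg cpu=99.0
2020-07-01T10:03:00Z host=web-01 pid=777 name=backup cpu=95.0
"""

# Hypothetical allowlist of workloads that are expected to saturate CPU on this host.
ALLOWLIST = frozenset({"ffmpeg"})

LINE_RE = re.compile(r"^(\S+) host=(\S+) pid=(\d+) name=(\S+) cpu=([\d.]+)$")


@dataclass(frozen=True)
class Sample:
    ts: str        # ISO-8601 timestamp; sorts correctly as a string
    host: str
    pid: int
    name: str
    cpu_pct: float


def parse_log(text):
    """Parse the constructed log format into Sample records, skipping malformed lines."""
    samples = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, pid, name, cpu = m.groups()
            samples.append(Sample(ts, host, int(pid), name, float(cpu)))
    return samples


def sustained_high_cpu(samples, threshold=85.0, min_consecutive=3, allowlist=ALLOWLIST):
    """Return one finding per (host, pid, name) whose CPU stayed >= threshold
    for at least min_consecutive consecutive samples and is not allowlisted."""
    by_proc = defaultdict(list)
    for s in samples:
        by_proc[(s.host, s.pid, s.name)].append(s)

    findings = []
    for (host, pid, name), procs in by_proc.items():
        if name in allowlist:
            continue
        run = best = 0
        for s in sorted(procs, key=lambda x: x.ts):
            run = run + 1 if s.cpu_pct >= threshold else 0  # reset on any dip below threshold
            best = max(best, run)
        if best >= min_consecutive:
            findings.append({"host": host, "pid": pid, "name": name,
                             "consecutive_high_samples": best})
    return sorted(findings, key=lambda f: f["name"])


def detect(text=SAMPLE_LOG, **kwargs):
    """Convenience wrapper: parse the log and run the sustained-CPU check."""
    return sustained_high_cpu(parse_log(text), **kwargs)


if __name__ == "__main__":
    for f in detect():
        print(f"{f['host']} pid={f['pid']} {f['name']}: "
              f"{f['consecutive_high_samples']} consecutive high-CPU samples")
```

On the constructed data only `update-helper` is reported: `nginx` never crosses the threshold, `ffmpeg` is allowlisted, and `backup` dips between high samples, so its longest run is two. Requiring consecutive samples rather than a single spike is what keeps ordinary bursty work out of the alert queue; lowering `min_consecutive` trades that precision for earlier detection.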

©2020 CRITICALSTART.