The rising trend of cryptocurrency mining malware: What you should know

7 Mar 2018

3D rendering of Monero cryptocurrency. Image: Wit Olszewski/Shutterstock

What can you do to avoid becoming a victim of cryptocurrency mining malware?

Cryptocurrency mining is becoming more commonplace. As the general public becomes more aware of the possibilities therein, so too do bad actors willing to access the computing resources of unwitting individuals to get a slice of the pie.

Secureworks provides a myriad of cybersecurity services to thousands of companies around the world, including Fortune 500 clients. Today (7 March), it released an extensive report examining the burgeoning threat of cryptocurrency mining malware. The company has seen significant increases in clients reporting incidents involving this type of malware.

More than just a nuisance

In comparison to complete loss of availability caused by ransomware and loss of confidentiality caused by banking trojans or other information stealers, the impact of unauthorised cryptocurrency mining could be seen as merely a nuisance, but that is not really the case.

Secureworks notes the “cumulative effect of large-scale unauthorised cryptocurrency mining in an enterprise environment can be significant as it consumes computational resources and forces business-critical assets to slow down or stop functioning effectively”.

The deployment of such malware also reflects a breakdown of effective technical controls. Put simply, if attacks like this can become established and spread laterally within the environment, it’s likely more serious threats could do the same.

Cryptocurrencies growing in popularity

As of December 2017, there were approximately 1,370 cryptocurrencies available online coinciding with the boost in popularity and volatility of popular offerings like Bitcoin and Monero.

Mining cryptocurrencies is more profitable when computing power is aggregated, with the rewards then split among contributors. Pools are not required to disclose details of the amount of miners within, making the number of active miners and mining apps difficult to calculate.

Cryptocurrency historically attractive to criminals

Cryptocurrency is attractive to financially motivated threat actors as the decentralised nature of many of the offerings makes things difficult in terms of legal investigations. The promotion of anonymity as a USP of many cryptocurrencies is another key factor.

If a cyber-criminal controls an affected system, mining can be done cost-free as the hardware and energy costs are outsourced. Combining cryptocurrency mining malware with information stealers can also provide additional revenue streams.

Bitcoin mining as a criminal activity was first reported in 2011 and those employing these techniques have grown more sophisticated in their execution. The Apache Struts vulnerability used to compromise Equifax in 2017 was the key to the Zealot multi-platform campaign that mined Monero cryptocurrency and the same exploit used in the WannaCry attack was used to deliver the Adylkuzz mining malware in that same year.

The combination of SMBv1 exploits and the Mimikatz credential-theft tool used by the NotPetya malware in June 2017 has been used to distribute Monero mining software.

There are also a number of miners across multiple platforms, with threat actors deploying it where they can get the highest return – from Linux to Windows and even mobile operating systems.

Monero is the currency of choice

Browser-based mining software such as Coinhive allows website owners to legitimately monetise web traffic, but the software can just as easily be used by bad actors to exploit vulnerable websites.

Monero seems to be the most popular option to mine, as most threat actors believe it provides the best return on investment and is more suitable for machines with less computational power, making it easier to exploit a large number of corporate computing assets.

Underground forums offer obfuscation, malware builders and botnet access to hide illegitimate mining.

What is the impact?

The impact to an individual host is the consumption of processing power, Secureworks clients have noted surges in computing resources and effects on business-critical servers. This impact is amplified in large-scale infections.

It is especially nefarious as people may not notice cryptocurrency mining as quickly because it does not require capitulation, its impact is less immediate or visible, and miners do not render data and systems unavailable. These factors may make mining more profitable than deploying ransomware.

A high return on investment

Mike McLellan, author of the report and senior security researcher at Secureworks, told “The use of cryptocurrency mining malware will continue to rise as long as it offers a high return on investment for threat actors.

“If an initial malware infection can deliver and spread cryptocurrency miners within an environment without being detected, then that same access vector could be manipulated to deliver a wide range of other threats, such as banking trojans or ransomware.”

McLellan added that Secureworks is seeing some threat actors remove vulnerabilities that are used to gain initial access to hosts, meaning that no one else can gain access in the same way.

What can you do?

McLellan offered the following tips: “When it comes to mitigating the threat of cryptocurrency mining malware, organisations need to ensure that appropriate preventative, detective and responsive controls and procedures are in place.

“This includes implementing two-factor authentication and web application firewalls or web content filtering, plus managing user account privileges, and disabling access to unused ports and services.

“Having the right endpoint security technology and implementing and/or updating antivirus software is also critical in order to detect cryptocurrency mining malware.”

Finally, organisations need to practice incident response, and ensure that the right back up regimes are in place in the instance that organisations are infected with cryptocurrency mining malware.

By employing these steps, people and businesses can also protect themselves against other dangers, McLellan concluded. “These mitigations for installation, persistence, and lateral movement techniques associated with cryptocurrency malware are also effective against commodity and targeted threats.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects