Cryptocurrency Mining Malware
Cryptocurrencies have no borders: anyone can send them anytime, anywhere, without delays, and they are not accountable to anyone, including governments and central banks. Though lucrative, cryptocurrencies bring cyber security threats along with them as a package. The popularity and booming price of cryptocurrencies has invited many nefarious actors vying for illicit gains through crypto mining. As per Kaspersky Lab, ‘around 1.6 million of their clients had their computers infected by cryptocurrency mining malware this year, and the incidents seem to be growing in future.’ These perpetrators are using different kinds of malware to exploit the opportunity of crypto mining. Browser-based cryptocurrency mining is one of them.
Browser-based cryptocurrency mining
Browser-based cryptocurrency mining is not new; it has existed since 2011. However, it is only recently that there has been a sharp surge in the use of crypto mining malware. Back in 2011, Bitcoin was in its infancy, mining was not that difficult and could be done with home-grade hardware. Therefore, browser-based cryptocurrency mining was not lucrative.
However, during these dormant years hacking tools related to bitcoin mining emerged. The idea of browser-based crypto mining was revived in December 2013 by a group of MIT students in a project called “Tidbit”, positioned as an alternative way for websites to raise revenue.
Recent Modus Operandi
Facebook Messenger has fallen victim to an exploit that allows attackers to secretly mine cryptocurrency by harnessing the computing power of infected machines. The malware ‘Digmine’ is a mining bot distributed via Messenger for mining Monero (another popular cryptocurrency).
The Digmine malware is disguised to look like a video file being shared over Messenger. Once opened, the ‘video’ installs malicious code that compromises the desktop version of Facebook Messenger when used with Google Chrome. This is also the only way the malware can spread: opening the video file in Messenger on any other platform won’t result in an infection.
The malware can give hackers control of your account, which can result in slowing of your computer and gives the hackers the ability to target people on your friends list. Hackers use the processing power of the CPU for mining Monero. The profits from this illicit computer-jacking are sent to the attacker’s encrypted Monero wallet.
Source: @helpprotectme
This cryptocurrency mining bot ‘Digmine’ first surfaced in South Korea, then spread to Vietnam, Azerbaijan, Ukraine, the Philippines, Thailand, and Venezuela, and is now spreading fast across the world. Trend Micro, a Tokyo-headquartered cybersecurity firm, disclosed Digmine to Facebook, which promptly removed Digmine-related links from its platform.
Even mobile devices have not been spared from cryptocurrency mining. Modern mobile phones have processors that can be as powerful as low- to mid-range desktop computers, which helps to make mobile mining more viable.
As per a survey, there has been a 34% increase in the number of mobile apps incorporating cryptocurrency mining code. It should be noted, however, that cryptocurrency mining is energy intensive and therefore can quickly drain a mobile battery.
Mobile mining can be detected by the heat generated, a fast-draining battery and low performance.
Internet of Things (IoT)
Given their ubiquity in home and corporate environments, IoT devices are prone to cryptocurrency mining malware. In April 2017, a variant of ‘Mirai’ with bitcoin mining capabilities surfaced.
Last year, Mirai wreaked havoc through IoT devices, particularly home routers, using them to knock high-profile sites offline.
According to researchers from Netskope, hackers are making clever use of Amazon with Zminer. Zminer is an executable coin mining malware and is currently being dropped from an exploit kit.
Zminer connects to an Amazon S3 storage bucket to grab two payloads, the Claymore CryptoNote CPU Miner and Manager.exe.
Claymore is the mining utility, whereas Manager oversees the mining and includes instructions for the Windows Task Scheduler.
Researchers at Kaspersky Lab have identified a family of modular Android malware, “Loapi”, capable of mining Monero, inundating users with advertisements, automatically subscribing the user to paid services, and participating in DDoS attacks, among other functions.
Loapi is so power-hungry that it can overheat the battery and fry the phone. Loapi physically broke a test phone used to study the malware within two days of the device being infected.
Unethical practices by companies
A few companies are deliberately using miners like Coinhive to earn revenue. Coinhive is JavaScript mining malware designed to reside on websites and run in visitors’ browsers to crunch the calculations that mine Monero.
When Pirate Bay was found running it, the site responded quickly, saying that the in-browser mining was a ‘test’ to see if it could be used to replace the site’s ads, which are often riddled with malware. Showtime, for its part, said that it had removed the errant code.
Ultimately, users realized that both Pirate Bay and Showtime had employed cryptocurrency mining malware to turn visitors’ computers into cryptocurrency mining systems.
How the Loapi Trojan harms you
Cryptomining: The Trojan uses the mobile phone’s processing power to mine Monero coins. As a result, the device can heat up after prolonged operation and the phone’s battery ends up baked.
Unwanted ads: Like many other malware in the market, the Trojan also tries to flood the smartphone with banner and video ads. “This module of the Trojan can also download and install other apps, visit links, and open pages on Facebook, Instagram, and VKontakte—apparently to drive up various ratings,” said Kaspersky.
Paid subscriptions: The Trojan can sign up for paid subscriptions by sending SMS messages in secret. What’s more, all messages (both outgoing and incoming) are immediately deleted.
DDoS attacks: The Trojan has a module that can launch distributed denial of service attacks by sending HTTP requests from the infected device, using a built-in proxy server. A DDoS attack, as the name suggests, denies users any service on the phone and locks them out of it.
Downloading new modules: The most frightening feature is that the Trojan can download new modules to adapt to any new cash-out strategy its creators develop. For example, one day it might transform into ransomware, spyware, or a banking Trojan, said Kaspersky.
There have been innumerable attacks to mine cryptocurrencies in the past; a few of the prominent ones are listed below:
- Harvard’s supercomputer cluster Odyssey was used to illicitly mine Dogecoin.
- Supercomputers of US National Science agency were used to mine cryptocurrencies.
- In January 2014, Yahoo!’s Java-based advertisement network was compromised, exposing European end users to malvertisements that delivered bitcoin-mining malware. Experts claim that about 27,000 users were infected per hour.
- Transneft of Russia, the world’s largest oil pipeline operator, had its computer systems affected by mining malware.
- In February 2017, US Federal Reserve’s server was misused to mine bitcoins.
- The global virus attack dubbed ‘Bad Rabbit’ affected many companies in Russia, Ukraine, Turkey and Germany. The attack demanded 0.05 bitcoin as ransom.
- WannaCry and ExPetr are other notable cryptoware epidemics.
How to avoid
Install No Coin: This lightweight, open-source browser extension monitors sites for potential in-browser mining activity and alerts you if anything suspicious occurs. It also allows you to block and whitelist sites. It is available for Chrome, Firefox and Opera.
Be mindful of CPU spikes: Be conscious of your browsing habits and try to identify any sudden lag or system drag that occurs when you load a website. CPU spikes may also be indicated by computer fans speeding up and making more noise than usual, especially on laptops.
Avoid piracy sites: Any site may be hiding malware, but it must be said that piracy sites typically pose a higher risk.
Use an antivirus: A reputable antivirus solution can identify potential threats and remove any traditional mining malware that may infect your system.
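The first two items above describe two defensive checks: the block/whitelist decision that an extension such as No Coin makes for each script request, and the CPU-spike heuristic that separates a brief page-render spike from a tab kept pegged by a Coinhive-style miner. The Node.js script below is an added example modelling both; it is not No Coin’s source and not code from this article. The hosts in MINER_BLOCKLIST, the function names, and the CPU sample series are all constructed for illustration.

```javascript
// Added example (not No Coin's source, not code from the article): a model of
// a No Coin-style request filter plus a sustained-CPU heuristic.
// MINER_BLOCKLIST entries are constructed placeholders, not a vetted list.

// 1. Blocklist/whitelist decision. Block script requests to known miner hosts
//    unless the user has explicitly whitelisted the site being visited.
const MINER_BLOCKLIST = [
  'miner.example',      // constructed placeholder for a miner script host
  'coin-pool.example',  // constructed placeholder
];

// Sites on which the user has chosen to allow in-browser mining.
const userWhitelist = new Set();

function allowSite(pageUrl) {
  userWhitelist.add(new URL(pageUrl).hostname);
}

function revokeSite(pageUrl) {
  userWhitelist.delete(new URL(pageUrl).hostname);
}

// True when `host` is `pattern` itself or a subdomain of it. Matching on a
// label boundary avoids false positives such as "notminer.example".
function hostMatches(host, pattern) {
  return host === pattern || host.endsWith('.' + pattern);
}

// Decide whether a request for `requestUrl`, issued by the page at `pageUrl`,
// should be blocked. Unparseable URLs are allowed through, so one malformed
// entry cannot break unrelated pages.
function shouldBlock(requestUrl, pageUrl) {
  let reqHost;
  let pageHost;
  try {
    reqHost = new URL(requestUrl).hostname;
    pageHost = new URL(pageUrl).hostname;
  } catch (e) {
    return false;
  }
  if (userWhitelist.has(pageHost)) return false;
  return MINER_BLOCKLIST.some((pattern) => hostMatches(reqHost, pattern));
}

// 2. CPU-spike heuristic. A page render spikes the CPU briefly; a miner keeps
//    it pegged. Flag a tab whose CPU share stays at or above `threshold`
//    percent for `minSeconds` consecutive one-second samples.
function sustainedHighCpu(samples, threshold = 80, minSeconds = 10) {
  let run = 0;
  for (const cpu of samples) {
    run = cpu >= threshold ? run + 1 : 0;
    if (run >= minSeconds) return true;
  }
  return false;
}

// Constructed sample series: percent CPU per second for a single browser tab.
const NORMAL_PAGE_LOAD = [95, 90, 70, 30, 10, 5, 5, 5, 5, 5, 5, 5];
const MINING_TAB = Array(30).fill(97);

// Stand-alone demonstration.
console.log(shouldBlock('https://cdn.miner.example/lib.js', 'https://news.example/'));   // true
console.log(sustainedHighCpu(NORMAL_PAGE_LOAD), sustainedHighCpu(MINING_TAB));           // false true
```

The whitelist is keyed on the visited page’s hostname rather than the script’s, which is what lets a user opt in to mining on one site without unblocking the miner host everywhere. The CPU threshold and window are deliberately tunable: a video call or a heavy web app can legitimately hold high CPU, so in practice the heuristic is a prompt to look at the tab, not proof of mining.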