Enslaved As Miner Against Your Will? Recent Malware Attacks May Have Your Systems Mining Crypto Without Your Knowledge
In the past few months, HLC has been noting a decided uptick in one type of malware: crypto currency mining. While our solutions have prevented these infections, the malware is often embedded into .png picture files, making it appear all the more innocuous to the user who is inadvertently infected.
Since the introduction of Bitcoin in 2009, the popularity and adoption of cryptocurrencies as an asset class has grown at a rapid pace. Once reserved for black market activity, hobbyists, mathematicians, and computer geeks, cryptocurrency is now a global topic of interest with a market capitalization of ~$400 billion, and it continues to rise with Initial Coin Offerings (ICOs) that fund the development of further cryptocurrency-related projects. Unfortunately, the anonymity provided by digital currencies has quickly been abused for illegal extortion, as was the case during the various ransomware outbreaks we’ve witnessed in the last few years. As the value of cryptocurrencies has increased significantly, a new kind of threat has gone mainstream and replaced ransomware extortion: cryptocurrency mining malware. Malware creators target other people’s computing power because the price of a dedicated cryptocurrency mining machine easily exceeds thousands of dollars. The emergence of cryptocurrencies that can be mined by average computers has attracted malware creators and has contributed to the widespread abuse we are witnessing globally.
What Is Crypto Mining and How Do You Get Infected?
Cryptocurrency mining is a record-keeping service that is done using computer processing power. Transactions are recorded in blockchains, which function as a public ledger. The consistency and completeness of the blockchain is maintained in an unalterable state by miners, who repeatedly verify newly broadcast transactions and collect them into blocks. Cryptocurrency mining malware comes in many forms, for many different operating system and application platforms, but the common theme among all of them is threat actors leveraging the computing power of as many compromised devices as possible to maximize cryptocurrency mining profitability. It is critically important for the malware creator that the cryptocurrency mining malware infects as many systems as possible, in order to control a larger pool of CPU resources for mining. Let’s investigate the most common delivery methods for cryptocurrency mining malware.
The WannaCry ransomware, a highly publicized piece of malware, spreads using the leaked EternalBlue exploit and DoublePulsar backdoor, and other malware groups repurposed its code to leverage the same vulnerability to infect hundreds of thousands of Windows servers with a cryptocurrency miner, ultimately generating millions of dollars in revenue. Other vulnerabilities, such as a flaw in Oracle’s WebLogic Server (CVE-2017-10271), were also used to deliver miners onto servers at universities and research institutions. Servers are a favorite among malware creators because they offer the highest hash rate for solving the mathematical operations required by cryptomining. Existing malware families like Trickbot, which is distributed via malicious spam attachments, have added a cryptocurrency miner module to their payload. Another commonly used delivery method is fake software patches for highly publicized vulnerabilities such as Spectre and Meltdown; the favored malware family for this method is SmokeLoader, and cryptocurrency miners have become the most commonly installed payloads.
Indicators of Compromise: Identifying Infection
There are three common Indicators of Compromise (IoCs) on every infected victim’s device.
First, for cryptocurrency mining to occur, the malware runs background processes on the infected host that result in significant over-usage of its resources, and subsequently its performance slows down significantly. Common symptoms are an overheating system due to constant CPU and GPU over-usage, drastic system performance degradation, and hardware malfunction. Open a resource monitor on your computer to check whether CPU usage is abnormally high; on a Mac that’s Activity Monitor, and on Windows it’s Task Manager. The worst part is that many of these miners leave no residual file on disk (so-called fileless malware), which makes them very difficult to detect and impossible for standard signature-based anti-malware software to catch. What is fileless malware? Just as the name suggests, fileless malware is a variant of malicious code that affects your system without leaving an installed file on the victim’s device. Fileless malware is written directly into the device’s working memory, RAM. You may think a simple reboot will remove the malware; however, the malware code is also injected into commonly running processes such as service.exe and chrome.exe to sustain itself after each reboot.
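The first IoC above is sustained CPU consumption, which a resource monitor shows but does not separate from a legitimate burst such as a compile or a video encode. The following added example (not HLC’s code) implements that distinction: a process is reported only when it stays above a CPU threshold for several consecutive samples. The sample data is constructed; the `live_samples` helper uses the third-party `psutil` package and is an assumption about how one would collect real samples.

```python
"""Flag processes whose CPU usage stays high across consecutive samples.

Added example (not HLC's code). The core logic works on plain tuples so the
constructed sample data below runs offline; live sampling via psutil is
optional and only imported when called.
"""
from collections import defaultdict

# Constructed samples: (sample_index, pid, process_name, cpu_percent).
# pid 4242 is flat-out the whole time (the pattern a miner produces);
# pid 77 is a transient spike such as a compile step; pid 9 is idle.
SAMPLES = [
    (0, 4242, "chrome.exe", 96.0), (0, 77, "cl.exe", 91.0), (0, 9, "explorer.exe", 1.0),
    (1, 4242, "chrome.exe", 97.5), (1, 77, "cl.exe", 88.0), (1, 9, "explorer.exe", 0.5),
    (2, 4242, "chrome.exe", 95.0), (2, 77, "cl.exe", 3.0),  (2, 9, "explorer.exe", 0.0),
    (3, 4242, "chrome.exe", 98.0), (3, 77, "cl.exe", 2.0),  (3, 9, "explorer.exe", 1.2),
]


def sustained_cpu_hogs(samples, threshold=80.0, min_consecutive=3):
    """Return {pid: name} for processes at or above `threshold` percent CPU
    in at least `min_consecutive` consecutive samples.

    A burst that drops off (pid 77 above) is not reported; a process that
    never lets go (pid 4242) is. A gap in a process's sample indices resets
    the run so a process that was not observed in between cannot qualify."""
    by_pid = defaultdict(list)
    names = {}
    for idx, pid, name, cpu in sorted(samples):
        by_pid[pid].append((idx, cpu))
        names[pid] = name

    hogs = {}
    for pid, series in by_pid.items():
        run, prev_idx = 0, None
        for idx, cpu in series:
            contiguous = prev_idx is None or idx == prev_idx + 1
            run = (run + 1 if contiguous else 1) if cpu >= threshold else 0
            prev_idx = idx
            if run >= min_consecutive:
                hogs[pid] = names[pid]
                break
    return hogs


def live_samples(intervals=4, interval_seconds=1.0):
    """Collect real samples with psutil (assumed third-party dependency).

    cpu_percent(None) measures usage since the previous call, so the counters
    are primed once before the first timed interval."""
    import time
    import psutil  # pip install psutil

    procs = list(psutil.process_iter(["pid", "name"]))
    for p in procs:
        try:
            p.cpu_percent(None)
        except (psutil.NoSuchProcess, psutil.AccessDenied):
            pass
    out = []
    for idx in range(intervals):
        time.sleep(interval_seconds)
        for p in procs:
            try:
                out.append((idx, p.pid, p.info["name"], p.cpu_percent(None)))
            except (psutil.NoSuchProcess, psutil.AccessDenied):
                continue
    return out


if __name__ == "__main__":
    # Run against the constructed data; swap in live_samples() on a real host.
    for pid, name in sustained_cpu_hogs(SAMPLES).items():
        print(f"sustained high CPU: pid {pid} ({name})")
```

Raising `min_consecutive` trades detection delay for fewer false positives from legitimate workloads; the process name alone tells you little, since the text notes that miners inject into processes such as chrome.exe, so a flagged browser with no open windows is the case worth investigating.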
Second, in order to achieve maximum profitability mining cryptocurrency, the malware must connect to a C&C (command and control) server to download the cryptocurrency mining software and execute it without leaving a file. Most importantly, the malware must add the compromised host to a mining pool network. This abnormal network traffic is a common way to confirm you’re a victim of cryptocurrency mining malware. All mining software must be able to connect to either the cryptocurrency network or a mining pool to exchange data, in other words to submit its proof-of-work. Without this connection, it cannot get the data it needs to generate hashes, rendering it useless. Malware creators will add network rules to block the ports associated with the exploited vulnerability, closing the proverbial door behind them against other potential attacks. This is done to keep the infected system to themselves and close it off to any other malware targeting the same vulnerability. Not only are malware creators mischievous, but apparently greedy as well.
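The second IoC, the connection to a mining pool, is visible on the wire: Stratum pools speak a line-oriented JSON-RPC dialect whose first messages are `mining.subscribe` and `mining.authorize` (or, for CryptoNote/Monero pools, a `login` call carrying the miner’s `agent` string). The following added example (not HLC’s tooling) runs that check over constructed connection-log lines. The log format is an assumption (tab-separated timestamp, source, destination host, port, first bytes of client payload), and the port list is a handful of ports commonly used by public pools, which on its own is only a weak signal.

```python
"""Spot mining-pool (Stratum) traffic in connection logs.

Added example, not HLC's tooling. Log lines are constructed and
tab-separated: timestamp, source, destination host, destination port, first
bytes of the client payload (empty when encrypted or not captured).
"""
import json

# Stratum v1 (Bitcoin-style pools) and the JSON-RPC dialect of CryptoNote
# pools. Method names as publicly documented for those protocols.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}
CRYPTONOTE_METHODS = {"login", "getjob", "submit"}
# Ports often used by public pools; constructed, not exhaustive, weak alone.
POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 14444}

# Constructed sample log. Hosts use the reserved .invalid TLD.
LOG = (
    '2024-01-01T10:00:01Z\t10.0.0.12\tpool.example-mining.invalid\t3333\t'
    '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}\n'
    '2024-01-01T10:00:02Z\t10.0.0.12\tpool.example-mining.invalid\t3333\t'
    '{"id":2,"method":"mining.authorize","params":["wallet.worker","x"]}\n'
    '2024-01-01T10:00:05Z\t10.0.0.12\txmr.example-pool.invalid\t14444\t'
    '{"id":1,"method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/6.0"}}\n'
    '2024-01-01T10:00:09Z\t10.0.0.20\tupdates.example.invalid\t443\t\n'
    '2024-01-01T10:00:11Z\t10.0.0.31\tbuild.example.invalid\t4444\t\n'
    '2024-01-01T10:00:15Z\t10.0.0.44\tapi.example.invalid\t443\t'
    '{"id":7,"method":"login","params":{"user":"alice"}}\n'
)


def classify(line):
    """Return (severity, reason) for one log line, or None when nothing
    mining-specific is seen. Payload evidence outranks the port heuristic."""
    _ts, src, host, port, payload = line.rstrip("\n").split("\t", 4)
    port = int(port)
    if payload:
        try:
            msg = json.loads(payload)
        except json.JSONDecodeError:
            msg = {}
        method = msg.get("method") if isinstance(msg, dict) else None
        if method in STRATUM_METHODS:
            return ("high", f"Stratum {method} to {host}:{port}")
        if method in CRYPTONOTE_METHODS:
            params = msg.get("params")
            # A generic web "login" RPC (last sample line) lacks the
            # miner-specific login/pass/agent triple and is not flagged.
            if isinstance(params, dict) and "agent" in params and "login" in params:
                return ("high", f"CryptoNote pool login ({params['agent']}) to {host}:{port}")
    if port in POOL_PORTS:
        return ("low", f"Connection to common pool port {port} on {host}; verify what runs on {src}")
    return None


def scan(log_text):
    """Return one finding dict per suspicious line, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        verdict = classify(line)
        if verdict:
            findings.append({"src": line.split("\t")[1],
                             "severity": verdict[0], "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for f in scan(LOG):
        print(f"[{f['severity']}] {f['src']}: {f['reason']}")
```

Because the text notes that the miner is useless without this connection, blocking the pool at the egress firewall is a containment step that works even when the fileless payload itself cannot be found on disk; the low-severity port hits (the build server on 4444 above) need a look at the endpoint before anything is blocked.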
Third, websites have become the biggest culprits in cryptocurrency mining campaigns, specifically CoinHive and its derivatives. Coinhive is a cryptocurrency mining service that relies on a small chunk of computer code designed to be installed on websites. The code utilizes all of the computing power of any browser that visits the site in question, enlisting the machine in a bid to mine cryptocurrency. Coinhive is pitched as a way for website owners to earn an income without running intrusive or annoying advertisements. However, Coinhive’s code has emerged as the top malware threat because attackers also install it on compromised websites. If you surf to a particular website with no additional browser tabs and no other applications running, and notice a huge spike in CPU usage while on that website, then it is likely running a cryptocurrency mining campaign such as CoinHive unbeknownst to its visitors. Commonly, cryptocurrency mining malware will automate and force visits to these particular websites in foreground and background browser tabs to generate cryptocurrency revenue.
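The browser-side check the text describes (a CPU spike on one page) can be complemented server-side or in a proxy by scanning the page source for the miner library. The following added example (not HLC’s code and not the logic of any named extension) looks for the public CoinHive library filenames and its `CoinHive.Anonymous` / `CoinHive.User` constructor calls in fetched HTML; the two sample pages are constructed, and the signature list is deliberately short, so a real deployment would extend it as new miner derivatives appear.

```python
"""Scan fetched HTML for browser-miner script signatures (CoinHive family).

Added example, not HLC's code. Signatures are the CoinHive library filename
(and its opt-in AuthedMine sibling) plus the public constructor names; the
sample pages are constructed and use the reserved .invalid TLD.
"""
import re
from html.parser import HTMLParser

MINER_SCRIPT_SRCS = ("coinhive.min.js", "authedmine.min.js")
MINER_API_PATTERNS = (
    re.compile(r"\bCoinHive\.(Anonymous|User)\s*\(", re.I),
)

INFECTED_PAGE = """<html><head><title>Free stuff</title>
<script src="https://coinhive.example.invalid/lib/coinhive.min.js"></script>
</head><body>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</body></html>"""

CLEAN_PAGE = """<html><head><script src="/static/app.js"></script></head>
<body><script>console.log("hello");</script></body></html>"""


class MinerScriptFinder(HTMLParser):
    """Collects ("external", src) for known miner script URLs and
    ("inline", matched_text) for inline scripts that call the miner API."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        self._in_script = True
        self._buf = []
        src = dict(attrs).get("src") or ""
        if any(name in src.lower() for name in MINER_SCRIPT_SRCS):
            self.findings.append(("external", src))

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as data chunks; buffer them.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf)
            for pat in MINER_API_PATTERNS:
                m = pat.search(body)
                if m:
                    self.findings.append(("inline", m.group(0)))
                    break
            self._in_script = False


def find_miner_scripts(html):
    """Return the list of miner indicators found in an HTML document."""
    parser = MinerScriptFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for page_name, page in (("infected", INFECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(page_name, find_miner_scripts(page))
```

A match on the inline constructor is the stronger signal: a copied library under a different filename still has to instantiate the miner, whereas the filename check is defeated by renaming.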
By now, you’ve learned that cryptocurrency mining malware is something you want to avoid. How do you avoid infection? And what should you do upon learning you’re infected?
You didn’t think you would make it through this article without yet another reference to common sense, right? As previously described, the numerous methods used by cryptocurrency mining malware center around careless mistakes, such as installing trojanized mobile apps from your app store of choice (Apple App Store or Google Play), opening a malicious attachment, or surfing to a website with malicious code installed. Since no one reading this is going to be happy with the gratuitous common sense takeaway, here are some other simple steps to take if you’d like additional protection to ward off pesky cryptocurrency mining malware:
First, avoid mobile apps with few or no app reviews. Apple has an extensive mobile app review process, but trojanized apps still find a way through, as we saw with the XcodeGhost malware that was installed in over 4000 mobile apps. Review the mobile app developer’s logo and profile to confirm that the app you’re about to download is not merely a copy of a legitimate app with malware added by a malicious actor. This practice is more prevalent on Google Play because of the open source policy and developer freedom that Android practices, which results in less oversight of mobile app distribution.
Second, install a trusted browser extension to detect CoinHive website code. Common Chrome browser extensions that block CoinHive code are Miner Detector, Coin-Hive Blocker and No Coin. These browser blockers review a website’s code and alert the end user that CoinHive or other common cryptocurrency mining code has been detected and blocked. As with malicious mobile apps, ensure that the browser extension you are installing is not a knock-off of a trusted browser extension, because malware creators are always looking for any method to get you to make that careless mistake.
Third, while your standard anti-virus software is rendered useless against fileless cryptocurrency mining malware, it can protect you against the network traffic required to participate in a cryptocurrency mining pool. Large anti-virus software companies have the scalable resources to identify and research cryptocurrency mining campaigns and thus are constantly updating their host firewall rules to ensure that network traffic to the aforementioned command and control and cryptocurrency mining servers is blocked. This feature eliminates the need for users to tediously monitor cryptocurrency mining pools and update their hosts file to redirect network traffic bound for those C&C servers.
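The hosts-file approach the text mentions is worth doing carefully even when a vendor feed is not in use: the blocklist should live in a clearly marked section that can be refreshed without clobbering the user’s own entries, and removing a domain from the list should actually unblock it. The following added example (not HLC’s or any anti-virus vendor’s mechanism) implements such a managed section as pure text functions, so it can be tested without touching `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`; the pool domains are constructed placeholders.

```python
"""Maintain a managed cryptominer blocklist section in a hosts file.

Added example, not HLC's code. Works on the file text only; writing the
result back (with a backup) is left to the caller. Domains are constructed.
"""
BEGIN = "# BEGIN cryptominer-blocklist (managed; do not edit by hand)"
END = "# END cryptominer-blocklist"
SINKHOLE = "0.0.0.0"  # unroutable, fails fast; 127.0.0.1 would hit local services

# Constructed sample hosts file and blocklist (note the duplicate and the
# mixed case, which are normalised away).
SAMPLE_HOSTS = """127.0.0.1 localhost
::1 localhost
192.168.1.10 fileserver.corp.example
"""
POOL_DOMAINS = [
    "pool.example-mining.invalid",
    "XMR.Example-Pool.invalid",
    "pool.example-mining.invalid",
]


def apply_blocklist(hosts_text, domains):
    """Return hosts_text with exactly one managed section listing `domains`.

    Lines outside the markers are preserved verbatim; any earlier managed
    section is dropped and rebuilt, so the operation is idempotent and a
    domain removed from `domains` is unblocked on the next apply."""
    kept, inside = [], False
    for line in hosts_text.splitlines():
        if line.strip() == BEGIN:
            inside = True
            continue
        if line.strip() == END:
            inside = False
            continue
        if not inside:
            kept.append(line)
    while kept and not kept[-1].strip():
        kept.pop()  # avoid accumulating blank lines between applies

    norm = sorted({d.strip().lower() for d in domains if d.strip()})
    section = [BEGIN] + [f"{SINKHOLE} {d}" for d in norm] + [END]
    body = kept + [""] + section if kept else section
    return "\n".join(body) + "\n"


def blocked_domains(hosts_text):
    """Parse the managed section back into a list of domains."""
    inside, found = False, []
    for line in hosts_text.splitlines():
        if line.strip() == BEGIN:
            inside = True
            continue
        if line.strip() == END:
            break
        if inside:
            parts = line.split()
            if len(parts) >= 2 and parts[0] == SINKHOLE:
                found.append(parts[1])
    return found


if __name__ == "__main__":
    print(apply_blocklist(SAMPLE_HOSTS, POOL_DOMAINS))
```

A hosts entry only affects name resolution, so a miner that is configured with a pool’s IP address rather than a hostname bypasses it; that is why the text’s host firewall rules, which match on destination address and port, are the complementary control rather than a substitute.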
As we’ve discussed, cryptocurrency mining malware has gone mainstream and will only continue to grow in deployment and proliferation, thanks in large part to cryptocurrencies’ values and the difficulty of detecting it confidently. As we face this increasing threat, we must remain vigilant in the proactive steps we take to avoid and remediate cryptocurrency mining malware. Those steps combine the common sense practices discussed above with relying on a trusted provider like HLC to help you navigate pre- and post-infection troubles. That powerful combination is necessary in the continually escalating battle against cryptocurrency mining malware and other emerging malware types.