Cybercriminals are always on the lookout for clever ways to turn new technology into money-making opportunities. Cryptojacking is one of their latest innovations
What is cryptojacking?
Cryptojacking is the unauthorized use of an individual or organization’s computer to secretly mine for cryptocurrency.
Cybercriminals are always on the lookout for clever ways to turn new technology into money-making opportunities. Cryptojacking is one of their latest innovations.
In late October, cybersecurity company Webroot included cryptojackers in its list of the nastiest malware of 2019, and described it as “low-risk, guaranteed money that’s less ‘malicious’ than ransomware”.
Although fairly recent, cryptojacking has already evolved into a complex threat model, coming in various flavors and targeting different types of physical and virtual devices.
A primer on cryptocurrency mining (‘crypto-mining’)
Most cryptocurrencies, including bitcoin and ether, use a mechanism called “mining” to maintain the integrity and security of the blockchain, the distributed ledger that keeps track of their payments.
Every time a new block of transactions is added to the blockchain, a network of computers called ‘miners’ validate the data by solving complex mathematical problems.
After the registration of every new block, an amount of new cryptocurrency is created and awarded to the miner that solved the validation equation first.
In the past years, cryptocurrency mining (or ‘crypto-mining’) has become a lucrative business. Dedicated crypto-mining farms consist of large arrays of powerful computers to compete for cryptocurrency rewards and rake in billions of dollars every year.
Naturally, the evolution of cryptocurrency mining has also drawn the interest of malicious hackers and given rise to cryptojacking.
Most cryptocurrencies make use of crypto-mining to ensure the integrity and security of the blockchain
How does cryptojacking work?
Cryptojacking works by secretly using your computer’s resources to mine cryptocurrencies for the hackers who control them.
This malware-based crypto-mining technique has emerged in the past couple of years, in parallel to the rise in popularity of cryptocurrencies.
In a nutshell, a cryptojacker is malicious software that hijacks your computer’s CPU to perform cryptocurrency mining calculations and grab the rewards.
Cryptojacker developers consolidate resources from network infected computers to create large, powerful mining pools.
Cryptojacking works by secretly using your computer’s resources to mine for cryptocurrency
What’s the benefit of cryptojacking?
Traditional cryptocurrency mining farms spend most of their revenue on hardware costs and electricity bills. Cryptojackers transfer all those costs to the owners of the infected computers.
There are a handful of companies that have turned cryptojacking into an official, legitimate business. But for the most part, cryptojacking remains an illicit activity, conducted through the spread of malware and shady browser scripts, allowing cybercriminals to sit back and watch the cryptocurrency roll in.
When did cryptojacking first appear?
“Cryptojacking came out of the woodwork in late 2017 when bitcoin was surging,” Tyler Moffitt, cryptojacking researcher at Webroot, told The Daily Swig.
Browser-based crypto-mining was supposed to be an alternative to displaying ads. It required the consent of both the site owner and the visitors.
Soon after its release, Coinhive’s code started appearing on thousands of websites. But in most cases, neither the owners of the sites nor the visitors knew of the existence of cryptojacking code on the website.
The scripts were embedded by hackers who were exploiting vulnerabilities in the targeted websites to secretly drain the resources of visitors’ devices and mine cryptocurrency for their own cryptocurrency wallets.
Coinhive shut down its service in March this year, but its scripts and replicas of its software remain in use.
“Bad press along with decreased profitability made it an easy choice for Coinhive to quit operations. However, there are plenty of copycat cryptojacking service providers still operational right now,” Moffitt says.
How popular is cryptojacking?
While the general decline in the value of cryptocurrencies has had a huge impact on traditional cryptocurrency mining operations, illicit cryptojacking is largely immune to cryptocurrency price fluctuations.
“This type of malware practically runs itself and the return on investment for attackers is still great. When your cost to run a mining botnet approaches zero, small price swings don't affect you,” Ophir Harpaz, security researcher at Guardicore, told The Daily Swig.
“As long as cryptocurrency (bitcoin) is worth something then these types of attacks will continue,” Moffitt adds.
How much money is in cryptojacking?
Since cryptojacking is used to mine privacy-oriented coins, it is very difficult to calculate the precise income of these operations globally.
On one hand, a large-scale campaign that resulted in cryptojacking malware being installed on tens of thousands of servers was estimated to be generating $10,000 per day.
Conversely, a “huge cryptojacking campaign” that turned more than 4,000 websites into covert crypto-miners was said to have netted the hackers just $24.
How to prevent cryptojacking
- Install an ad-blocker. Most will prevent cryptojacking scripts
- Keep systems updated
- Organizations can block URL/IPs of infected cryptojacking sites and domains of crypto-mining pools
- Implement network system monitoring to detect excessive resource utilization
- Educate end users on signs of infection
Cryptojacking, bitcoin and other privacy-oriented coins
Although bitcoin has picked up fame as a currency of choice for criminals, it is not anonymous, and authorities can trace payments as they move across different wallets.
That’s why hackers run most of their cryptojacking campaigns on Monero (XMR), a currency that is known for its privacy features and hidden payments.
Monero’s mining mechanism also makes it suitable for cryptojacking. The mining of bitcoin and ether have been monopolized by companies running expensive mining rigs with specialized ASIC processors, which makes it impossible for general computing devices to compete for mining rewards.
In contrast, Monero uses an ASIC-resistant mining algorithm, making it perfect for the kind of devices infected with cryptojacking malware.
“Monero can be mined profitably with consumer-grade CPUs. And consumer-grade laptops and desktops are exactly the types of target for criminals,” Moffitt says, adding that mining on victims’ hardware is not limited to Windows machines.
“It basically works on any device with a chip and an IP address. Phones, gaming consoles, and smart IoT devices can all mine cryptocurrency, even if their computing power is abysmal and will only make pennies a day.”
The evolution of cryptojacking attacks
Browser-based cryptojacking has declined in the past year, but other forms of crypto-mining malware have emerged.
“We mostly see crypto-miners spread as executable files that run right on top of the operating system. The attacks we observe start when a vulnerable server gets breached. Once an attacker gains access (by brute force, vulnerability exploitation, etc.), they can practically run anything they want on the machine,” Guardicore’s Harpaz says.
In May, Guardicore revealed a large cryptojacking campaign run by Chinese hackers, which exploited poor configurations in MS-SQL and phpMyAdmin servers to infect 50,000 computers with cryptojacking malware. The malware used several techniques to pose itself as legitimate software and evade endpoint security tools.
“It seems that crypto-mining malware is evolving in its sophistication. Attackers are trying to better hide and better protect their payloads on the infected systems,” Harpaz notes.
For instance, Guardicore researchers have observed attackers tune their cryptojacking malware to only use partial resources of infected machines instead of occupying 100% CPU power. The attackers also hide their malicious payloads in seemingly legitimate processes and use kernel-mode code to prevent suspicious users from terminating the malware.
Another case in August saw security software vendor Avast help French and US authorities bring down the Retadup worm, which had infected 850,000 Windows machines to run the XMRig crypto-miner software.
Retadup used fileless techniques to avoid detection by security software. To avoid arousing suspicion, the worm suspended its operation whenever the user opened the Task Manager.
A cryptojacker discovered by Malwarebytes in June also manifested equally sophisticated behavior. Targeted at MacOS computers and codenamed Bird Miner, the malware suspended its mining whenever Activity Monitor was running. It ran the crypto-miner in a Linux emulator to further complicate discovery.
More recently, cryptojacking has found its way into Docker containers. As reported by The Daily Swig in October, the Graboid cryptojacking worm spread to 2,000 unsecured Docker hosts before being neutralized.
How do I protect against cryptojacking?
While cryptojackers use various sophisticated techniques to hide their activities, they gain their foothold through old tactics, such as targeting unpatched and vulnerable systems.
“Attackers are increasingly taking advantage of exploits in various software, web-based applications and Linux/IoT based devices to deploy cryptojacking code,” Adam Thomas, threat researcher at Malwarebytes, says to The Daily Swig.
“Ensure your systems are kept up to date and run reputable security software.”
For end users, most ad-blockers will do a good job of preventing cryptojacking scripts from running on their browsers.
For organizations, Webroot’s Moffit recommends blocking URL/IPs of the sites infected with cryptojacking scripts and the domains of crypto-mining pools at the company level.
“There are a whole bunch of domains out there and will likely only grow, but blocking the big pools is a good idea. If no communication can be made to these servers, then the miners simply won’t mine,” he says.
Thomas also recommends using network system monitoring to detect excessive resource utilization and educating end users to be aware of the signs of infection.
“For cryptojackers, compute power is money. Be on the lookout for resource usage spikes, unexpected network connections, and irregular activity, and set up a monitoring solution that can quickly spot lurking malware that has breached the firewall,” Guardicore’s Harpaz adds.
“Cryptojackers are the craftiest of cybercriminals. Security teams need to be just as clever to outsmart them.”