Cryptocurrencies continue to make headlines, and generally for all the wrong reasons. As cryptocurrency continues to fluctuate in value, we are seeing a plethora of new cryptocurrency malware emerging. This reflects the evolution of modern malware, with variants attacking computer systems globally, hijacking them to mine cryptocurrencies and capitalizing on the victim’s resources. Crypto-malware is literally making money.
It is no surprise that crypto-malware has been proliferating, as digital currencies provide a level of anonymity and are rather profitable. It is, however, probably the worst of all malware. This new age of crypto-jacking malware simply uses the end user’s device to mine cryptocurrency when they visit an infected site.
More websites are adopting cryptocurrency mining through visitors instead of running ads to fund their businesses. Recently, the popular torrent site The Pirate Bay ran a bitcoin miner as an alternative to ads to generate funds for the business. This new income-generating scheme caused users’ central processing unit (CPU) and electricity usage to skyrocket while degrading the performance of their devices. Coincidentally, advertising revenue is dropping significantly.
If you have not heard of bitcoin, then you must be living under a rock. Undoubtedly the most famous cryptocurrency, it is generated by “mining.” By mining, I mean a computationally intensive task that uses a lot of energy and processing power to verify transactions. Successful miners are rewarded with a “coin,” which is added to a digital wallet — or, in the case of crypto-jacking, to the digital wallet belonging to the hackers. For the first time, malware can directly “print money” for criminals.
On its own, a personal computer would not be powerful enough to profitably mine cryptocurrencies — the operative word being “profitably.” Mining done properly requires dedicated rigs built from specialized hardware and lots of electricity. Note that there are different cryptocurrency algorithms, some of which are more intense and require more computing power than others.
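To make the “computationally intensive” claim concrete, the following is an added example (not code from the original article) of a toy proof-of-work miner: it double-SHA-256 hashes a constructed block header with successive nonces until the result has a required number of leading zero bits, then measures this machine’s hash rate and projects how long higher difficulties would take on average. The header bytes, the difficulty values and the 20,000-hash sample size are assumptions chosen for illustration; the point is that expected effort doubles with every difficulty bit, which is why a single PC’s share of the work is worth little to its owner but still costs real electricity when it is hijacked.

```python
import hashlib
import struct
import time

# Constructed toy header. A real Bitcoin header is 80 bytes of version,
# previous hash, merkle root, timestamp, target bits and nonce; the
# hashing principle demonstrated here is the same.
HEADER = b"toy-block-header-v1:prev=00..00:merkle=ab..cd:time=1700000000"


def block_hash(header: bytes, nonce: int) -> bytes:
    """Double SHA-256 of header || little-endian 32-bit nonce (as Bitcoin does)."""
    data = header + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in the digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """A hash 'wins' when it has at least difficulty_bits leading zeros."""
    return leading_zero_bits(digest) >= difficulty_bits


def expected_attempts(difficulty_bits: int) -> int:
    """Each leading bit is a fair coin flip, so the mean is 2**bits hashes."""
    return 2 ** difficulty_bits


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 2 ** 32):
    """Brute-force nonces in order; return (winning_nonce, attempts_made)."""
    for nonce in range(max_nonce):
        if meets_target(block_hash(header, nonce), difficulty_bits):
            return nonce, nonce + 1
    raise RuntimeError("nonce space exhausted without a solution")


def measure_hashrate(header: bytes, samples: int = 20000) -> float:
    """Hashes per second this interpreter manages on the toy header."""
    start = time.perf_counter()
    for nonce in range(samples):
        block_hash(header, nonce)
    return samples / (time.perf_counter() - start)


def expected_seconds(difficulty_bits: int, hashrate: float) -> float:
    """Mean time to find a solution at the given difficulty and hash rate."""
    return expected_attempts(difficulty_bits) / hashrate


if __name__ == "__main__":
    nonce, attempts = mine(HEADER, 16)
    print(f"difficulty 16 bits: nonce={nonce} found after {attempts} attempts")
    rate = measure_hashrate(HEADER)
    print(f"this CPU: about {rate:,.0f} hashes/s")
    for bits in (16, 32, 48, 64):
        print(f"{bits:>2} bits: ~{expected_seconds(bits, rate):.3g} s expected")
```

Running it shows a 16-bit difficulty solved in a fraction of a second, while each further 16 bits multiplies the expected time by 65,536; a browser tab running the same kind of loop burns the visitor’s CPU and power regardless of whether it ever finds a block.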
How Does This Happen?
However, Malwarebytes researcher Jerome Segura recently uncovered a simple technique that allows the mining to continue even after the window has been closed. The trick lies in creating a pop-up hidden window, sized to fit right under the taskbar, hiding it from the user’s view. These crypto miners tap into the computer’s resources, putting them to work mining cryptocurrency. Unfortunately, while user hardware and electricity are being used to generate money for these entities, users get none of it. Instead, they get degraded computer performance and wear on their components.
This has been a long-voiced concern for so-called third-party software. Many organizations allow application programming interfaces (APIs) and other plugins into their systems and/or environments. Coupled with the delivery of such software via libraries, it means the plugins can be tampered with or replaced with infected software. Any organization should focus on checking and validating the use of plugins and third-party software as a prudent approach to managing digital risk.
A number of protective mechanisms exist that can be deployed to manage the spread of cryptocurrency miners, but the best option right now is to block known mining domains. An even better option that does require some effort is to add these sites to the hosts file of the operating system so that these domains resolve to localhost, effectively blackholing the script.
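The hosts-file blackhole described above, as an added example that is not part of the original article: a small Python tool that maintains a clearly delimited block of sink entries in a hosts file without disturbing the rest of it, and a checker that parses the file the way a resolver would (first matching entry wins, comments ignored) to confirm a given domain really lands on loopback or the unspecified address. The domain names are constructed placeholders under the reserved `.invalid` TLD; a real deployment would feed in a maintained block list. The marker comments, the `0.0.0.0` sink choice and the file paths in `main` are assumptions.

```python
import ipaddress
import re
import sys
from pathlib import Path

# Constructed placeholder domains (reserved .invalid TLD); replace with a
# maintained block list of known mining domains in real use.
MINING_DOMAINS = [
    "miner.example-cryptojack.invalid",
    "cdn.example-miner-loader.invalid",
]

# Markers that delimit the section this tool owns inside the hosts file.
BEGIN = "# BEGIN cryptojacking-blackhole"
END = "# END cryptojacking-blackhole"
# 0.0.0.0 fails to connect immediately; 127.0.0.1 also blackholes but may
# reach a local web server if one is listening.
SINK = "0.0.0.0"


def render_block(domains, sink: str = SINK) -> str:
    """Build the managed section: one sink line per unique, lower-cased domain."""
    entries = sorted({d.strip().lower() for d in domains if d.strip()})
    return "\n".join([BEGIN] + [f"{sink} {d}" for d in entries] + [END])


def merge_hosts(existing: str, domains, sink: str = SINK) -> str:
    """Replace the managed section if present, otherwise append it (idempotent)."""
    block = render_block(domains, sink)
    pattern = re.compile(re.escape(BEGIN) + r".*?" + re.escape(END), re.S)
    if pattern.search(existing):
        return pattern.sub(lambda _m: block, existing)
    sep = "" if existing == "" or existing.endswith("\n") else "\n"
    return existing + sep + block + "\n"


def parse_hosts(text: str) -> dict:
    """Map hostname -> address for active entries; first match wins like a resolver."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def is_blackholed(text: str, domain: str) -> bool:
    """True if the hosts text sends the domain to loopback or 0.0.0.0 / ::."""
    addr = parse_hosts(text).get(domain.lower())
    if addr is None:
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def main(argv):
    # Dry run: print what the merged hosts file would look like. Writing it
    # requires administrator/root rights and is left to the operator.
    default = (r"C:\Windows\System32\drivers\etc\hosts"
               if sys.platform.startswith("win") else "/etc/hosts")
    path = Path(argv[1] if len(argv) > 1 else default)
    current = path.read_text() if path.exists() else ""
    merged = merge_hosts(current, MINING_DOMAINS)
    print(merged)
    for d in MINING_DOMAINS:
        print(f"{d}: blackholed={is_blackholed(merged, d)}", file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```

Keeping the entries between fixed markers means the list can be refreshed by re-running the tool rather than by hand-editing, and the checker gives a quick audit that a hosts-file control is actually in effect before relying on it.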
While web browsers are incorporating anti-crypto-mining capabilities, most common browsers do not detect or block crypto miners. However, some anti-malware and antivirus programs can detect and block crypto-jacking code when users visit a webpage. Installing ad-blocking, anti-crypto-mining extensions on web browsers can be effective in stopping such scripts from running. The key here is to use a highly regarded and maintained provider to ensure that it is regularly updated and does not evolve into an adware nightmare. The “No Coin” extension is available for Firefox, Chrome and Opera, but sadly not for Microsoft’s and Apple’s browsers. The ad-blocking extension Adblock Plus also has some capability to detect crypto-mining scripts.
It is important to note that cryptocurrency-mining malware employs the same modus operandi as many other cyber threats: They all exploit vulnerabilities, arriving through everything from malware-laden spam emails to third-party junkware or tampered plugins. For example, Adylkuzz leverages the EternalBlue exploit and DoublePulsar backdoor — the same security flaw that the WannaCry ransomware used to much destructive effect. At the same time, CPUMiner uses SambaCry, the Linux sequel to WannaCry, exploiting a vulnerability in Samba, an open-source network application.
Earlier, I mentioned that a reasonable explanation for why some sites may be using a cryptocurrency miner is to generate revenue. It certainly is an interesting trade-off against all the ads and banners that some sites bombard visitors with. Ideally, the website would inform the visitor that a miner was running and allow the user to make an informed decision. After all, no one likes being taken advantage of. It is just a matter of time before these miners get weaponized and used for more nefarious purposes beyond just generating revenue. There are similarities to the earlier days of spam, which steadily grew with the addition of more malicious attachments.