The Cryptomining Malware Family

Sivan Nir Mar 29, 2018

Cryptominers have become their own class of malware, growing in popularity as a low-risk, high-reward way for cybercriminals to make an easy crypto-buck. In this post, we’ll look at the members of the cryptomining malware family and their techniques.

Browser-Based Cryptomining Software

CoinHive, Crypto-Loot and JSEcoin allow website owners to legitimately monetize website traffic. Favoring CoinHive, threat actors have used this code on compromised websites, affecting both website owners and visitors.

Hackers have also found ways to circumvent all the downsides of browser-based mining: no user permission is requested, a hidden browser window is left open to continue mining even after the user leaves the compromised site, and the maximum amount of the CPU is used.

Cryptocurrency Wallet Stealers

Next in the cryptomining malware family, the cryptocurrency wallet stealer. This breed of malware includes ComboJack (exploits CVE-2017-8579, delivered via malspam and phishing), CryptoShuffler (exploits CVE-2017-8579) and Evrial (a malware-as-a-service). All differ in their supported cryptocurrencies.

Cryptocurrency wallet stealers scan the victim’s clipboard every half second for anything resembling a wallet address of cryptocurrencies. They then replace that address with the attacker’s wallet address, funneling money to the attackers.

Cryptominer-Dedicated Applications

Cryptomining malware in the form of dedicated applications has increasingly become a multi-platform threat, being deployed wherever it can generate the highest return on investment. These applications are distributed via phishing attacks, hacked apps, vulnerability exploits or exploit kits (e.g., RIG and Terror).

Examples include:

  • Targeting Windows – CoinMiner, Adylkuzz, Smominru, WannaMine, BondNet, Digimine
  • Targeting Linux – EternalMiner
  • Targeting macOS – Pwnet
  • Targeting mobile – BadLepricon, Loapi
  • Specifically targeting servers – Jenkins Miner, Ruby Miner, Zealot, miners exploiting vulnerabilities in Oracle Web Logic Servers and PHP’s Network Weathermap plug-in
  • Top vulnerabilities being exploited for distribution — SambaCry (CVE-2017-7494), EternalBlue (CVE-2017-0144), CVE-2017-1000353 in Jenkins, CVE-2013-0156 in Ruby on Rails, CVE-2013-2618 in PHP’s Network Weathermap plug-in, CVE-2017-10271 in Oracle Web Logic Servers, CVE-2017-5638 in Apache Struts Jakarta Multipart Parser, CVE-2017-9822 in DotNetNuke (DNN) content management system

Cryptomining-dedicated apps are also getting more sophisticated, using various tricks:

  • Persistent — scheduling download tasks
  • Exclusive — deleting scheduled tasks of other known cryptominers or killing other cryptominers’ processes
  • Evasive — avoiding detection by limiting CPU usage
  • Propagative — using Mimikatz and EternalBlue for lateral movement across Windows environments

How to Stay Safe From Cryptomining Malware

  • Patch! Many of the vulnerabilities cryptomining malware rely on have available fixes. Patching servers should be given highest priority.
  • Block browser-based cryptomining software: This can be done by installing a plugin to warn you when a site is trying to mine, or by blocking the mining domains.
  • Don’t get phished: Beware of suspicious emails and don’t click on any suspicious attachments or links.
  • Stay vigilant: Always double check the address you’re sending your cryptocurrency to after you paste into your wallet.
  • Don’t download from rando sites: Make sure you don’t download mobile apps from any other source than the official app store.

Related Posts

Cryptominers More Lucrative, Lower Risk Than Ransomware: What is cryptomining? What makes it malicious? And why is it becoming the darling of cybercriminals?

Top Malware in 2018 — What to Watch For: Skybox’s new Vulnerability and Threat Trends Report lays out the top malware and points to the trend of hybrid, changeling malware

6 Vulnerabilities to Follow in 2018, According to Skybox Research Lab: Skybox’s new Vulnerability and Threat Trends Report lays out the vulnerabilities to play a major role in 2018’s threat landscape

Sivan Nir is a senior analyst in the Skybox Research Lab, a team of dedicated vulnerability researchers who aggregate and analyze vulnerability data from more than 30 public and private vulnerability data sources. Sivan has more than 10 years’ experience  in business intelligence data analysis. Sivan holds an MBA and a bachelor’s degree in Biotechnology Engineering.

Recent Posts

What’s new in the Skybox Security version 11.5 release
Read More
Cryptomining is hottest new malware type, research reveals
Read More
Three ways to modernize your OT security programs
Read More
How to manage third-party cyber risk in banking and financial services
Read More
Vulnerability and Threat Trends Report highlights the importance of cyber exposure analysis that goes beyond CVSS rating
Read More
Skybox 2021 Vulnerability and Threat Trends mid-year report
Read More