The Cryptomining Malware Family
Sivan Nir Mar 29, 2018
Cryptominers have become their own class of malware, growing in popularity as a low-risk, high-reward way for cybercriminals to make an easy crypto-buck. In this post, we’ll look at the members of the cryptomining malware family and their techniques.
Browser-Based Cryptomining Software
CoinHive, Crypto-Loot and JSEcoin allow website owners to legitimately monetize website traffic. Favoring CoinHive, threat actors have used this code on compromised websites, affecting both website owners and visitors.
Threat actors have also found ways around the limitations of browser-based mining from their point of view: no user permission is requested, a hidden browser window is left open so mining continues even after the user leaves the compromised site, and the CPU is driven to its maximum.
Cryptocurrency Wallet Stealers
Next in the cryptomining malware family is the cryptocurrency wallet stealer. This breed of malware includes ComboJack (exploits CVE-2017-8579, delivered via malspam and phishing), CryptoShuffler (exploits CVE-2017-8579) and Evrial (a malware-as-a-service). All differ in their supported cryptocurrencies.
Cryptocurrency wallet stealers scan the victim’s clipboard every half second for anything resembling a cryptocurrency wallet address. They then replace that address with the attacker’s wallet address, funneling money to the attackers.
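As an added illustration of the clipboard-swap technique just described and of the "double check the address after you paste" advice later in the post (example code written for this page, not code from the original post or from any of the named malware families), the following Python checks a series of clipboard snapshots for a wallet address that was silently replaced by a different address of the same currency within the stealer's polling window; the address patterns, the one-second window and the sample values are constructed assumptions.

```python
import re

# Constructed address patterns for two currencies (real stealers carry
# currency-specific sets); extend the table for the coins you care about.
ADDRESS_PATTERNS = {
    "bitcoin_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "bitcoin_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return the name of the pattern `text` matches, or None."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return kind
    return None

def find_swaps(snapshots, max_gap_s=1.0):
    """Flag consecutive snapshots (timestamp_s, clipboard_text) where a wallet
    address became a *different* address of the same kind within max_gap_s.
    A stealer polling every half second leaves exactly this signature; a user
    copying two different addresses within a second is rare, so the alert is
    worth a manual check before funds are sent."""
    alerts = []
    for (t_before, before), (t_after, after) in zip(snapshots, snapshots[1:]):
        kind_before, kind_after = address_kind(before), address_kind(after)
        if (kind_before and kind_before == kind_after
                and before.strip() != after.strip()
                and t_after - t_before <= max_gap_s):
            alerts.append((t_before, t_after, kind_before,
                           before.strip(), after.strip()))
    return alerts

# Constructed sample values (not real wallets): the user copies an address at
# t=10.0s and half a second later the clipboard holds a different one.
ORIG_ADDRESS = "1ExampLeMnopQrstUvwxyz23456789ABCD"
SWAPPED_ADDRESS = "3AttackerCtrLdAddrExampLe2345678WX"
ETH_ADDRESS = "0xabcdef0123456789abcdef0123456789abcdef01"
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (10.0, ORIG_ADDRESS),
    (10.5, SWAPPED_ADDRESS),
    (30.0, ETH_ADDRESS),
    (45.0, ETH_ADDRESS),  # unchanged, so no alert
]

if __name__ == "__main__":
    for t0, t1, kind, before, after in find_swaps(SAMPLE_SNAPSHOTS):
        print(f"{kind} address changed between t={t0}s and t={t1}s: {before} -> {after}")
```

Feeding it real clipboard history would need an OS-specific poller; the detection logic itself is what the stealer's fixed polling interval makes tractable.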
Cryptomining-Dedicated Applications
Cryptomining malware in the form of dedicated applications has increasingly become a multi-platform threat, being deployed wherever it can generate the highest return on investment. These applications are distributed via phishing attacks, hacked apps, vulnerability exploits or exploit kits (e.g., RIG and Terror).
- Targeting Windows – CoinMiner, Adylkuzz, Smominru, WannaMine, BondNet, Digimine
- Targeting Linux – EternalMiner
- Targeting macOS – Pwnet
- Targeting mobile – BadLepricon, Loapi
- Specifically targeting servers – Jenkins Miner, Ruby Miner, Zealot, miners exploiting vulnerabilities in Oracle WebLogic Server and PHP’s Network Weathermap plug-in
- Top vulnerabilities being exploited for distribution — SambaCry (CVE-2017-7494), EternalBlue (CVE-2017-0144), CVE-2017-1000353 in Jenkins, CVE-2013-0156 in Ruby on Rails, CVE-2013-2618 in PHP’s Network Weathermap plug-in, CVE-2017-10271 in Oracle WebLogic Server, CVE-2017-5638 in Apache Struts Jakarta Multipart Parser, CVE-2017-9822 in DotNetNuke (DNN) content management system
Cryptomining-dedicated apps are also getting more sophisticated, using various tricks:
- Persistent — scheduling download tasks
- Exclusive — deleting scheduled tasks of other known cryptominers or killing other cryptominers’ processes
- Evasive — avoiding detection by limiting CPU usage
- Propagative — using Mimikatz and EternalBlue for lateral movement across Windows environments
How to Stay Safe From Cryptomining Malware
- Patch! Many of the vulnerabilities cryptomining malware relies on have available fixes. Patching servers should be given the highest priority.
- Block browser-based cryptomining software: This can be done by installing a plugin to warn you when a site is trying to mine, or by blocking the mining domains.
- Don’t get phished: Beware of suspicious emails and don’t click on any suspicious attachments or links.
- Stay vigilant: Always double check the address you’re sending your cryptocurrency to after you paste into your wallet.
- Don’t download from rando sites: Make sure you don’t download mobile apps from any other source than the official app store.