Cryptocurrencies have been generating much buzz of late. While some governments are at work to regulate transactions involving them, there are others that want to stop mining activities related to them altogether. We have noted that cybercriminals have been actively engaged in cryptocurrency-mining malware activities, ranging from those that exploit consumer hardware graphics processing units (GPUs) to those that take advantage of users’ mobile devices.
Crime follows the money, as the saying goes, and once again, cybercriminals have acted accordingly. The underground is flooded with so many offerings of cryptocurrency malware that it must be hard for the criminals themselves to determine which is best. This kind of malware, also known as cryptomalware, has a clear goal, which is to make money out of cryptocurrency transactions. This can be achieved through two different methods: stealing cryptocurrency and mining cryptocurrency on victims’ devices surreptitiously (without the victims noticing), a process also known as cryptojacking. In this post, we discuss how these two methods work, and see whether devices connected to the internet of things (IoT), which are relatively underpowered, are being targeted.
How cryptocurrency-mining and cryptocurrency-stealing malware work
Just like ordinary malware, cryptomalware may assume different forms, ranging from client-side web scripts to mobile applications. With the popularity of online services that make the mining process much easier, it’s worth noting that we have seen an increase in web-based, client-side cryptocurrency-mining malware written in JavaScript. This threat is not restricted to computers, though. Virtually any internet-connected device may become part of a mining botnet. Criminals just need the code required to make this happen. And they are already developing it, as you’ll soon see here. The usual cryptocurrency-mining malware modus operandi goes as follows:
- Dropper code runs on the victim’s device without the victim’s permission (as with any other malware), either via scripts or via proper executables. To this end, cybercriminals may attack exposed computer infrastructures, launch phishing scams, or maliciously use such tools as browser extensions, mobile apps, and instant messaging.
- Miner code runs on the victim’s device and starts using its computing power to calculate hashes. At this point, the victim may notice slower performance on the device or, in the case of a computer, noisier fans as the device tries to cool itself.
- The results of the calculations are sent back to the attacker or directly to an online mining pool, either malicious (exclusively set up to support cybercrime) or not. The attacker then converts the results into cryptocurrency.
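The three steps above leave two observable traces on a device: a process that keeps the CPU busy (step 2) and outbound traffic speaking a mining pool protocol (step 3). The following is an added detection example, not Trend Micro code; it assumes a hypothetical telemetry format of CPU samples and captured outbound payloads, and it uses the JSON-RPC method names that stratum-style pools are known to use.

```python
"""Hypothetical detection logic for the mining modus operandi: flag a process
that sustains high CPU across several samples AND sends mining-pool messages.
Added illustration; the event format below is an assumption."""
import json
from collections import defaultdict

# JSON-RPC method names used by stratum-style mining pools (real names).
POOL_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                "login", "submit", "getjob"}


def pool_method(payload: str):
    """Return the JSON-RPC method if the payload looks like pool traffic, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    method = msg.get("method") if isinstance(msg, dict) else None
    return method if method in POOL_METHODS else None


def find_miners(events, cpu_threshold=80.0, min_samples=3):
    """events: dicts with 'type' in {'cpu', 'net'}, 'proc', and either
    'pct' (a CPU sample) or 'payload' (first bytes of an outbound send).
    Returns {proc: [pool methods seen]} only for processes that both
    sustain high CPU and emit pool protocol messages."""
    busy = defaultdict(int)
    methods = defaultdict(list)
    for ev in events:
        if ev["type"] == "cpu" and ev["pct"] >= cpu_threshold:
            busy[ev["proc"]] += 1
        elif ev["type"] == "net":
            m = pool_method(ev["payload"])
            if m:
                methods[ev["proc"]].append(m)
    return {p: methods[p] for p in methods if busy[p] >= min_samples}


# Constructed sample telemetry (process names and payloads are made up).
SAMPLE_EVENTS = [
    {"type": "cpu", "proc": "kworkerd", "pct": 97.0},
    {"type": "net", "proc": "kworkerd", "payload":
     '{"id":1,"method":"login","params":{"login":"<wallet-placeholder>","pass":"x"}}'},
    {"type": "cpu", "proc": "kworkerd", "pct": 99.0},
    {"type": "cpu", "proc": "kworkerd", "pct": 95.0},
    {"type": "net", "proc": "kworkerd", "payload": '{"id":2,"method":"submit","params":{}}'},
    {"type": "cpu", "proc": "ffmpeg", "pct": 92.0},  # busy, but no pool traffic
    {"type": "cpu", "proc": "ffmpeg", "pct": 90.0},
    {"type": "cpu", "proc": "ffmpeg", "pct": 91.0},
    {"type": "net", "proc": "curl", "payload": '{"id":1,"method":"login"}'},  # pool message, idle CPU
]

if __name__ == "__main__":
    print(find_miners(SAMPLE_EVENTS))  # {'kworkerd': ['login', 'submit']}
```

Requiring both signals keeps legitimate CPU-heavy work (the `ffmpeg` entries) and a lone pool-shaped message from an otherwise idle process out of the alert.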
Cryptocurrency-stealing malware differs from cryptocurrency-mining malware in the following steps:
- The malicious code can look for wallet addresses in local storage (text documents, configuration files, and so on) and monitor the device memory, including the clipboard. This way, when the victim copies and pastes a wallet address, the malware can replace it with its own address. This behavior reminds us of the Broban malware, which used similar techniques to redirect the destination of payment slips in Brazil in 2015.
- The malware intercepts cryptocurrency transactions. For each transaction, the amount, whatever the value, is directed into the criminals’ wallets without the user noticing it.
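The clipboard replacement in the first step is detectable from the user's side: a wallet address the user copied should not turn into a different address of the same type without another copy action. The following is an added example, not the page's own code; it assumes a hypothetical event stream of user copies and periodic clipboard polls, and the address shape checks are loose approximations, not full validation.

```python
"""Hypothetical check for the clipboard address swap described above: the user
copies a wallet address and the malware silently replaces it with its own.
Added illustration; event format and address patterns are assumptions."""
import re

# Loose shape checks for two common address formats (assumption: enough to
# tell "looks like a wallet address" apart from ordinary clipboard text).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "monero": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}


def address_type(text):
    """Return 'bitcoin', 'monero' or None for a clipboard string."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None


def detect_swaps(events):
    """events: ordered (source, text) pairs; source is 'user' for a copy the
    user made and 'poll' for a periodic read of the clipboard contents.
    Flags a poll that returns a different address of the same type as the
    last user copy, which is exactly what address-swapping malware does."""
    alerts = []
    last_user = None  # (type, text) of the most recent user copy
    for source, text in events:
        text = text.strip()
        kind = address_type(text)
        if source == "user":
            last_user = (kind, text)
        elif source == "poll" and last_user and kind and kind == last_user[0]:
            if text != last_user[1]:
                alerts.append({"expected": last_user[1], "found": text, "type": kind})
                last_user = (kind, text)  # do not re-alert on the same swap
    return alerts


# Constructed clipboard timeline (addresses are made up but well-formed).
SAMPLE_EVENTS = [
    ("user", "4" + "A" * 94),   # user copies a Monero-shaped address
    ("poll", "4" + "A" * 94),   # unchanged: fine
    ("poll", "4" + "B" * 94),   # silently replaced: alert
    ("user", "hello world"),    # ordinary text, ignored
    ("poll", "hello world"),
]

if __name__ == "__main__":
    print(detect_swaps(SAMPLE_EVENTS))
```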
Of course, a wide range of other attacks is possible. We have spotted phishing webpages for cryptocurrency exchangers, mixers, and other services (similar to what happens to online banking websites), but we’ll focus on cryptocurrency malware in this publication.
IoT as target of cryptocurrency-mining malware
The computing power of smartphones and IoT devices is much lower than that of servers or even laptops. However, we definitely see criminals creating cryptocurrency-mining malware to infect these devices. One example is DroidMiner, advertised in a forum in 2017:
Figure 1. Posting for silent Monero miner for smartphones
In the same forum, another actor offered a Monero miner for routers, available for different architectures. But he was immediately rebuffed by another member with a higher reputation, who said that it wasn’t worth anything, probably because of the limited processing power of these devices:
Figure 2. Posting for Monero miner for routers
It does seem that cryptocurrency malware is gaining traction as a topic in forums in the cybercriminal underground, with some dedicated to exploring whether compromising connected devices (however underpowered) for financial gain is a plausible venture. Still, it is not as profitable as other criminals may think — at least not yet.
Details on our cryptocurrency-mining malware findings in the underground, including the most targeted cryptocurrencies and advertised malware features, can be found in this research brief.
Protection against cryptocurrency-mining malware
Mining for cryptocurrency is a computationally intensive task that requires significant resources, not to mention high power consumption. Be that as it may, mining does generate money, and we do see related activity that steals the resources of infected machines, significantly degrading their performance and increasing their wear and tear. In fact, cryptocurrency mining was the most detected home network event by the Trend Micro™ Smart Home Network solution in 2017, while cryptocurrency-mining malware gained momentum toward the end of the year as detected by the Trend Micro™ Smart Protection Network™ infrastructure.
The adverse impact to affected devices makes cryptocurrency-mining malware a credible threat. To mitigate the risks, we recommend these best practices to users:
- Regularly update devices with their latest firmware to prevent attackers from taking advantage of vulnerabilities to get into systems.
- Change devices’ default credentials to avoid unauthorized access.
- Employ intrusion detection and prevention systems to deter malicious attempts.
- Be wary of known attack vectors, such as socially engineered links, attachments, and files from suspicious websites, dubious third-party applications, and unsolicited emails.
Users can also consider adopting security solutions that can provide protection from various iterations of cryptocurrency-mining malware through a cross-generational blend of threat defense techniques. Trend Micro™ XGen™ security provides high-fidelity machine learning that can secure the gateway and endpoint, and protect physical, virtual, and cloud workloads. With technologies that employ web/URL filtering, behavioral analysis, and custom sandboxing, XGen security offers protection against ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities. XGen security also powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.