Cyber criminals tend to favor cryptocurrencies because they provide
a certain level of anonymity and can be easily monetized. This href="https://www.fireeye.com/blog/threat-research/2018/04/cryptocurrencies-cyber-crime-blockchain-infrastructure-use.html">interest
has increased in recent years, stemming far beyond the desire to
simply use cryptocurrencies as a method of payment for illicit tools
and services. Many actors have also attempted to capitalize on the
growing popularity of cryptocurrencies, and subsequent rising price,
by conducting various operations aimed at them. These operations
include malicious cryptocurrency mining (also referred to as
cryptojacking), the collection of cryptocurrency wallet credentials,
extortion activity, and the targeting of cryptocurrency exchanges.
This blog post discusses the various trends that we have been
observing related to cryptojacking activity, including cryptojacking
modules being added to popular malware families, an increase in
drive-by cryptomining attacks, the use of mobile apps containing
cryptojacking code, cryptojacking as a threat to critical
infrastructure, and observed distribution mechanisms.
As transactions occur on a blockchain, those transactions must be
validated and propagated across the network. As computers connected to
the blockchain network (aka nodes) validate and propagate the
transactions across the network, the miners include those transactions
into "blocks" so that they can be added onto the chain. Each
block is cryptographically hashed, and must include the hash of the
previous block, thus forming the "chain" in blockchain. In
order for miners to compute the complex hashing of each valid block,
they must use a machine's computational resources. The more blocks
that are mined, the more resource-intensive solving the hash becomes.
To overcome this, and accelerate the mining process, many miners will
join collections of computers called "pools" that work
together to calculate the block hashes. The more computational
resources a pool harnesses, the greater the pool's chance of mining a
new block. When a new block is mined, the pool's participants are
rewarded with coins. Figure 1 illustrates the roles miners play in the
blockchain network.
Figure 1: The role of miners
FireEye iSIGHT Intelligence has identified eCrime actor interest in
cryptocurrency mining-related topics dating back to at least 2009
within underground communities. Keywords that yielded significant
volumes include miner, cryptonight, stratum, xmrig, and cpuminer.
While searches for certain keywords fail to provide context, the
frequency of these cryptocurrency mining-related keywords shows a
sharp increase in conversations beginning in 2017 (Figure 2). It is
probable that at least a subset of actors prefer cryptojacking over
other types of financially motivated operations due to the perception
that it does not attract as much attention from law enforcement.
Figure 2: Underground keyword mentions
The majority of recent cryptojacking operations have overwhelmingly
focused on mining Monero, an open-source cryptocurrency based on the
CryptoNote protocol, as a fork of Bytecoin. Unlike many
cryptocurrencies, Monero uses a unique technology called "ring
signatures," which shuffles users' public keys to eliminate the
possibility of identifying a particular user, ensuring it is
untraceable. Monero also employs a protocol that generates multiple,
unique single-use addresses that can only be associated with the
payment recipient and are unfeasible to be revealed through blockchain
analysis, ensuring that Monero transactions are unable to be linked
while also being cryptographically secure.
The Monero blockchain also uses what's called a
"memory-hard" hashing algorithm called CryptoNight and,
unlike Bitcoin's SHA-256 algorithm, it deters application-specific
integrated circuit (ASIC) chip mining. This feature is critical to the
Monero developers and allows for CPU mining to remain feasible and
profitable. Due to these inherent privacy-focused features and
CPU-mining profitability, Monero has become an attractive option for
cyber criminals.
Because most miner utilities are small, open-sourced tools, many
criminals rely on crypters. Crypters are tools that employ encryption,
obfuscation, and code manipulation techniques to keep their tools and
malware fully undetectable (FUD). Table 1 highlights some of the most
commonly repurposed Monero miner utilities.
|
XMR-STACK |
MINERGATE |
XMRMINER |
CCMINER |
XMRIG |
CLAYMORE |
SGMINER |
CAST XMR |
LUKMINER |
CPUMINER-MULTI |
Table 1: Commonly used Monero miner utilities
The following are sample advertisements for miner utilities commonly
observed in underground forums and markets. Advertisements typically
range from stand-alone miner utilities to those bundled with other
functions, such as credential harvesters, remote administration tool
(RAT) behavior, USB spreaders, and distributed denial-of-service
(DDoS) capabilities.
In early April 2018, actor "Mon£y" was observed by FireEye
iSIGHT Intelligence selling a Monero miner for $80 USD – payable via
Bitcoin, Bitcoin Cash, Ether, Litecoin, or Monero – that included
unlimited builds, free automatic updates, and 24/7 support. The tool,
dubbed Monero Madness (Figure 3), featured a setting called Madness
Mode that configures the miner to only run when the infected machine
is idle for at least 60 seconds. This allows the miner to work at its
full potential without running the risk of being identified by the
user. According to the actor, Monero Madness also provides the
following features:
Figure 3: Monero Madness
Figure 4: Monero Madness builder
In March 2018, FireEye iSIGHT Intelligence observed actor
"kent9876" advertising a Monero cryptocurrency miner called
Goldig Miner (Figure 5). The actor requested payment of $23 USD for
either CPU or GPU build or $50 USD for both. Payments could be made
with Bitcoin, Ether, Litecoin, Dash, or PayPal. The miner ostensibly
offers the following features:
Figure 5: Goldig Miner advertisement
In March 2018, FireEye iSIGHT Intelligence observed actor
"TH3FR3D" offering a tool dubbed Felix (Figure 6) that
combines a cryptocurrency miner and credential stealer. The actor
requested payment of $50 USD payable via Bitcoin or Ether. According
to the advertisement, the Felix tool boasted the following features:
Figure 6: Felix HTTP
In January 2018, FireEye iSIGHT Intelligence observed actor
"ups" selling a miner for any Cryptonight-based
cryptocurrency (e.g., Monero and Dashcoin) for either Linux or Windows
operating systems. In addition to being a miner, the tool allegedly
provides local privilege escalation through the href="https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-032">CVE-2016-0099
exploit, can download and execute remote files, and receive commands.
Buyers could purchase the Windows or Linux tool for €200 EUR, or €325
EUR for both the Linux and Windows builds, payable via Monero,
bitcoin, ether, or dash. According to the actor, the tool offered the following:
Windows Build Specifics
Linux Build Specifics
Figure 7: Miner bot web panel
In August 2017, actor "MeatyBanana" was observed by
FireEye iSIGHT Intelligence selling a Monero miner utility that
included the ability to download and execute files and perform DDoS
attacks. The actor offered the software for $30 USD, payable via
Bitcoin. Ostensibly, the tool works with CPUs only and offers the
following features:
The presence of mining software on a network can generate costs on
three fronts as the miner surreptitiously allocates resources:
Cryptojacking targets computer processing power, which can lead to
high CPU load and degraded performance. In extreme cases, CPU overload
may even cause the operating system to crash. Infected machines may
also attempt to infect neighboring machines and therefore generate
large amounts of traffic that can overload victims' computer networks.
In the case of operational technology (OT) networks, the
consequences could be severe. Supervisory control and data
acquisition/industrial control systems (SCADA/ICS) environments
predominately rely on decades-old hardware and low-bandwidth networks,
therefore even a slight increase in CPU load or the network could
leave industrial infrastructures unresponsive, impeding operators from
interacting with the controlled process in real-time.
The electricity cost, measured in kilowatt hour (kWh), is dependent
upon several factors: how often the malicious miner software is
configured to run, how many threads it's configured to use while
running, and the number of machines mining on the victim's network.
The cost per kWh is also highly variable and depends on geolocation.
For example, security researchers who ran Coinhive on a machine for 24
hours found that the electrical consumption was 1.212kWh. They
estimated that this equated to electrical costs per month of $10.50
USD in the United States, $5.45 USD in Singapore, and $12.30 USD in Germany.
Cryptojacking can also highlight often overlooked security holes in
a company's network. Organizations infected with cryptomining malware
are also likely vulnerable to more severe exploits and attacks,
ranging from ransomware to ICS-specific malware such as TRITON.
In order to maximize profits, cyber criminals widely disseminate
their miners using various techniques such as incorporating
cryptojacking modules into existing botnets, drive-by cryptomining
attacks, the use of mobile apps containing cryptojacking code, and
distributing cryptojacking utilities via spam and self-propagating
utilities. Threat actors can use cryptojacking to affect numerous
devices and secretly siphon their computing power. Some of the most
commonly observed devices targeted by these cryptojacking schemes are:
Private sector companies and governments alike are increasingly href="https://www.fireeye.com/blog/executive-perspective/2018/04/anatomy-of-a-public-cloud-compromise.html">moving
their data and applications to the cloud, and cyber threat
groups have been moving with them. Recently, there have been various
reports of actors conducting cryptocurrency mining operations
specifically targeting cloud infrastructure. Cloud infrastructure is
increasingly a target for cryptojacking operations because it offers
actors an attack surface with large amounts of processing power in an
environment where CPU usage and electricity costs are already expected
to be high, thus allowing their operations to potentially go
unnoticed. We assess with high confidence that threat actors will
continue to target enterprise cloud networks in efforts to harness
their collective computational resources for the foreseeable future.
The following are some real-world examples of cryptojacking in the cloud:
FireEye iSIGHT Intelligence has observed multiple prominent botnets
such as Dridex and Trickbot incorporate cryptocurrency mining into
their existing operations. Many of these families are modular in
nature and have the ability to download and execute remote files, thus
allowing the operators to easily turn their infections into
cryptojacking bots. While these operations have traditionally been
aimed at credential theft (particularly of banking credentials),
adding mining modules or downloading secondary mining payloads
provides the operators another avenue to generate additional revenue
with little effort. This is especially true in cases where the victims
were deemed unprofitable or have already been exploited in the
original scheme.
The following are some real-world examples of cryptojacking being
incorporated into existing botnets:
FireEye iSIGHT Intelligence has examined various customer reports of
browser-based cryptocurrency mining. Browser-based mining scripts have
been observed on compromised websites, third-party advertising
platforms, and have been legitimately placed on websites by
publishers. While coin mining scripts can be embedded directly into a
webpage's source code, they are frequently loaded from third-party
websites. Identifying and detecting websites that have embedded coin
mining code can be difficult since not all coin mining scripts are
authorized by website publishers, such as in the case of a compromised
website. Further, in cases where coin mining scripts were authorized
by a website owner, they are not always clearly communicated to site
visitors. At the time of reporting, the most popular script being
deployed in the wild is Coinhive. Coinhive is an open-source
JavaScript library that, when loaded on a vulnerable website, can mine
Monero using the site visitor's CPU resources, unbeknownst to the
user, as they browse the site.
The following are some real-world examples of Coinhive being
deployed in the wild:
Figure 8: Statement from TPB operators on
Coinhive script
Malvertisements – malicious ads on legitimate websites – commonly
redirect visitors of a site to an exploit kit landing page. These
landing pages are designed to scan a system for vulnerabilities,
exploit those vulnerabilities, and download and execute malicious code
onto the system. Notably, the malicious advertisements can be placed
on legitimate sites and visitors can become infected with little to no
user interaction. This distribution tactic is commonly used by threat
actors to widely distribute malware and has been employed in various
cryptocurrency mining operations.
The following are some real-world examples of this activity:
In addition to targeting enterprise servers and user machines,
threat actors have also targeted mobile devices for cryptojacking
operations. While this technique is less common, likely due to the
limited processing power afforded by mobile devices, cryptojacking on
mobile devices remains a threat as sustained power consumption can
damage the device and dramatically shorten the battery life. Threat
actors have been observed targeting mobile devices by hosting
malicious cryptojacking apps on popular app stores and through
drive-by malvertising campaigns that identify users of mobile browsers.
The following are some real-world examples of mobile devices being
used for cryptojacking:
FireEye iSIGHT Intelligence has observed several cryptocurrency
miners distributed via spam campaigns, which is a commonly used tactic
to indiscriminately distribute malware. We expect malicious actors
will continue to use this method to disseminate cryptojacking code as
for long as cryptocurrency mining remains profitable.
In late November 2017, FireEye researchers identified a spam
campaign delivering a malicious PDF attachment designed to appear as a
legitimate invoice from the largest port and container service in New
Zealand: Lyttelton Port of Chistchurch (Figure 9). Once opened, the
PDF would launch a PowerShell script that downloaded a Monero miner
from a remote host. The malicious miner connected to the pools
supportxmr.com and nanopool.org.
Figure 9: Sample lure attachment (PDF)
that downloads malicious cryptocurrency miner
Additionally, a massive cryptojacking spam campaign was discovered
by FireEye researchers during January 2018 that was designed to look
like legitimate financial services-related emails. The spam email
directed victims to an infection link that ultimately dropped a
malicious ZIP file onto the victim's machine. Contained within the ZIP
file was a cryptocurrency miner utility (MD5:
80b8a2d705d5b21718a6e6efe531d493) configured to mine Monero and
connect to the minergate.com pool. While each of the spam email lures
and associated ZIP filenames were different, the same cryptocurrency
miner sample was dropped across all observed instances (Table 2).
|
width="420"> |
Table 2: Sampling of observed ZIP filenames
delivering cryptocurrency miner
Following the WannaCry attacks, actors began to increasingly
incorporate self-propagating functionality within their malware. Some
of the observed self-spreading techniques have included copying to
removable drives, brute forcing SSH logins, and leveraging the leaked
NSA exploit href="https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html">EternalBlue.
Cryptocurrency mining operations significantly benefit from this
functionality since wider distribution of the malware multiplies the
amount of CPU resources available to them for mining. Consequently, we
expect that additional actors will continue to develop this capability.
The following are some real-world examples of cryptojacking worms:
Another trend worth noting is the use of proxies to avoid detection.
The implementation of mining proxies presents an attractive option for
cyber criminals because it allows them to avoid developer and
commission fees of 30 percent or more. Avoiding the use of common
cryptojacking services such as Coinhive, Cryptloot, and Deepminer, and
instead hosting cryptojacking scripts on actor-controlled
infrastructure, can circumvent many of the common strategies taken to
block this activity via domain or file name blacklisting.
In March 2018, href="https://www.bleepingcomputer.com/news/security/in-browser-cryptojacking-is-getting-harder-to-detect/">Bleeping
Computer reported on the use of cryptojacking proxy servers and
determined that as the use of cryptojacking proxy services increases,
the effectiveness of ad blockers and browser extensions that rely on
blacklists decreases significantly.
Several mining proxy tools can be found on GitHub, such as the href="https://github.com/xmrig/xmrig-proxy">XMRig Proxy tool,
which greatly reduces the number of active pool connections, and the
href="https://github.com/x25/coinhive-stratum-mining-proxy">CoinHive
Stratum Mining Proxy, which uses Coinhive’s JavaScript mining
library to provide an alternative to using official Coinhive scripts
and infrastructure.
In addition to using proxies, actors may also establish their own
self-hosted miner apps, either on private servers or cloud-based
servers that supports Node.js. Although private servers may provide
some benefit over using a commercial mining service, they are still
subject to easy blacklisting and require more operational effort to
maintain. According to href="https://blog.sucuri.net/2018/01/malicious-cryptominers-from-github-part-2.html">Sucuri
researchers, cloud-based servers provide many benefits to actors
looking to host their own mining applications, including:
The combination of proxies and crypto-miners hosted on
actor-controlled cloud infrastructure presents a significant hurdle to
security professionals, as both make cryptojacking operations more
difficult to detect and take down.
Based on data from FireEye detection technologies, the detection of
cryptocurrency miner malware has increased significantly since the
beginning of 2018 (Figure 10), with the most popular mining pools
being minergate and nanopool (Figure 11), and the most heavily
affected country being the U.S. (Figure 12). Consistent with href="https://www.bleepingcomputer.com/news/cryptocurrency/students-mining-cryptocurrencies-are-clogging-up-university-networks/">other
reporting, the education sector remains most affected, likely due
to more relaxed security controls across university networks and
students taking advantage of free electricity to mine cryptocurrencies
(Figure 13).
Figure 10: Cryptocurrency miner detection
activity per month
Figure 11: Commonly observed pools and
associated ports
Figure 12: Top 10 affected countries
Figure 13: Top five affected industries
Figure 14: Top affected industries by country
According to security researchers at Cato Networks, in order for a
miner to participate in pool mining, the infected machine will have to
run native or JavaScript-based code that uses the Stratum protocol
over TCP or HTTP/S. The Stratum protocol uses a publish/subscribe
architecture where clients will send subscription requests to join a
pool and servers will send messages (publish) to its subscribed
clients. These messages are simple, readable, JSON-RPC messages.
Subscription requests will include the following entities: id, method,
and params (Figure 15). A deep packet inspection (DPI) engine can be
configured to look for these parameters in order to block Stratum over
unencrypted TCP.
Figure 15: Stratum subscription request parameters
In the case of JavaScript-based miners running Stratum over HTTPS,
detection is more difficult for DPI engines that do not decrypt TLS
traffic. To mitigate encrypted mining traffic on a network,
organizations may blacklist the IP addresses and domains of popular
mining pools. However, the downside to this is identifying and
updating the blacklist, as locating a reliable and continually updated
list of popular mining pools can prove difficult and time consuming.
Identifying and detecting websites that have embedded coin mining
code can be difficult since not all coin mining scripts are authorized
by website publishers (as in the case of a compromised website).
Further, in cases where coin mining scripts were authorized by a
website owner, they are not always clearly communicated to site visitors.
As defenses evolve to prevent unauthorized coin mining activities,
so will the techniques used by actors; however, blocking some of the
most common indicators that we have observed to date may be effective
in combatting a significant amount of the CPU-draining mining
activities that customers have reported. Generic detection strategies
for browser-based cryptocurrency mining include:
Some of these detection strategies may also be of use in blocking
some mining functionality included in existing financial malware as
well as mining-specific malware families.
It is important to note that JavaScript used in browser-based
cryptojacking activity cannot access files on disk. However, if a host
has inadvertently navigated to a website hosting mining scripts, we
recommend purging cache and other browser data.
In underground communities and marketplaces there has been
significant interest in cryptojacking operations, and numerous
campaigns have been observed and reported by security researchers.
These developments demonstrate the continued upward trend of threat
actors conducting cryptocurrency mining operations, which we expect to
see a continued focus on throughout 2018. Notably, malicious
cryptocurrency mining may be seen as preferable due to the perception
that it does not attract as much attention from law enforcement as
compared to other forms of fraud or theft. Further, victims may not
realize their computer is infected beyond a slowdown in system performance.
Due to its inherent privacy-focused features and CPU-mining
profitability, Monero has become one of the most attractive
cryptocurrency options for cyber criminals. We believe that it will
continue to be threat actors' primary cryptocurrency of choice, so
long as the Monero blockchain maintains privacy-focused standards and
is ASIC-resistant. If in the future the Monero protocol ever
downgrades its security and privacy-focused features, then we assess
with high confidence that threat actors will move to use another
privacy-focused coin as an alternative.
Because of the anonymity associated with the Monero cryptocurrency
and electronic wallets, as well as the availability of numerous
cryptocurrency exchanges and tumblers, attribution of malicious
cryptocurrency mining is very challenging for authorities, and
malicious actors behind such operations typically remain unidentified.
Threat actors will undoubtedly continue to demonstrate high interest
in malicious cryptomining so long as it remains profitable and
relatively low risk.