The aim of cryptojacking is to use victims’ machines to mine cryptocurrency on behalf of the hacker. There are two main ways to do this: 1) infecting a computer with malware in the traditional way and keeping a persistent piece of software on the machine, or 2) the ‘drive-by’ approach of embedding JavaScript in a web page that uses the visitor’s computing power while they are on the page.
A large EU water utility system was discovered to be compromised, with someone mining on its large computers. Interestingly, these ‘drive-by’ attacks don’t just target powerful PCs; they can also be carried out on mobile devices and can keep using your computing power even after you leave the page. Phones don’t have much computational power, but the hacker’s aim in this instance is quantity: lots of small processors really add up.
Cryptojacking is hugely prevalent because it is an easy way to make money, with less risk than ransomware and a more consistent payout. It can be used to target any machine with an internet connection, and good cryptojacking software is hard to detect: a user who’s not paying close attention may never notice it. Often the symptoms lead them to believe that their device is just getting old.
Some good examples of this malware are below. As the examples show, there is a lot of variety in the way they function; they have many different features and even compete against each other.
WannaMine – uses the same lateral movement techniques as WannaCry, but instead of the payload being ransomware, it is a Monero miner. WannaMine keeps persistence on host machines by using a WMI event.
MIRUS – This virus attacks machines by prepending malicious code to files already on the system. The malicious code searches for HTML and HTM files already on the system and adds JavaScript that calls out to CoinHive and then runs coinhive.min.js to mine to a wallet specified in the JavaScript code.
GhostMiner – another Monero miner, but this one is fileless. This advanced malware uses PowerShell scripts from various frameworks, like Out-CompressedDll and Invoke-ReflectivePEInjection, to achieve its fileless execution. The malware works by running three PowerShell scripts. The first script to run, nitro.ps1, tries to brute force any passwords on the system to gain access. The next script to run is called WMI.ps1. This predictably achieves persistence by using WMI objects. It also downloads and runs two payloads. The first payload, Killer, looks to kill off any other miners on the infected machine. It checks for lists of services, scheduled tasks, and command-line arguments that are commonly seen in commands invoking miners. It also searches for processes that establish the TCP connections cryptominers usually use to communicate with mining pools, and for popular miner executables. After doing this it starts running its own miner. The final PowerShell script is WMI64.ps1. It’s the same as WMI.ps1 but for 64-bit systems. The wallet associated with this malware held only a small amount of crypto; this could be down to the fact that its access-gaining methods are relatively primitive compared to the rest of the malware.
Xbash – This malware is developed in Python and combines ransomware, mining, command and control, and self-propagation techniques. It targets Linux machines, typically larger servers, and runs one of two different scripts depending on whether root privileges exist. Both scripts start by looking for competing cryptominers and killing any they find. The malware then attempts to spread and installs a cryptominer.
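The signals GhostMiner's Killer payload and the Xbash scripts use to find rival miners (miner executable names, miner command-line arguments, TCP connections to mining pools) serve a defender equally well for hunting. The following is an added example, not code from any of the malware or tools described here; the indicator lists, weights and process records are constructed assumptions.

```python
import re

# Heuristic indicators: assumptions for illustration, tune them for your estate.
MINER_NAMES = {"xmrig", "minerd"}            # popular miner executables
POOL_PORTS = {3333, 5555, 7777, 14444}       # ports often used by mining pools
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl)://", re.IGNORECASE)
MINER_FLAGS = re.compile(r"(?<!\S)--(?:donate-level|cpu-priority|coin|algo)\b")

def score_process(proc):
    """Return (score, reasons) for one process record."""
    score, reasons = 0, []
    if re.sub(r"\.exe$", "", proc["name"].lower()) in MINER_NAMES:
        score += 2
        reasons.append("miner executable name")
    if STRATUM_URL.search(proc["cmdline"]):
        score += 3
        reasons.append("stratum URL in command line")
    if MINER_FLAGS.search(proc["cmdline"]):
        score += 2
        reasons.append("miner option in command line")
    if any(port in POOL_PORTS for _ip, port in proc["remotes"]):
        score += 1
        reasons.append("connection to common pool port")
    return score, reasons

def hunt(processes, threshold=3):
    """Flag processes whose combined score reaches the threshold."""
    flagged = []
    for proc in processes:
        score, reasons = score_process(proc)
        if score >= threshold:
            flagged.append((proc["pid"], score, reasons))
    return sorted(flagged, key=lambda item: -item[1])

# Constructed process snapshot (not real telemetry); addresses are documentation ranges.
SAMPLE = [
    {"pid": 412, "name": "xmrig", "remotes": [("203.0.113.10", 3333)],
     "cmdline": "./xmrig -o stratum+tcp://pool.example:3333 -u WALLET --donate-level 1"},
    {"pid": 977, "name": "sysupdate", "remotes": [("203.0.113.11", 14444)],
     "cmdline": "/tmp/sysupdate --algo rx/0 -o pool.example:14444"},
    {"pid": 1500, "name": "node", "remotes": [("198.51.100.7", 3333)],
     "cmdline": "node server.js --port 3333"},
    {"pid": 80, "name": "nginx", "remotes": [], "cmdline": "nginx: worker process"},
]

if __name__ == "__main__":
    for pid, score, reasons in hunt(SAMPLE):
        print(pid, score, "; ".join(reasons))
```

The renamed binary (pid 977) is flagged through its arguments and connection even though its name is innocuous, while the web server that merely listens near a pool port is not.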
CoinHive/CryptoLoot – These are borderline Malware as a Service: they allow cryptominers to be placed on websites and then take a cut of the currency mined by the page’s visitors. The Pirate Bay experimented with this as an alternative to online ads to monetize its site. Some charities use this service but disclose it to their users. The sites this monetization model fits are those with a long interaction time with the user but minimal clicks, for example video streaming sites. CoinHive takes 30% of coins and CryptoLoot takes 12%.
Attacks on Routers – Hackers don’t just target desktops and laptops. There is a whole lot of infrastructure in the middle. Routers are often approached with an ‘out of sight, out of mind’ mentality that leaves them unpatched and vulnerable to exploitation through vulnerabilities or default credentials. Because routers usually sit between the end user and the webpage they are attempting to browse to, router malware can use various techniques to inject cryptomining scripts into webpages or redirect users to phishing pages.
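MIRUS, the CoinHive/CryptoLoot services and router-level injection all leave the same artifact: a script element in an HTML page that loads or names a miner. The following is an added example (not code from the original article or from any tool it mentions) that audits HTML and HTM files for such script elements; the name patterns are assumptions derived from the services named above, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser
from pathlib import Path

# Name patterns from the services this article names (assumed, not a vetted IoC list).
MINER_PATTERN = re.compile(r"coinhive|crypto-?loot", re.IGNORECASE)
SAMPLE = '<script src="//cdn.example/coinhive.min.js"></script>'  # constructed sample

class ScriptAudit(HTMLParser):
    """Records <script> elements whose src or inline body names a miner."""
    def __init__(self):
        super().__init__()
        self.findings = []    # (kind, evidence) tuples
        self._inline = None   # list of text chunks while inside an inline script

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src is None:
            self._inline = []
        elif MINER_PATTERN.search(src):
            self.findings.append(("external", src))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            match = MINER_PATTERN.search("".join(self._inline))
            self._inline = None
            if match:
                self.findings.append(("inline", match.group(0)))

def scan_html(text):
    audit = ScriptAudit()
    audit.feed(text)
    return audit.findings

def scan_tree(root):
    """Map each .html/.htm file under root to its findings; clean files are omitted."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".html", ".htm") and path.is_file():
            found = scan_html(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                hits[str(path)] = found
    return hits
```

Only script elements are inspected, so a page that merely mentions a miner by name in its text is not reported.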
Recommendations:
Always make sure you change the default admin passwords on your routers, and disable any “remote management” options if you are a home user.
Apply firmware upgrades to your router at least every month. Go to your router manufacturer’s website for instructions on how to perform this. Typically, it should take less time than your morning coffee to upgrade and will help ensure that you don’t fall victim to these sorts of attacks.
Make sure you have powerful, up-to-date Endpoint Detection and Response (EDR), like CrowdStrike’s Falcon, so that these breaches are stopped dead in their tracks.