Attackers Shift to Malware-Based Cryptominers

Cryptocurrency Market Slide Makes In-Browser Mining Less Appealing

The rise of virtual currencies such as bitcoin and monero brought new risks to enterprises: attackers who seek to steal computing power in order to enrich themselves.

Although it may seem an offense that could be equated with taking extra pens or copy paper from the office, it can have a negative impact: Poorly implemented cryptomining code can hamper a computer's performance.

These kinds of attacks - referred to as cryptojacking - use victims' computers to generate random hashes as part of the proof-of-work transaction systems for virtual currencies in return for a reward payment.

Plus, if the mining code has actually been loaded on an endpoint using a vulnerability or a phishing attack, it could be an entry point for more harmful code.

IBM says it has seen a decline in so-called browser-based cryptojacking attacks. Those occur when attackers, for example, compromise a website and seed malicious JavaScript into a page. When someone visits the page, the JavaScript runs, pilfering computer power for the inglorious job of generating random hashes.

Last year, browser-based mining outpaced the malware-based variety by a ratio of two to one, writes Charles DeBeck, a strategic cyber threat analyst with IBM. But that's changing: It appears that threat actors now favor trying to install mining code on computers.

"As our data shows, browser-based cryptojacking was big in 2018," DeBeck writes. "But as we moved into 2019, our data started showing a decline in that type of attack and a return to malware-based cryptojacking. A number of factors could be contributing to this shift."

Profitability Falls

IBM as well as other security companies have noticed that cryptojacking efforts have tapered as the value of virtual currencies has fallen. Since December 2017, when bitcoin peaked at around $20,000 per coin, the value of it and other cryptocurrencies has fallen 75 percent or more.

That has curbed the profitability of JavaScript miners. They're beneficial for attackers in that compromising a high-traffic website can mean large numbers of computers are temporarily part of their mining network - as long as the particular web page remains open - but each individual computer is generating virtual currency at a lower cash-out rate.

Browser-based cryptocurrency miners outnumbered malware-based miners last year, but IBM says that is starting to change. (Source: IBM)

At first, such mining efforts escaped scrutiny by endpoint security software, although some vendors have now developed capabilities to notify users when it is happening.

"Since the browser is merely an application on a device, it cannot generate the same computing power as infecting the actual device," DeBeck writes. "As a result, this type of cryptojacking takes much longer to generate each coin, which may be incentivizing threat actors to refocus on malware infections to speed things up."

Another incentive for the move to malware-based mining may be the halt to the Coinhive project. Coinhive's JavaScript code mined the privacy-focused currency monero. It frequently turned up on hacked websites because it could be incorporated by anyone into a website (see: Cryptocurrency Miners Exploit Widespread Drupal Flaw).

The project proved controversial because hackers inserted it into websites without permission. The code was freely available to install, but Coinhive took a 30 percent share of mining rewards even if it was on a hacked site, which some maintained was unethical.

"With Coinhive gone, threat actors would have to go to other script providers," DeBeck writes. "While there are many other providers of the same sort of scripts, the removal of Coinhive could affect the overall ability of the technically unskilled to create web-based cryptojacking attacks."

The Next Stage: Fileless

Most of the tips that IBM has for dealing with malware-based cryptominers are likely already being employed by enterprises. Among those tips: Update intrusion detection and prevention systems with signatures to block cryptojacking scripts and disable JavaScript where feasible.

But if cryptomining proves meddlesome, admins can also restrict outbound calls to known cryptomining "pools," the term for groups that combine their mining power and collectively share payouts. Threat intel providers are a source for that data.
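As an added example (not from IBM or the original article), the sketch below shows one way to turn a pool list into a check over DNS query logs, flagging which internal hosts looked up a listed pool or any of its subdomains. The log format, the client addresses and the pool names (placeholders under the reserved `.example` domain) are assumptions constructed for illustration.

```python
"""Flag outbound DNS lookups for names on a mining-pool blocklist."""
from collections import defaultdict

# Constructed blocklist: placeholder names under the reserved .example TLD.
# In practice the entries would come from a threat-intel feed.
POOL_DOMAINS = {"pool.minerfeed.example", "xmr-pool.example"}

# Constructed DNS query log, assumed format: "<timestamp> <client_ip> <query>".
SAMPLE_LOG = """\
2019-04-02T09:14:07Z 10.0.4.21 www.intranet.example
2019-04-02T09:14:09Z 10.0.4.21 eu1.pool.minerfeed.example.
2019-04-02T09:14:12Z 10.0.7.88 XMR-POOL.example
2019-04-02T09:15:30Z 10.0.7.88 notxmr-pool.example
2019-04-02T09:15:31Z 10.0.4.21 eu2.pool.minerfeed.example
malformed line
"""

def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")

def matches_pool(name, pools=POOL_DOMAINS):
    """Return the blocklist entry that `name` equals or is a subdomain of."""
    labels = normalize(name).split(".")
    # Compare whole label suffixes, so "notxmr-pool.example" does not match
    # "xmr-pool.example" the way a substring or endswith() test would.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in pools:
            return candidate
    return None

def find_pool_lookups(log_text, pools=POOL_DOMAINS):
    """Map each client IP to the sorted pool domains it looked up."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip lines that do not fit the assumed format
        _, client, query = fields
        pool = matches_pool(query, pools)
        if pool:
            hits[client].add(pool)
    return {client: sorted(found) for client, found in hits.items()}

if __name__ == "__main__":
    for client, found in find_pool_lookups(SAMPLE_LOG).items():
        print(client, "->", ", ".join(found))
```

The same suffix-matching rule applies when the list is loaded into a DNS sinkhole or proxy deny list, where a loose substring match would block unrelated names.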

IBM's X-Force Intelligence Threat Index

IBM is predicting that cryptomining will evolve. To wit: GhostMiner, which is a fileless miner that resides only in memory.

"It uses PowerShell evasion scripts that allow it to run from memory without leaving any files on the victim's devices," according to IBM's X-Force Intelligence Threat Index 2019, which was released in February. "It contains advanced process-killing functions, executed via PowerShell, to detect and eliminate other coin-mining infections that may be present on the same device, so it can maintain exclusive access to system processing power."

Going fileless and relying on scripts makes defense harder, as it may be possible to evade AV detection, IBM says. This PowerShell approach, often referred to as "living off the land" because it doesn't involve the introduction of other code, has proved tough for organizations to defend against, particularly when attackers use this method to move laterally through systems.

"With PowerShell taking on a larger role in adversarial toolsets, its use and abuse is reminiscent of the risk that arose when attackers started relying on JavaScript," according to the report.


About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



