Due to the growing popularity and market value (at the time of writing!) of cryptocurrencies, it is no surprise that there has been a surge in the number of malicious attacks using cryptominers.
In its latest report into ‘Cybercrime tactics and techniques: 2017 state of malware’, Malwarebytes claims to have blocked an average of 8 million drive-by mining attempts from websites and visitors all over the world.
Predictably, this technology was immediately abused by webmasters who ran it silently, thereby exploiting the visitor’s CPU for their own gain. Eventually, criminals also took note and started compromising websites with cryptomining code. This means that the system resources of unsuspecting victims can be harnessed without authorisation in order to mine cryptocurrency.
The most popular currency for drive-by mining in 2017 is Monero, most likely due to the higher speed with which transactions are processed, even of small amounts. Criminals also benefit from the anonymity automatically incorporated into the Monero blockchain, and the fact that the mining algorithm doesn’t favour specialised chips.
Popular attack methods
PUP wrappers: Several bundlers and PUP wrappers have been found to install miners, and they appear to be replacing adware as a payment method. IStartSurf, a PUP well known for its browser hijackers, has started to include miners in its silent installs.
Exploit kits and malvertising: The payload of the RIG exploit kit now includes cryptominers. Even the EternalBlue exploit (of WannaCry fame) was used to spread a miner that used Windows Management Instrumentation for a fileless, persistent infection.
Malicious spam: Cryptocurrencies are easy pickings for spammers. They often use Bitcoin value fluctuations as a means for phishing, while sending out cryptominers or installers for these miners as malspam.
Social engineering: This is an increasingly popular method of attack used for drive-by mining. Some campaigns are run by convincing people they need to install a new font, when in fact they are being served a cryptominer. Some miners are also being offered as cracked versions of popular software.
Bitcoin wallet theft: Banking Trojans have expanded their working field into stealing cryptocurrencies right out of people’s virtual wallets. Coinbase is a cryptowallet that trades in several cryptocurrencies, including Bitcoin. A Trickbot variant was spotted that adds the Coinbase exchange to the sites it monitors in order to steal credentials.
Other Trojans have been spotted that steal cryptocurrencies on the fly, including one that monitors a user’s clipboard. As soon as it spots the address of a cryptocurrency wallet on the clipboard, it replaces the address with that of the threat actor.
Attacks like this can be virtually impossible to detect, and few people would expect something they had just copied to change before being pasted into an address bar.
It is likely that as cryptocurrency fever continues, drive-by mining will evolve as new mining platforms are utilised – such as Android and IoT devices – and new forms of malware are developed to mine and steal cryptocurrency.