Monero Mining Trojan Analysis - Protect Your Digital Assets From Malicious Cryptojacking
Throughout 2017, the malware threat landscape started shifting away from traditional cyber crime monetization tactics like ransomware and credit card theft toward malicious cryptojacking.
Cryptojacking allows threat actors to steal hardware resources of infected systems to make money for themselves without having to pay for electricity and mining equipment. The popularity of Monero made it the preferred cryptocurrency for hackers to mine illicitly.
1. Power Consumption
As cryptocurrencies gain popularity, malware authors are adapting to their newfound value by adding cryptocurrency mining and stealing capabilities. Monero is a popular choice among these malware variants because it’s known for its privacy and security features.
The cryptocurrency mining process involves solving a math problem in order to validate bitcoin blocks on the blockchain. This requires a lot of computing resources, which is why hackers use cryptojacking malware to steal business and personal computer and device systems’ processing power without the victims’ knowledge. They can then siphon the resulting cryptocurrency into their digital wallets.
While cryptocurrency values are only a third of what they were a year ago, it’s still a lucrative monetization method for cybercriminals. They can run cryptocurrency miners on a victim’s system for as long as they have it, generating untraceable profits.
One of the most troubling malware trends that we’ve seen this year is the proliferation of cryptocurrency miners and stealers. These malicious threats typically enter a network via email, website or infected ads and install cryptojacking scripts that hijack the device’s processing power for mining. As such, they go undetected by antimalware and antivirus software and can remain infecting computers for a prolonged period of time, reducing the lifespan of the hardware. These sneaky malware variants are also capable of stealing sensitive information from an organization’s endpoints.
2. CPU Usage
Cryptocurrencies like Monero (XMR) are attracting cybercriminals due to their unique properties. These include fungibility and anonymity. They also are not subject to the same regulations as traditional currencies, making them ideal for illicit transactions on dark markets such as Silk Road. However, obtaining cryptocurrencies requires expensive mining processes that require specialized hardware.
In order to solve complex math problems that verify blockchain data, miners use computing devices called “computers” or “devices.” The process consumes a great deal of energy, and the device’s processor is constantly operating at full capacity. As a result, the device overheats and its battery drains, resulting in increased costs for users.
Cybercriminals take advantage of the computing power used by devices in order to earn cryptocurrency for them by injecting malware,Download Imtoken Wallet for Android 2.8.3 , or cryptojacking, into their victims’ computers and mobile devices. This malware clandestinely uses the victim’s device to mine crypto, causing depleted computer performance and escalating electricity bills.
For example, a popular cryptojacking attack known as Coinhive embeds code into websites and ads to use the visitor’s CPU power to mine Monero for the attacker’s financial gain. This is accomplished without the viewer’s consent, and goes unnoticed by antivirus solutions. The attacker can earn hundreds of thousands to millions of dollars per attack. This revenue model has become increasingly common and is a growing threat to cybersecurity.
3. Memory Usage
While Bitcoin and other cryptocurrencies have exploded, so have attacks that exploit them. High-profile data breaches and theft have garnered most of the attention, but there’s another threat quietly draining cryptocurrency wallets and exchange platforms: malicious cryptomining.
Criminals are abandoning ransomware and credit card theft in droves to deploy malware that mines cryptocurrencies for them. Researchers have discovered one large botnet mining family alone netting millions of dollars in profits in just six months, and a new breed of innovative cryptojacking tools continues to emerge.
Mining cryptocurrency requires computer power to solve complex algorithms and validate data blocks that are added to a digital information chain known as a blockchain. For their work, miners are rewarded in cryptocurrency coins. It’s a riskier, more resource-intensive endeavor than stealing actual money and only feasible on specialized hardware, but it’s an attractive prospect for cybercriminals seeking a quick profit without putting themselves at any risk.
In fact, some criminals are even choosing to deploy cryptojacking tools that use ordinary CPUs rather than the faster graphics processing units typically used in GPU-based mining. In January 2018, Ars Technica revealed a YouTube video ad that secretly ran Javascript code to mine Monero while users watched. This type of “drive-by” cryptojacking doesn’t ask for permission, and the software keeps running after a victim leaves the site.
4. Network Usage
As cryptocurrencies gained popularity, bad actors took advantage of cryptojacking to steal users’ computers’ processing power without their consent. In cryptojacking, a piece of malware uses a user’s CPU to mine cryptocurrencies such as Monero.
The cryptocoin mining process involves solving complex math problems that validate blockchain transactions. Solving these problems requires a large amount of computing resources and consumes a lot of electricity. In order to earn a reward for their work, miners must join pools of computing resources, known as mining pools, to share the burden of this computational work. The cryptocurrency mining ecosystem is complex and has become a popular target for threat actors looking to monetize their attacks. This is why cybercriminals have shifted away from ransomware and credit card theft and toward malicious cryptocurrency mining.
Last year, malware such as the Coinhive script became increasingly popular among bad actors for generating untraceable profit through illegal Monero mining. The script embeds itself in a web page or an ad, using the computer’s CPU power to mine coins while the user is unaware of it. It has even been used by legitimate publishers such as gaming sites to avoid the cost of advertising, making it difficult for antivirus software to detect.
A comprehensive detection strategy for cryptojacking includes network traffic analytics (NTA), which identifies internal hosts communicating results of mining work to external servers. NTA should also monitor for CPU usage spikes that are associated with cryptojacking and for devices overheating, which is a sign that mining scripts are running on the device.