Defending Systems Against Cryptocurrency Miner Malware
Defending Systems Against Cryptocurrency Miner Malware
A look into cryptocurrencies' state and how cybercriminals abuse miner malware to profit at the expense of legitimate businesses, how to find signs of infection, and recommendations to defend systems from its abuse.
Cryptocurrencies gained recognition as a legitimate currency for the purchase of goods and services because of their perceived anonymity when used and the online market’s speculation of their value. And with the proliferation of internet-connected mobile devices, online transactions using these currencies are expected to increase in popularity and use.
Unfortunately, it has also gained notoriety mostly because of the way cybercriminals cash in on its growing value and popularity.
Cryptocurrencies and cryptocurrency mining, explained
Cryptocurrency is a digital form of currency. Broken down, it’s an encrypted data string denoting a unit of currency that is organized, monitored, and secured by a peer-to-peer network known as a blockchain. Cryptocurrency transactions are secured, verified, and anonymously executed as millions of computers are simultaneously updated on all trades. Cryptocurrencies have a finite supply available as disclosed by their respective source codes. Despite the number of kinds of cryptocurrencies, this limitation determines the fluctuating capitalization worth and perceived market value of the currencies.
Meanwhile, cryptocurrency mining – or cryptomining – is the process that involves validating user transactions and adding them to the blockchain. Verification is done by solving complex mathematical problems: Find a randomly generated number – a nonce – combined with a generated cryptographic hash to solve the complex equation. Miners are rewarded with cryptocurrency as an incentive for the undertaking. The resource-intensive process involves the use of specialized hardware such as application-specific integrated circuits (ASICs) because the equations increase in difficulty as more miners solve the problems. Considering this, the profitability of the miner depends on the number of equations that can be solved in the shortest amount of time.
The entire system is decentralized, meaning there are no central banks, governments, or corporate entities overseeing the processes of mining, currency exchange, or transactions. The cryptocurrencies can be collected and kept by users in a personal digital wallet or traded on digital stock exchanges.
As the mining process occurs in the background, infected systems continue to use computing resources unnoticed. The constant load on the infected system’s resources result in overheating units, damaged fans or vents, increase in power and bandwidth usage, slow processing runs, or the sudden overuse of available memory resources in computers and servers. Ultimately, affected enterprise assets will have to be replaced sooner, resulting in disrupted operations and financial losses.
In 2018 and 2019, Trend Micro’s telemetry detected a fluctuation in attacks and infection attempts in a number of countries.
Figure 1. Snapshot of the five countries with the most detected cryptocurrency miner malware infection attempts for 2018 and 2019. Data derived from Trend Micro’s Smart Protection Network’s (SPN) detections.
As mentioned in Trend Micro’s annual security roundup, the sudden increase in cryptocurrency miners in systems — bundled with a number of other malware such as ransomware and botnets — became apparent in attacks against enterprise infrastructures as tools and services became prominent in the underground. Inspired by cryptocurrency’s growth in demand and market value, more criminals explored the possibility of exploiting internet-of-things (IoT) devices to mine cryptocurrency. Despite their limited processing capabilities, the sheer volume of IoT devices can make it worthwhile.
However, the decline in detections for miner malware and attacks in 2019 (as documented in Trend Micro’s midyear security report) does not equate to a loss of interest. Illicit cryptocurrency mining may have simply reached a point of maturity; threat actors are being more selective with their targets, employing more sophisticated routines, and refining attack techniques. Moreover, despite the decreased detection numbers, cryptocurrency miner threats still remain the most detected malware.
Symptoms of a cryptocurrency malware in the system
Cryptocurrency miners require a lot of computing power, which raises some red flags that could indicate an infection. Here are a number of symptoms:
Slower computer performance.
As previously mentioned, cryptocurrency miners use a lot of processing power. This results in abnormally high CPU usage (even when the system shouldn’t be running any resource-intensive tasks), hogging computing resources that legitimate tasks need.
Increase in network traffic, internet usage bandwidth, and computer processing despite normal or minimal use.
The flow of normal internet traffic usually involve message lengths with short incoming requests and long outgoing responses. By comparison, cryptomining’s incoming hash length is short, with longer outgoing results (as it updates the blockchain). A trained user and traffic monitoring teams may observe a spike in upload traffic even during expected office downtimes such as a weekend or holiday.
Unusual increase in server activity.
Cybercriminals can inject malicious code into websites or online ads to run miners on visitor’s systems. These scripts are automatically executed, even without user prompts or interactions. Enterprises with their own websites connected to physical in-house or cloud servers can observe a sudden activity in specific pages of their respective websites, even in pages that do not normally require long standby periods.
Cybercriminals will continue attacking and infecting systems with cryptocurrency miner malware, with some bundling it with other malware to make an infection more profitable. Additionally, given the anonymity that it affords, cryptocurrency miner malware is expected to remain among cybercriminals’ more preferred tools for making a profit.
Here are a few best practices for defending your systems from malware:
Regularly update devices’ software and firmware as vendors release patches. Malicious actors can exploit vulnerabilities to install unknown components, codes, or commands in devices.
Be wary of unknown URLs, embedded links and ads, attachments, and emails from unknown senders, especially with redundant requests for information, urgency, or insistence on immediate action. Double-check websites before logging in or signing up with sensitive information as these can be used against you with social engineering techniques, luring victims even after an initial attack.
Enable multifactor authentication (MFA) on all online accounts and platforms whenever they are available, and bookmark frequently visited websites to ensure legitimacy.
Apply network segmentation. Implementing separate networks in the enterprise for specific purposes can minimize the effects of a compromise.
If actively using trading platforms, refrain or avoid using the trading platform account as a wallet for cryptocurrencies; a compromise on the platform can lead to a compromise of the wallet, the user’s information, and the cryptocurrencies stored. Consider using a hardware wallet for your assets, and consider using multiple trading platforms. Make sure to read through the terms and conditions of the trading platform/s before creating an account, especially for the users’ and platforms’ accountability in the event of a compromise.
Companies still using legacy systems and end-of-life products should pay attention to emergency patches released by vendors, especially for critical and important vulnerabilities. Legitimate virtual patches and hotfixes are also released by security vendors.
Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats that may exploit vulnerabilities even without an engine or pattern update.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).