Cryptomining Malware: A Growing Epidemic

by February 13, 2019

Cryptocurrency malware is not a new term. Cryptojacking has ballooned in popularity among cybercriminals since last year, despite a bearish market.

Cryptomining malware, or cryptojacking, is hidden software that harnesses the processing power of victims’ devices to mine cryptocurrency and so generate revenue for the attacker. It may arrive as JavaScript embedded in a web page, or as a native program installed on the device. A recent report from cybersecurity firm Kaspersky Lab revealed that a single cryptocurrency mining botnet can net cybercriminals more than $30,000 per month.

Apple Mac computers have also recently fallen victim to crypto malware. A recently discovered malware dubbed “CookieMiner” steals browser cookies and other data from victims’ Macs in order to steal cryptocurrency.

According to a report released by researchers at cybersecurity firm Palo Alto Networks, “CookieMiner tries to navigate past the authentication process by stealing a combination of the login credentials, text messages, and web cookies.” The malicious code targets crypto exchanges such as Binance, Coinbase, Poloniex and Bittrex, as well as any website with “blockchain” in its domain name. On top of that, CookieMiner targets credit card information from AmEx, Mastercard, Visa and others, along with passwords saved in Chrome, cryptocurrency wallet keys and more.

Another form of malware has been discovered for the first time in an app on the Google Play store. Dubbed a “clipper,” this malware watches the clipboard and replaces a cryptocurrency wallet address the victim has copied with an address owned by the attacker, so that a payment the victim believes is going to a legitimate recipient is silently redirected.

Reported last week, the app was discovered by security firm ESET and impersonates MetaMask, a service that provides access to decentralized Ethereum applications. Besides swapping addresses, the fake app targets MetaMask users’ credentials in order to access their Ethereum funds.
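The clipboard swap described above is simple string substitution, which is also why it can be caught: the address that comes out of the clipboard should be the one that went in. The following Python example, added here and not part of the original article or of ESET’s analysis, shows both halves: `clipper_rewrite` does what a clipper does to copied text, and `detect_address_swap` is the check a wallet or a cautious user can apply before confirming a transaction. The address patterns cover only Ethereum and legacy Bitcoin addresses, and every address in the sample is constructed (repeated characters), not a real wallet.

```python
import re

# Address patterns for the two chains used in this example. Real clippers carry
# patterns for many more coins; two are enough to show the technique.
ADDRESS_PATTERNS = {
    # Ethereum: 0x followed by 40 hex digits.
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    # Bitcoin legacy (P2PKH/P2SH): starts with 1 or 3, Base58 (no 0, O, I, l).
    "btc": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
}


def find_addresses(text):
    """Return (chain, address) pairs in the order they appear in text."""
    found = []
    for chain, pattern in ADDRESS_PATTERNS.items():
        for m in pattern.finditer(text):
            found.append((m.start(), chain, m.group(0)))
    return [(chain, addr) for _, chain, addr in sorted(found)]


def clipper_rewrite(clipboard_text, attacker_addresses):
    """What a clipper does to clipboard contents: every recognised address is
    replaced with the attacker's address for the same chain. Addresses for
    chains the attacker has no wallet for are left untouched."""
    rewritten = clipboard_text
    for chain, pattern in ADDRESS_PATTERNS.items():
        if chain in attacker_addresses:
            attacker = attacker_addresses[chain]
            rewritten = pattern.sub(lambda m, a=attacker: a, rewritten)
    return rewritten


def detect_address_swap(copied_text, pasted_text):
    """Defensive check: compare the addresses the user copied with the ones that
    actually came out of the clipboard. Returns a list of
    (chain, expected_address, found_address); an empty list means no swap."""
    expected = find_addresses(copied_text)
    actual = find_addresses(pasted_text)
    mismatches = []
    for (chain_e, addr_e), (chain_a, addr_a) in zip(expected, actual):
        if chain_e != chain_a or addr_e != addr_a:
            mismatches.append((chain_e, addr_e, addr_a))
    if len(expected) != len(actual):
        # An address vanished or appeared; report it as a count mismatch.
        mismatches.append(("count", str(len(expected)), str(len(actual))))
    return mismatches


# Constructed sample data: these are not real wallets.
VICTIM_ETH = "0x" + "1" * 40
VICTIM_BTC = "1" + "Demo" * 8
ATTACKER_WALLETS = {"eth": "0x" + "2" * 40, "btc": "1" + "Attacker" * 4}


def demo():
    """Simulate copy, clipper rewrite, paste, and the check before sending."""
    copied = "Pay ETH to " + VICTIM_ETH + " or BTC to " + VICTIM_BTC
    pasted = clipper_rewrite(copied, ATTACKER_WALLETS)   # the infected clipboard
    return detect_address_swap(copied, pasted)


if __name__ == "__main__":
    for chain, expected, found in demo():
        print(f"{chain}: expected {expected}, clipboard gave {found}")
```

The check only works if the wallet has something to compare against, such as the address typed or scanned in the first place, or at least the first and last few characters the user confirms by eye; a clipper’s replacement address is itself well-formed, so checksum validation alone will not catch it.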

Such recent attacks emphasize the need for organizations to put measures in place to counter the increasing threat of cryptomining malware.

The Prevalence of Crypto Malware

A recent report from security vendor Check Point revealed that cryptominers infected 10 times more organizations than ransomware did last year. While crypto malware is increasing many-fold, only one in five IT security professionals are aware of their company’s network being infected by mining malware, the report stated.

It further said that 37 percent of organizations globally were hit by cryptominers last year and that 2 percent of companies globally continue to be hit by cryptomining attacks every week.

Numerous other reports point to the recent alarming increase in cryptomining. Unauthorized cryptomining has become so prevalent that over 500 million users are mining cryptocurrency on their devices without realizing it, says ad-blocking firm AdGuard.

Yet another report, from McAfee Labs, found that cryptojacking malware activity rose by over 4,000 percent in 2018. The company earlier said that cryptojacking rose by a staggering 629 percent in the first quarter of 2018 alone.

While most cryptojacking and cryptomining malware targets laptops and desktops, some of it targets smartphones and tablets instead. One such powerful cryptomining program, dubbed Loapi, hijacks an Android smartphone’s processor to mine cryptocurrency, and runs it so hard that the phone’s battery can overheat and be physically damaged.

In addition to malware, cybercriminals have also turned to browser-based cryptocurrency mining to generate revenue. One such program is CoinHive, a JavaScript miner that taps the processing power of a website’s visitors’ computers to mine Monero for as long as the page stays open. Following CoinHive are JSEcoin, another JavaScript miner that can be embedded into websites and runs directly in the browser, and Cryptoloot, a CoinHive alternative.

Maya Horowitz, threat intelligence and research manager at Check Point, said: “The diversity of the malware in the Index means that it is critical that enterprises employ a multi-layered cybersecurity strategy that protects against both established malware families and brand new threats.”

Monero is so far the most popular cryptocurrency among hackers. Hackers have mined close to 5 percent of all Monero in circulation, a recent study says. Monero miners are easy to deploy and cheap to run, which means attackers can turn a good profit, and Monero’s privacy features make it easy for them to hide their identity when illicitly mining XMR.

“Cybercriminals prefer XMR because of one thing: it’s confidential and cryptojackers don’t need to focus on organizations and authorities that follow what they do with a coin after its excavation. Secondly: Monero uses the Proof-of-Work calculation, the CPU is the same as for the GPU, therefore, damaged PCs are economical. These two aspects are progressive features, so hackers prefer to mine Monero rather than different digital currencies,” said Justin Ehrenhofer, the head of the malware response team at Monero.

The evolution of these infections indicates that attackers find cryptominers an effective opportunity and will continue to use them in their payloads.

Best Practices

The researchers at Palo Alto Networks suggested that crypto users should keep an eye on their “security settings and digital assets to prevent compromise and leakage.”

Several such attacks are being monitored as part of efforts to combat them. Last October, Google announced new restrictions on Chrome Web Store extensions that likely affected cryptojackers: Chrome extensions submitted to the Web Store would no longer be accepted if they contained “obfuscated” code.

While there was no specific reference to any particular form of extension, Google’s decision came in the wake of the increasing surreptitious use of extensions to mine cryptocurrency.

Mozilla is now implementing code to block cryptomining and fingerprinting in the Firefox browser. According to a report, Mozilla will add the blocking option to the Custom settings of the Content Blocking feature; selecting “Cryptominers” there will display all sites on which miners are currently being detected.
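Browser-side blockers of the kind Mozilla describes work on two signals: the script is loaded from a host known to serve a miner (CoinHive, JSEcoin, Cryptoloot and the like, as mentioned in the browser-mining passage above), or the script behaves like a miner regardless of where it came from. The Python scanner below, an added example rather than Mozilla’s or Google’s code, applies both checks to a page’s HTML. The host list is illustrative and the behavioural hints (a WebAssembly hashing core, Web Workers, a WebSocket to a pool proxy, stratum-style JSON) are an assumption about what a miner typically looks like; the sample page is constructed for the example, and the `CoinHive.Anonymous` call in it mirrors how CoinHive was embedded, with a placeholder site key.

```python
import re
from urllib.parse import urlparse

# Hosts that served in-browser miners at the time of the article. Illustrative
# list only; a real blocker such as Firefox's relies on a maintained blocklist.
MINER_HOSTS = {"coinhive.com", "coin-hive.com", "jsecoin.com", "crypto-loot.com"}

# Behavioural hints (assumed typical of browser miners): a WebAssembly hashing
# core, work fanned out to Web Workers, a WebSocket to a pool proxy, and
# stratum-style login/submit messages. A single hint is weak (chat widgets use
# WebSockets too), so a script is flagged on two hints or on a known miner API.
BEHAVIOUR_HINTS = [
    ("webassembly", re.compile(r"WebAssembly\.(instantiate|compile|Module)")),
    ("worker", re.compile(r"new\s+Worker\s*\(")),
    ("websocket", re.compile(r"new\s+WebSocket\s*\(")),
    ("stratum", re.compile(r"stratum\+tcp://|\"method\"\s*:\s*\"(login|submit)\"")),
    ("miner_api", re.compile(r"CoinHive\.(Anonymous|User)\s*\(")),
]

SCRIPT_SRC = re.compile(r"<script[^>]+src\s*=\s*['\"]([^'\"]+)['\"]", re.I)
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.I | re.S)


def is_miner_host(url):
    """True if the script URL points at a blocklisted host or a subdomain of one."""
    host = urlparse(url).hostname
    if not host:
        return False          # relative URL: same origin, nothing to match
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in MINER_HOSTS)


def scan_page(html):
    """Return a list of (finding, detail) tuples for the given HTML document."""
    findings = []
    for src in SCRIPT_SRC.findall(html):
        if is_miner_host(src):
            findings.append(("blocklisted_host", urlparse(src).hostname.lower()))
    for body in INLINE_SCRIPT.findall(html):
        hints = [name for name, pattern in BEHAVIOUR_HINTS if pattern.search(body)]
        if "miner_api" in hints or len(hints) >= 2:
            findings.append(("miner_like_script", ",".join(hints)))
    return findings


# Constructed sample page: one blocklisted include, one CoinHive-style start
# call, one anonymous miner-like script, and one harmless chat widget.
SAMPLE_PAGE = """
<html><head>
<script src="https://cdn.example.net/jquery.min.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</head><body>
<script>
  var w = new Worker('/assets/hash.js');
  WebAssembly.instantiate(buf).then(function (m) { w.postMessage(m); });
  var sock = new WebSocket('wss://proxy.example.org/');
</script>
<script>
  var ws = new WebSocket('wss://chat.example.com/');  // ordinary chat widget
</script>
</body></html>
"""

if __name__ == "__main__":
    for finding, detail in scan_page(SAMPLE_PAGE):
        print(f"{finding}: {detail}")
```

The host check is what a blocklist gives you and nothing more: a miner served from a fresh domain passes it, which is why the behavioural check matters, and why Google’s refusal of obfuscated extension code is a meaningful complement, since obfuscation is the usual way to hide exactly these strings.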

Despite these improvements, cryptomining malware remains a serious threat that companies and individuals need to protect their systems against. Falling victim to such attacks, or paying a ransom when ransomware strikes, only encourages attackers to go after more victims. To combat them, researchers and experts strongly recommend installing a security solution that can detect such threats. Backing up important documents and files is also good practice, so that they are not lost when an attack occurs.