Why Cryptomining Malware Is a Harbinger of Future Attacks

Crypto thieves rely on users not noticing installation of their tiny payload on thousands of machines, or the CPU cycles being siphoned off to perpetuate the schemes.

In the cult classic film Office Space, a disgruntled employee and his friends decide to install a malicious piece of software on their employer’s computer to skim a fraction of a cent off of each transaction. Their rationale was that rounding up each individual transaction by such a small amount would go completely unnoticed by the bank and its customers, and that over the course of several months or years of stealing pennies from millions of transactions, they could amass a small fortune.

Modern cryptomining malware campaigns operate under a similar model: By installing a small piece of code, typically delivered as a drive-by download on a Web browser, a cybercriminal can quietly siphon off idle CPU cycles and use that processing power to mint an assortment of digital coins, such as Bitcoin (which has become the fiat currency of the digital economy) or any number of exotic alt-coins that have emerged over the past couple of years.

In a similar vein to the hapless crew in Office Space, today’s generation of crypto thieves are counting on users not even noticing that their machines are expending surplus cycles crunching mathematical equations while simultaneously looking to scale their potential earnings by installing their tiny payload on thousands of machines across the globe.

As is the case with practically any economic behavior, it’s all about incentives and deterrents. Weighing heavily on the incentives side of the ledger is the obvious financial reward, which while not as lucrative as other campaigns such as ransomware, carries the added benefit of being practically risk-free, especially since only a handful of individuals have been arrested from these global operations.

With the estimated value of the entire crypto market estimated to now reach $2 trillion in total assets, it’s hardly surprising that threat actors are wielding malicious cryptomining software as the pointed tip of their hacking spear.

Follow the Monero
The role and nature of cryptocurrency itself is of course what has enabled ransomware operators to successfully perpetrate their schemes. Without the benefit of an anonymized currency, the means to monetize these campaigns would vanish.

While Bitcoin continues to be a popular vehicle for operators to secure payment, it’s not as anonymous as many believe it to be since all transactions can be traced to a public blockchain. While there are a variety of ways criminals can make those funds more difficult to track by using tumblers and other obfuscation techniques, the emergence of anonymous-by-design digital currencies such as Monero and zCash provide them with the cloak they need to operate relatively risk free.

The reason why Monero has become the preferred currency for illicit mining can be boiled down to two simple facts. For one, it was designed to run on standard, nonspecialized hardware, making it a prime candidate for installation on unsuspecting systems of users around the world. Second, Monero’s focus on privacy has made it an ideal vehicle for criminal organizations to mask their identity and evade law enforcement, which is why major ransomware operators such as Revil/Sodinokibi have begun offering discounts for victims who remit their payments in Monero.

According to one analysis, 4.4% of all Monero that has been mined is estimated to have been the result of malicious cryptomining operations. While that analysis was conducted in 2019, if that proportion remains true, this would account for a total value in excess of $150 million — a healthy profit that comes with little in the way of consequence.

The Crypto Canary is Calling
Every successful cryptomining campaign shares one common element: A machine in some way has been successfully compromised. While in many cases the compromise might be something seemingly innocuous, it points to a more systemic issue that, if left unchecked, could provide  hackers with the cover they need to execute a more serious attack in the future.

We can think of these cryptomining infections like the ill-fated canary that coal miners would bring down with them into the coal shafts to serve as a primitive early-warning system for toxic air. In a similar fashion, the presence of unauthorized cryptomining software in the network is a clear indicator that your network is communicating with an adversary.

According to security researchers at Microsoft, threat actors are also using Monero cryptojacking campaigns to serve as a decoy for more sophisticated, multipronged attacks. The researchers realized that the operators intentionally designed the campaign to be conspicuous, hoping to distract the incident response team enough to mask their true and more nefarious intentions: A credential theft campaign would provide the group with access to sensitive government systems.

More critically, these groups also have come to realize that if a cryptojacking attack goes undetected for a period of time, it's more likely they will have success seeding a more advanced exploit. And if it fails, at least there is a small profit to be made. According to Malwarebytes, many cryptojacking attacks have “morphed into hijacking everything from Android phones through malicious apps to entire organization networks.”

It’s easy to write off cryptomining malware as a nuisance threat. The fact that many of these installations have been in place sometimes for months or even years should set off alarm bells. But by ignoring it, you could very well be inviting something far more malevolent in the not so distant future.

Editors' Choice
Ericka Chickowski, Contributing Writer, Dark Reading
Lorna Mitchell, Head of Developer Relations, Aiven