7 Cryptominers & Cryptomining Botnets You Can't Ignore
Cryptominers have emerged as a major threat to organizations worldwide. Here are seven you cannot afford to ignore.
February 21, 2018
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltb09348dcedc4ab0c/64f0d9695694092fa58492a7/01-cryptotrends.jpg?width=700&auto=webp&quality=80&disable=upscale)
Cryptocurrency mining has emerged as the new big threat for organizations worldwide.
Many cybercriminals, looking to cash in on the crypto-craze, have begun hijacking computers and using their resources secretly to mine for cryptocurrencies.
One tactic has been to install miners for popular cryptocurrencies, especially Monero, on host systems and enroll them in massive cryptomining botnets. Another has been to embed mining scripts in websites and secretly use the computing resources of visitors to mine Monero and other digital currencies in the browser. Research released by Imperva on Tuesday (February 20, 2018) also reported that 88% of all remote code execution attacks it observed in December 2017 directed the targeted servers to cryptomining malware download sites.
The trend has hit individuals and businesses hard. Vendors have reported numerous businesses suffering major operational disruptions after mining tools were installed on servers and other business systems. In a report this week, Check Point Software Technologies estimated that 23% of organizations worldwide appear to have been affected by the Coinhive mining tool alone, and the company's list of top 10 malware threats for January 2018 includes three cryptomining tools.
Here, in no particular order, are seven of the most prolific cryptocurrency miners and botnets currently plaguing users globally.
The Smominru Monero mining botnet comprises more than 520,000 Windows hosts, most of them servers. Its operators have been using EternalBlue, the leaked NSA exploit for the SMBv1 flaw patched in MS17-010, to infect systems worldwide with the Smominru miner and enroll them in the botnet, according to security vendor Proofpoint, which first discovered it.
By the end of January 2018 the operation had mined some 8,900 Monero, worth upwards of $2.8 million at the time, and Proofpoint estimated it was adding roughly 24 Monero (about $8,500) per day. Because many of the infected systems are servers, the potential performance impact on affected businesses is high, Proofpoint noted.
WannaMine, discovered by Panda Security in October 2017, is another of the many Monero miners. Panda has described it as particularly troubling because of how aggressively it tries to consume the processor and RAM of infected systems.
CrowdStrike has described it as designed to propagate effectively within corporate networks: it uses the Mimikatz credential harvester to acquire credentials for lateral movement and, if that fails, falls back to the NSA's EternalBlue exploit to reach other systems.
Adylkuzz attracted considerable attention in May 2017 as one of the first malware tools after WannaCry to spread using the NSA's EternalBlue and DoublePulsar exploits. Like many other such tools, Adylkuzz is a Monero miner. One noteworthy feature is that it shuts down SMB networking on infected systems to prevent other malware from being loaded onto them (a side effect is that it also blocks further EternalBlue infections, which spread over SMB).
Proofpoint estimated the malware was distributed on hundreds of thousands of systems worldwide. According to Proofpoint, Adylkuzz may have been larger in scale even than WannaCry in terms of infected systems.
JSECoin is a Coinhive-like JavaScript miner that gives site owners a way to earn revenue by embedding a miner in their web pages. As with Coinhive, the mining runs in visitors' browsers while they are on a page that embeds the script. Unlike Coinhive, JSECoin caps CPU usage at between 15% and 25% of maximum and always displays a privacy notice with an opt-out link, according to AdGuard. Even so, Check Point this month put the miner on its list of the 10 most-wanted malware tools.
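Because JSECoin and Coinhive both arrive as a script tag plus an API call in the visitor's page, a site owner, a crawler or a proxy can check for them statically. The following is an added example for this article, not code from Coinhive, JSECoin, AdGuard or Check Point: it scans a page's HTML for miner loader hosts and for Coinhive's `CoinHive.Anonymous(...)` call, and converts Coinhive's `throttle` option (the fraction of time the worker threads idle) into an approximate CPU share so the reviewer can compare it with the 15% to 25% cap JSECoin advertises. coinhive.com and authedmine.com are Coinhive's loader hosts; load.jsecoin.com is assumed here to be JSECoin's loader host, and the three sample pages are constructed.

```python
"""Flag in-browser cryptominers embedded in a web page (added example; not code
from Coinhive, JSECoin, AdGuard or Check Point).

Assumptions, labelled here and in comments: Coinhive's loader was served from
coinhive.com/lib/coinhive.min.js (authedmine.com for the opt-in variant) and its
API was `new CoinHive.Anonymous(siteKey, {throttle: 0..1})`, where `throttle` is
the fraction of time the worker threads idle; `load.jsecoin.com` is assumed to
be the JSECoin loader host. The sample pages are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hosts whose scripts are miner loaders. Matched on the script's hostname, so a
# copy re-hosted elsewhere (a common evasion) is only caught by the API check.
MINER_SCRIPT_HOSTS = ("coinhive.com", "authedmine.com", "load.jsecoin.com")  # jsecoin host assumed

SCRIPT_SRC = re.compile(r'<script[^>]+\bsrc=["\']([^"\']+)["\']', re.I)
COINHIVE_API = re.compile(r'\bCoinHive\.(Anonymous|User|Token)\s*\(')
THROTTLE = re.compile(r'\bthrottle\s*:\s*(0(?:\.\d+)?|1(?:\.0+)?)')


@dataclass
class Finding:
    kind: str                  # "miner-script" or "miner-api"
    detail: str                # script URL, or the API call that matched
    cpu_pct: Optional[float]   # estimated CPU share, when the page lets us derive it


def _host(url: str) -> str:
    """Hostname of a script URL; handles https://..., //cdn/... and bare paths."""
    no_scheme = url.split("//", 1)[1] if "//" in url else ""
    return no_scheme.split("/", 1)[0].split(":", 1)[0].lower()


def scan_html(html: str) -> List[Finding]:
    findings: List[Finding] = []
    for src in SCRIPT_SRC.findall(html):
        host = _host(src)
        if any(host == h or host.endswith("." + h) for h in MINER_SCRIPT_HOSTS):
            findings.append(Finding("miner-script", src, None))
    api = COINHIVE_API.search(html)
    if api:
        t = THROTTLE.search(html)
        # throttle 0.3 => threads idle 30% of the time => ~70% CPU; no throttle => 100%
        cpu = round(100 * (1 - float(t.group(1))), 1) if t else 100.0
        findings.append(Finding("miner-api", api.group(0).rstrip("("), cpu))
    return findings


# Constructed sample pages (not real sites); the site key is a placeholder.
PAGE_COINHIVE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLE_SITE_KEY', {throttle: 0.3});
  miner.start();
</script></head><body>Hello</body></html>"""

PAGE_JSECOIN = """<html><head>
<script src="https://load.jsecoin.com/load/1234/0/0/0/"></script>
</head><body>Hello</body></html>"""

PAGE_CLEAN = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for name, page in (("coinhive", PAGE_COINHIVE), ("jsecoin", PAGE_JSECOIN), ("clean", PAGE_CLEAN)):
        print(name, scan_html(page))
```

The hostname check alone is weak: a miner copied to the site's own CDN or inlined into a bundle will not hit it, which is why the API pattern runs on the whole document regardless of where the script was loaded from. A throttle of 0.3 still means roughly 70% of a visitor's CPU, so a privacy notice and an opt-out link, as JSECoin provides, are a policy difference rather than a technical one from the detector's point of view.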
Bondnet is a cryptocurrency botnet used to mine several digital currencies. It consists of upwards of 15,000 servers of varying power, according to GuardiCore, which first reported on it in May 2017. The botnet's victims include global companies, city governments, universities, and public institutions, the vendor noted.
The operators have tended to use a variety of publicly known exploits to break into Windows servers and install a Trojan that uses Windows Management Instrumentation (WMI) to communicate with a remote command-and-control server. GuardiCore has noted that the botnet could easily be repurposed to launch DDoS attacks.
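Whatever the entry vector, Smominru, WannaMine, Adylkuzz and Bondnet all end up as a mining process on a server talking to a pool, so the host-level triage is the same for each. The following is an added example for this article, not code from Proofpoint, CrowdStrike or GuardiCore: it scores process records against independent indicators (a stratum pool URL on the command line, a Monero-shaped wallet address, a known miner binary name, an outbound connection to a port pools commonly use, and sustained CPU) and flags only processes that show two or more, so a legitimately busy JVM is not reported on CPU alone. The pool-port list is a heuristic, and the process records and wallet string are constructed for the example; on a live host they would come from `ps`/`netstat` or psutil.

```python
"""Triage running processes for cryptominer indicators (added example; not code
from Proofpoint, CrowdStrike or GuardiCore).

Assumptions: stratum+tcp:// and stratum+ssl:// are the pool-protocol schemes
miners take on the command line; the ports below are ones pools commonly listen
on (a heuristic, not a complete list); a standard Monero address is 95 base58
characters starting with 4 (8 for subaddresses). The process records are
constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

KNOWN_MINER_NAMES = {"xmrig", "xmrig.exe", "minerd", "xmr-stak", "cpuminer", "cpuminer-multi"}
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}          # heuristic
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl)://[^\s'\"]+", re.I)
MONERO_ADDR = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")


@dataclass
class Proc:
    pid: int
    name: str
    cmdline: str
    cpu_pct: float                        # averaged over a sampling window, not an instant
    remote: Optional[Tuple[str, int]]     # established outbound connection, if any


def indicators(p: Proc) -> List[str]:
    """Independent reasons to suspect a process. A name alone proves nothing:
    droppers routinely rename the miner to look like a system binary."""
    reasons = []
    if p.name.lower() in KNOWN_MINER_NAMES:
        reasons.append("known miner binary name")
    m = STRATUM_URL.search(p.cmdline)
    if m:
        reasons.append(f"stratum pool URL {m.group(0)}")
    if MONERO_ADDR.search(p.cmdline):
        reasons.append("Monero wallet address in arguments")
    if p.remote and p.remote[1] in COMMON_POOL_PORTS:
        reasons.append(f"outbound connection to common pool port {p.remote[1]}")
    if p.cpu_pct >= 90.0:
        reasons.append("sustained CPU above 90%")
    return reasons


def triage(procs: List[Proc], min_reasons: int = 2) -> List[Tuple[int, List[str]]]:
    """Require at least two independent indicators so a busy JVM or build job
    with high CPU alone is not flagged."""
    hits = []
    for p in procs:
        r = indicators(p)
        if len(r) >= min_reasons:
            hits.append((p.pid, r))
    return hits


# Constructed sample: a miner renamed to svchost.exe, a legitimate busy JVM,
# and an undisguised xmrig. FAKE_WALLET is shaped like a Monero address only.
FAKE_WALLET = "4" + "A" * 94
SAMPLE_PROCS = [
    Proc(4120, "svchost.exe",
         f"svchost.exe -o stratum+tcp://pool.example.net:3333 -u {FAKE_WALLET} -p x",
         97.5, ("203.0.113.50", 3333)),
    Proc(2231, "java", "java -Xmx4g -jar app.jar", 95.0, ("10.0.0.5", 5432)),
    Proc(5002, "xmrig", "xmrig --config=config.json", 88.0, ("203.0.113.51", 14444)),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_PROCS):
        print(pid, reasons)
```

The renamed process is caught by what it does, not what it is called, which is the point of scoring several weak signals together. The xmrig case shows the converse: the config-file form hides the pool URL and wallet from the command line, so the name and the pool-port connection are what remain, and a miner that also uses port 443 would need the CPU or name signal to cross the threshold.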
Researchers at F5 Networks have described PyCryptoMiner as a Python-based botnet that has largely been flying under the radar for some time.
The Linux-based botnet spreads over SSH and is used to mine Monero. As of late December 2017, its operators appeared to have made at least $46,000 from mining the cryptocurrency.
One noteworthy feature of PyCryptoMiner is its use of Pastebin.com to publish new command-and-control server addresses if the original server is taken down or otherwise becomes unavailable, according to F5. As of mid-December 2017, the malware had also acquired new functionality for scanning for vulnerable JBoss systems.
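A botnet that spreads over SSH leaves its trail in sshd's auth log on every host it touches, which makes the spread itself detectable before any mining starts. The following is an added example for this article, not F5's code or PyCryptoMiner's: it parses sshd "Failed password"/"Accepted" lines, raises one alert when a single source crosses a failure threshold inside a time window, and a second, higher-priority alert when that same source then logs in successfully. It assumes "spreads over SSH" means password guessing against accounts such as root; the log excerpt is constructed (TEST-NET addresses) and, since syslog lines carry no year, 2017 is assumed.

```python
"""Spot SSH password-guessing and the login that follows it in sshd logs
(added example; not F5's code or PyCryptoMiner's).

Assumption: "spreads over SSH" means guessing passwords for accounts such as
root, so the signal is a burst of "Failed password" lines from one source
followed by an "Accepted" line from the same source. The log lines below are
constructed (TEST-NET addresses); syslog carries no year, so 2017 is assumed.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

ASSUMED_YEAR = 2017   # assumption: syslog timestamps have no year

SSHD_AUTH = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\w+)\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\sport\s\d+"
)


def parse_auth_line(line: str) -> Optional[dict]:
    m = SSHD_AUTH.match(line)
    if not m:
        return None           # session/pam/disconnect lines are not auth outcomes
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{ASSUMED_YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def detect(lines: List[str], threshold: int = 5, window_s: int = 120) -> List[Tuple[str, str, str]]:
    """Return (alert, source_ip, user) tuples.
    brute-force: `threshold` failures from one IP inside `window_s` seconds.
    success-after-bruteforce: an Accepted login from an IP that just crossed it."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
        if ev["result"] == "Failed":
            recent.append(ts)
            if len(recent) == threshold:      # fire once, as the threshold is crossed
                alerts.append(("brute-force", ip, ev["user"]))
        elif len(recent) >= threshold:
            alerts.append(("success-after-bruteforce", ip, ev["user"]))
        failures[ip] = recent
    return alerts


# Constructed sshd log excerpt: a guessing burst that ends in a root login,
# then an admin's routine key-based login that must not be flagged.
SAMPLE_LOG = """\
Dec 14 03:21:07 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 50312 ssh2
Dec 14 03:21:09 web01 sshd[2213]: Failed password for root from 203.0.113.9 port 50314 ssh2
Dec 14 03:21:11 web01 sshd[2215]: Failed password for invalid user admin from 203.0.113.9 port 50316 ssh2
Dec 14 03:21:13 web01 sshd[2217]: Failed password for invalid user test from 203.0.113.9 port 50318 ssh2
Dec 14 03:21:15 web01 sshd[2219]: Failed password for root from 203.0.113.9 port 50320 ssh2
Dec 14 03:21:17 web01 sshd[2221]: Failed password for root from 203.0.113.9 port 50322 ssh2
Dec 14 03:21:19 web01 sshd[2223]: Accepted password for root from 203.0.113.9 port 50324 ssh2
Dec 14 03:21:19 web01 sshd[2223]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 14 03:25:40 web01 sshd[2300]: Failed password for deploy from 198.51.100.7 port 41002 ssh2
Dec 14 03:25:44 web01 sshd[2302]: Accepted publickey for deploy from 198.51.100.7 port 41004 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The second alert is the one worth paging on: a successful password login right after a burst of failures from the same source is how a PyCryptoMiner-style spread looks on the victim, and the next things to look for on that host are an outbound fetch of a Pastebin page (the fallback C2 channel F5 describes) and scanning from the host toward other SSH or JBoss services.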
Image Source: bbernard via Shutterstock