The future of digital currencies may be ambiguous, but their effect on cybercrime is crystal-clear. Cryptocurrencies have changed criminals' motivation and the nature of cyberattacks.
As consumers explored the new frontier of digital wealth, so too have cybercriminals and malware developers. Both the anonymity and sharp value increase of cryptocurrency appeal to threat actors, who have most notably used Bitcoin to extort funds from ransomware victims.
Criminal activity related to cryptocurrency has driven a surge in different forms of cryptocurrency miners, otherwise known as cryptominers or coin miners. Microsoft's Alden Pornasdoro, Michael Johnson, and Eric Avena, all with the Windows Defender Research team, have published a new report on the rise of various coin miners and their enterprise presence.
"Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger," the researchers explain. It's not malicious, but it does require hefty computing resources to generate coins. Many people and businesses invest in the equipment to legitimately do it. Some people don’t want to make this infrastructure investment, and instead explore ways to use coin mining code to tap into the computing resources of somebody else’s devices.
For cybercriminals, this is a chance to build coin miners and use them nefariously. The researchers' report digs into the details of coin mining malware, web-based mining scripts, and legitimate but unauthorized cryptomining applications, and how they are deployed and used.
Trojanized coin miners
Oftentimes, cybercriminals change existing cryptominers and drop them on target computers using malware, social engineering, and exploits. Between Sept. 2017 and Jan. 2018, an average of 644,000 machines encountered coin mining malware each month, Microsoft states. Some are more sophisticated than others, using exploits or self-distributing malware to spread.
"The vast majority of attacks are financially motivated and based on the return-on-investment for attackers," says Kevin Epstein, vice president of Threat Operations at Proofpoint. As ransomware campaigns have proven less lucrative amid growing consumer awareness, many criminals are turning to cryptominers and integrating coin mining into Trojans to make money.
Exploit kits, once used to mainly deploy banking Trojans and, most recently, ransomware, are now used to spread coin miners. Researchers point to the example of DDE exploits: One sample of the malware is delivered as a malicious Word document that launches a PowerShell script and downloads a Trojanized version of Monero cryptominer XMRig. Some criminals use social engineering: one malicious file called "flashupdate," disguised as Flash Player, also uses an altered version of XMRig.
Once a coin miner makes its way onto a target machine, it aims to stay there.
"For cryptocurrency miners, persistence is a key element," Microsoft researchers explain. "The longer they stay memory-resident and undetected, the longer they can mine using stolen computer resources." Criminals use scheduled tasks, autostart registry entries, code injection, and other fileless techniques to maintain their presence by evading detection.
Some coin-mining scripts are hosted on websites, a trend also known as "cryptojacking" that has increased amid the interest in cryptocurrency. These websites mine coins using the computing power of people who visit. Some sites prompt visitors to run the script; others do not.
To keep people from leaving, some of these malicious sites host video streams. Researchers have also found tech support scam sites that double as coin miners. Visitors are distracted with pop-ups and stay on the site as criminals mine coins in the background.
Legitimate miners, illegitimate use
A growing enterprise problem is the presence of legitimate but unauthorized coin miners that people use in business environments because they don't want to use their resources at home. These drive energy consumption and costs, and are tougher for security teams to detect because they don't arrive through traditional infection vectors.
Microsoft reports in 2018, Windows enterprise users running potentially unwanted application (PUA) protection saw coin miners on more than 1,800 enterprise machines. The number is expected to increase as organizations keep a closer eye out for these programs.
PUAs are different from Trojanized miners, which are considered malware, and "unwanted software," which are considered harmful because they change Windows without users' control. PUA protection, enabled by default in the System Center Configuration Manager, can be configured by security admins with PowerShell cmdlets or Microsoft Intune.
Windows Defender antivirus blocks PUAs when users attempt to install programs meeting certain conditions, researchers explain. These mostly include software bundling programs, browser modifiers, and programs with poor reputations. They increasingly include coin miners, which made up 2% of PUAs in Sept. 2017 and 6% of PUAs in Jan. 2018.
Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. #InteropITX 2018 Early Bird Rates Expire March 16. Use Promo Code 200KS to Save an Extra $200.