Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:48 PM
Connect Directly

Microsoft Report Details Different Forms of Cryptominers

A new report explores different ways legitimate and malicious coin miners are appearing in the enterprise.

The future of digital currencies may be ambiguous, but their effect on cybercrime is crystal-clear. Cryptocurrencies have changed criminals' motivation and the nature of cyberattacks.

As consumers explored the new frontier of digital wealth, so too have cybercriminals and malware developers. Both the anonymity and sharp value increase of cryptocurrency appeal to threat actors, who have most notably used Bitcoin to extort funds from ransomware victims.

Criminal activity related to cryptocurrency has driven a surge in different forms of cryptocurrency miners, otherwise known as cryptominers or coin miners. Microsoft's Alden Pornasdoro, Michael Johnson, and Eric Avena, all with the Windows Defender Research team, have published a new report on the rise of various coin miners and their enterprise presence.

"Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger," the researchers explain. It's not malicious, but it does require hefty computing resources to generate coins. Many people and businesses invest in the equipment to legitimately do it. Some people don’t want to make this infrastructure investment, and instead explore ways to use coin mining code to tap into the computing resources of somebody else’s devices.

For cybercriminals, this is a chance to build coin miners and use them nefariously. The researchers' report digs into the details of coin mining malware, web-based mining scripts, and legitimate but unauthorized cryptomining applications, and how they are deployed and used.

Trojanized coin miners

Oftentimes, cybercriminals change existing cryptominers and drop them on target computers using malware, social engineering, and exploits. Between Sept. 2017 and Jan. 2018, an average of 644,000 machines encountered coin mining malware each month, Microsoft states. Some are more sophisticated than others, using exploits or self-distributing malware to spread.

"The vast majority of attacks are financially motivated and based on the return-on-investment for attackers," says Kevin Epstein, vice president of Threat Operations at Proofpoint. As ransomware campaigns have proven less lucrative amid growing consumer awareness, many criminals are turning to cryptominers and integrating coin mining into Trojans to make money.

Exploit kits, once used to mainly deploy banking Trojans and, most recently, ransomware, are now used to spread coin miners. Researchers point to the example of DDE exploits: One sample of the malware is delivered as a malicious Word document that launches a PowerShell script and downloads a Trojanized version of Monero cryptominer XMRig. Some criminals use social engineering: one malicious file called "flashupdate," disguised as Flash Player, also uses an altered version of XMRig. 

Once a coin miner makes its way onto a target machine, it aims to stay there.

"For cryptocurrency miners, persistence is a key element," Microsoft researchers explain. "The longer they stay memory-resident and undetected, the longer they can mine using stolen computer resources." Criminals use scheduled tasks, autostart registry entries, code injection, and other fileless techniques to maintain their presence by evading detection.

Browser-based miners

Some coin-mining scripts are hosted on websites, a trend also known as "cryptojacking" that has increased amid the interest in cryptocurrency. These websites mine coins using the computing power of people who visit. Some sites prompt visitors to run the script; others do not.

To keep people from leaving, some of these malicious sites host video streams. Researchers have also found tech support scam sites that double as coin miners. Visitors are distracted with pop-ups and stay on the site as criminals mine coins in the background.

Legitimate miners, illegitimate use

A growing enterprise problem is the presence of legitimate but unauthorized coin miners that people use in business environments because they don't want to use their resources at home. These drive energy consumption and costs, and are tougher for security teams to detect because they don't arrive through traditional infection vectors.

Microsoft reports in 2018, Windows enterprise users running potentially unwanted application (PUA) protection saw coin miners on more than 1,800 enterprise machines. The number is expected to increase as organizations keep a closer eye out for these programs.

PUAs are different from Trojanized miners, which are considered malware, and "unwanted software," which are considered harmful because they change Windows without users' control. PUA protection, enabled by default in the System Center Configuration Manager, can be configured by security admins with PowerShell cmdlets or Microsoft Intune.

Windows Defender antivirus blocks PUAs when users attempt to install programs meeting certain conditions, researchers explain. These mostly include software bundling programs, browser modifiers, and programs with poor reputations. They increasingly include coin miners, which made up 2% of PUAs in Sept. 2017 and 6% of PUAs in Jan. 2018.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here#InteropITX 2018 Early Bird Rates Expire March 16. Use Promo Code 200KS to Save an Extra $200.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
3/16/2018 | 9:41:13 AM
Re: Link to Report
Apologies, will update with the link but in the meantime, you can find it here: https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/invisible-resource-thieves-the-increasing-threat-of-cryptocurrency-miners/
User Rank: Apprentice
3/16/2018 | 8:30:08 AM
Link to Report
Disappointed there is no link to the cited Microsoft report.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
PUBLISHED: 2019-12-12
In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver.
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf ...
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table att...
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of...