Cryptojacking: detection, prevention, and recovery

Criminals are using ransomware-like tactics and poisoned web sites to get your employees’ computers to mine cryptocurrencies. Here’s what you can do to stop it, writes Michael Nadeau
Image: Stockfresh

4 November 2019

Cryptojacking is the unauthorised use of someone else’s computer to mine cryptocurrency. Hackers do this by either getting the victim to click on a malicious link in an email that loads cryptomining code on the computer, or by infecting a web site or online ad with JavaScript code that auto-executes once loaded in the victim’s browser.

Either way, the cryptomining code then works in the background as unsuspecting victims use their computers normally. The only sign they might notice is slower performance or lags in execution.

Cryptojacking popularity

No one knows for certain how much cryptocurrency is mined through cryptojacking, but there’s no question that the practice is rampant. Browser-based cryptojacking grew fast at first, but seems to be tapering off, likely because of cryptocurrency volatility.

In November 2017, Adguard reported a 31% growth rate for in-browser cryptojacking. Its research found 33,000 web sites running cryptomining scripts. Adguard estimated that those sites had a billion combined monthly visitors.

In February 2018, Bad Packets Report found 34,474 sites running Coinhive, the most popular JavaScript miner that is also used for legitimate cryptomining activity. In July 2018, Check Point Software Technologies reported that four of the top ten malware it has found are crypto miners, including the top two: Coinhive and Cryptoloot.

However, Positive Technology’s Cybersecurity Threatscape Q1 2019 report shows that cryptomining now accounts for only 7% of all attacks, down from 23% in early 2018. The report suggests that cybercriminals have shifted more to ransomware, which is seen as more profitable.

“Cryptomining is in its infancy. There’s a lot of room for growth and evolution,” says Marc Laliberte, threat analyst at network security solutions provider WatchGuard Technologies. He notes that Coinhive is easy to deploy and generated $300 thousand in its first month. “It’s grown quite a bit since then. It’s really easy money.”

In January 2018, researchers discovered the Smominru cryptomining botnet, which infected more than a half-million machines, mostly in Russia, India, and Taiwan. The botnet targeted Windows servers to mine Monero, and cybersecurity firm Proofpoint estimated that it had generated as much as $3.6 million (€3.23 million) in value as of the end of January.

Cryptojacking doesn’t even require significant technical skills. According to the report, The New Gold Rush Cryptocurrencies Are the New Frontier of Fraud, from Digital Shadows, cryptojacking kits are available on the dark web for as little as $30 (€27).

The simple reason why cryptojacking is becoming more popular with hackers is more money for less risk. “Hackers see cryptojacking as a cheaper, more profitable alternative to ransomware,” says Alex Vaystikh, CTO and cofounder of SecBI. With ransomware, a hacker might get three people to pay for every 100 computers infected, he explains. With cryptojacking, all 100 of those infected machines work for the hacker to mine cryptocurrency. “[The hacker] might make the same as those three ransomware payments, but cryptomining continuously generates money,” he says.

The risk of being caught and identified is also much less than with ransomware. The cryptomining code runs surreptitiously and can go undetected for a long time. Once discovered, it’s very hard to trace back to the source, and the victims have little incentive to do so since nothing was stolen or encrypted. Hackers tend to prefer anonymous cryptocurrencies like Monero and Zcash over the more popular Bitcoin because it is harder to track the illegal activity back to them.

How it works

Hackers have two primary ways to get a victim’s computer to secretly mine cryptocurrencies. One is to trick victims into loading cryptomining code onto their computers. This is done through phishing-like tactics: Victims receive a legitimate-looking email that encourages them to click on a link. The link runs code that places the cryptomining script on the computer. The script then runs in the background as the victim works.

The other method is to inject a script on a web site or an ad that is delivered to multiple web sites. Once victims visit the web site or the infected ad pops up in their browsers, the script automatically executes. No code is stored on the victims’ computers. Whichever method is used, the code runs complex mathematical problems on the victims’ computers and sends the results to a server that the hacker controls.

Hackers often will use both methods to maximise their return. “Attacks use old malware tricks to deliver more reliable and persistent software [to the victims’ computers] as a fall back,” says Vaystikh. For example, of 100 devices mining cryptocurrencies for a hacker, 10% might be generating income from code on the victims’ machines, while 90% do so through their web browsers.

Unlike most other types of malware, cryptojacking scripts do no damage to computers or victims’ data. They do steal CPU processing resources. For individual users, slower computer performance might be just an annoyance. Organisation with many cryptojacked systems can incur real costs in terms of help desk and IT time spent tracking down performance issues and replacing components or systems in the hope of solving the problem.  

Real-world examples

Cryptojackers are a clever lot, and they’ve devised a number of schemes to get other peoples’ computers to mine cryptocurrency. Most are not new; cryptomining delivery methods are often derived from those used for other types of malware such as ransomware or adware. “You’re starting to see a lot of the traditional things mal-authors have done in the past,” says Travis Farral, director of security strategy at Anomali. “Instead of delivering ransomware or a Trojan, they are retooling that to deliver crypto-mining modules or components.”

Spear-fishing PowerGhost steals Windows credentials

The Cyber Threat Alliance’s (CTA’s) The Illicit Cryptocurrency Mining Threat report describes PowerGhost, first analysed by Fortinet, as stealthy malware that can avoid detection in a number of ways. It first uses spear phishing to gain a foothold on a system, and it then steals Windows credentials and leverages Windows Management Instrumentation and the EternalBlue exploit to spread. It then tries to disable antivirus software and competing cryptominers. 

Graboid, a cryptominder worm spread using containers

In October, Palo Alto Networks released a report describing a cryptojacking botnet with self-spreading capabilities. Graboid, as they named it, is the first known cryptomining worm. It spreads by finding Docker Engine deployments that are exposed to the internet without authentication. Palo Alto Networks estimated that Graboid had infected more than 2,000 Docker deployments.

MinerGate variant suspends execution when victim’s computer is in use

According to the CTA report, Palo Alto Networks has analysed a variant of the MinerGate malware family and found an interesting feature. It can detect mouse movement and suspend mining activities. This avoids tipping off the victim, who might otherwise notice a drop in performance.

BadShell uses Windows processes to do its dirty work

A few months ago, Comodo Cybersecurity found malware on a client’s system that used legitimate Windows processes to mine cryptocurrency. Dubbed BadShell it used:

  • PowerShell to execute commands–a PowerShell script injects the malware code into an existing running process
  • Task Scheduler to ensure persistence
  • Registry to hold the malware’s binary code

Details on how BadShell works  can be found in Comodo’s Global Threat Report Q2 2018 Edition.

Rogue employee commandeers company systems

At the EmTech Digital conference earlier this year, Darktrace told the story of a client, a European bank, that was experiencing some unusual traffic patterns on its servers. Night-time processes were running slowly, and the bank’s diagnostic tools didn’t discover anything. Darktrace discovered that new servers were coming online during that time—servers that the bank said didn’t exist. A physical inspection of the data center revealed that a rogue staffer had set up a cryptomining system under the floorboards.

Serving cryptominers through GitHub

In March, Avast Software reported that cryptojackers were using GitHub as a host for cryptomining malware. They find legitimate projects from which they create a forked project. The malware is then hidden in the directory structure of that forked project. Using a phishing scheme, the cryptojackers lure people to download that malware through, for example, a warning to update their Flash player or the promise of an adult content gaming site.

Exploiting an rTorrent vulnerability

Cryptojackers have discovered an rTorrent misconfiguration vulnerability that leaves some rTorrent clients accessible without authentication for XML-RPC communication. They scan the internet for exposed clients and then deploy a Monero cryptominer on them. F5 Networks reported this vulnerability in February, and advises rTorrent users to make sure their clients do not accept outside connections.

Facexworm: Malicious Chrome extension

This malware, first discovered by Kaspersky Labs in 2017, is a Google Chrome extension that uses Facebook Messenger to infect users’ computers. Initially Facexworm delivered adware. Earlier this year, Trend Micro found a variety of Facexworm that targeted cryptocurrency exchanges and was capabile of delivering cryptomining code. It still uses infected Facebook accounts to deliver malicious links, but can also steal web accounts and credentials, which allows it to inject cryptojacking code into those web pages.

WinstarNssmMiner: Scorched earth policy

In May, 360 Total Security identified a cryptominer that spread quickly and proved effective for cryptojackers. Dubbed WinstarNssmMiner, this malware also has a nasty surprise for anyone who tried to remove it: It crashes the victim’s computer. WinstarNssmMiner does this by first launching an svchost.exe process and injecting code into it and setting the spawned process’s attribute to CriticalProcess. Since the computer sees as a critical process, it crashes once the process is removed.

CoinMiner seeks out and destroys competitors

Cryptojacking has become prevalent enough that hackers are designing their malware to find and kill already-running cryptominers on systems they infect. CoinMiner is one example. 

According to Comodo, CoinMiner checks
for the presence of an AMDDriver64 process on Windows systems. Within the CoinMiner
malware are two lists, $malwares and $malwares2, which contain the names of
processes known to be part of other cryptominers. It then kills those

Compromised MikroTik routers spread cryptominers

Bad Packets reported in September last year that it had been monitoring over 80 cryptojacking campaigns that targeted MikroTik routers, providing evidence that hundreds of thousands of devices were compromised. The campaigns exploited a known vulnerability (CVE-2018-14847) for which MikroTik had provided a patch. Not all owners had applied it, however. Since MikroTik produces carrier-grade routers, the cryptojacking perpetrators had broad access to systems that could be infected.

Cryptojacking prevention

Follow these steps to minimise the risk of your organisation falling prey to cryptojacking:

Incorporate the cryptojacking threat into your security awareness training, focusing on phishing-type attempts to load scripts onto users’ computers. “Training will help protect you when technical solutions might fail,” says Laliberte. He believes phishing will continue to be the primary method to deliver malware of all types.

Employee training won’t help with auto-executing cryptojacking from visiting legitimate web sites. “Training is less effective for cryptojacking because you can’t tell users which web sites not to go to,” says Vaystikh.

Install an ad-blocking or anti-cryptomining extension on web browsers: Since cryptojacking scripts are often delivered through web ads, installing an ad blocker can be an effective means of stopping them. Some ad blockers like Ad Blocker Plus have some capability to detect cryptomining scripts. Laliberte recommends extensions like No Coin and MinerBlock, which are designed to detect and block cryptomining scripts.

Use endpoint protection that is capable of detecting known crypto miners. Many of the endpoint protection/antivirus software vendors have added crypto miner detection to their products. “Antivirus is one of the good things to have on endpoints to try to protect against cryptomining. If it’s known, there’s a good chance it will be detected,” says Farral. Just be aware, he adds, that crypto minor authors are constantly changing their techniques to avoid detection at the endpoint.

Keep your web filtering tools up to date: If you identify a web page that is delivering cryptojacking scripts, make sure your users are blocked from accessing it again.

Maintain browser extensions. Some attackers are using malicious browser extensions or poisoning legitimate extensions to execute cryptomining scripts.

Use a mobile device management (MDM) solution to better control what is on users’ devices:  Bring-your-own-device (BYOD) policies present a challenge to preventing illicit cryptomining. “MDM can go a long way to keep BYOD safer,” says Laliberte. An MDM solution can help manage apps and extensions on users’ devices. MDM solutions tend to be geared toward larger enterprises, and smaller companies often can’t afford them. However, Laliberte notes that mobile devices are not as at risk as desktop computers and servers. Because they tend to have less processing power, they are not as lucrative for the hackers.

None of the above best practices are fool proof. In recognition of that, and the growing prevalence of cryptojacking, cyber risk solution provider Coalition now offers service fraud insurance coverage. According to a press release, it will reimburse organisations for and direct financial losses due to fraudulent use of business services, including cryptomining.  

How to detect cryptojacking

Like ransomware, cryptojacking can affect your organisation despite your best efforts to stop it. Detecting it can be difficult, especially if only a few systems are compromised. Don’t count on your existing endpoint protection tools to stop cryptojacking. “Cryptomining code can hide from signature-based detection tools,” says Laliberte. “Desktop antivirus tools won’t see them.” Here’s what will work:

Train your help desk to look for signs of cryptomining: Sometimes the first indication is a spike in help desk complaints about slow computer performance, says SecBI’s Vaystikh. That should raise a red flag to investigate further.

Other signals help desk should look for might be overheating systems, which could cause CPU or cooling fan failures, says Laliberte. “Heat [from excessive CPU usage] causes damage and can reduce the lifecycle of devices,” he says. This is especially true of thin mobile devices like tablets and smartphones.

Deploy a network monitoring solution: Vaystikh believes cryptojacking is easier to detect in a corporate network than it is at home because most consumer end-point solutions do not detect it. Cryptojacking is easy to detect via network monitoring solutions, and most corporate organisations have network monitoring tools.

However, few organisations with network motoring tools and data have the tools and capabilities to analyse that information for accurate detection. SecBI, for example, develops an artificial intelligence solution to analyse network data and detect cryptojacking and other specific threats.

Laliberte agrees that network monitoring is your best bet to detect cryptomining activity. “Network perimeter monitoring that reviews all web traffic has a better chance of detecting cryptominers,” he says. Many monitoring solutions drill down that activity to individual users so you can identify which devices are affected.

“If you have good egress filtering on a server where you’re watching for outbound connection initiation, that can be good detection for [cryptomining malware],” says Farral. He warns, though, that cryptominer authors are capable of writing their malware to avoid that detection method.

Monitor your own web sites for crypto-mining code: Farral warns that crypto jackers are finding ways to place bits of Javascript code on web servers. “The server itself isn’t the target, but anyone visiting the web site itself [risks infection],” he says. He recommends regularly monitoring for file changes on the web server or changes to the pages themselves.

Stay abreast of crypto jacking trends: Delivery methods and the crypto-mining code itself are constantly evolving. Understanding the software and behaviors can help you detect crypto jacking, says Farral. “A savvy organisation is going to stay abreast of what’s happening. If you understand the delivery mechanisms for these types of things, you know this particular exploit kit is delivering crypto stuff. Protections against the exploit kit will be protections against being infected by the cryptomining malware,” he says. 

How to respond to a cryptojacking attack

Kill and block web site-delivered scripts: For in-browser JavaScript attacks, the solution is simple once cryptomining is detected: Kill the browser tab running the script. IT should note the web site URL that’s the source of the script and update the company’s web filters to block it. Consider deploying anti-cryptomining tools to help prevent future attacks.

Update and purge browser extensions: “If an extension infected the browser, closing the tab won’t help,” says Laliberte. “Update all the extensions and remove those not needed or that are infected.”

Learn and adapt: Use the experience to better understand how the attacker was able to compromise your systems. Update your user, helpdesk and IT training so they are better able to identify cryptojacking attempts and respond accordingly.

Nadeau is a senior editor with CSO Online

Read More:

Back to Top ↑