Cryptocurrency-mining malware: Why it is such a menace and where it’s going next

Crypto-jacking is proving increasingly lucrative for cyber-attackers, and we're only at the beginning of this form of cyber crime -- here's how it has come to pose the threat it does and where it could go next.

Crypto-currency mining is increasingly lucrative for attackers. Image: iStock

Cyber-crooks are always looking for new means of making money and, for much of the last two years, ransomware was the cyber-attack of choice for those looking to quickly make money.

Recently, however, attackers have been leaving ransomware behind and are increasingly embracing a new form of making money from the internet: cryptocurrency mining.

Like many others, cybercriminals have recognized the potential riches that could await using the processing power of computers to mine for cryptocurrencies such as bitcoin and Monero, especially following the bitcoin boom of late last year.

However, rather than spending money on specialist systems to legitimately mine cryptocurrency, criminals are turning to crypto-jacking malware to do the work for them.

The idea is simple: unwitting victims have their computer or smartphone infected with malware, which uses the CPU power of the device to mine currency, with the profits being directed back into the wallet of the attacker.

Aside from heavy use of the PC fan and driving up the energy cost of running the computer, crypto-jacking doesn't make itself obvious if it's not pushed too far, as the average victim isn't likely to worry much about their computer being a bit noisier than usual.

"Criminals act like a business. They'll have a business model for making as much money as they can with as little risk as possible -- and cryptocurrency mining represents a good return on investment and a low risk way of doing it," Mike McLellan, senior security researcher at the SecureWorks Counter Threat Unit, told ZDNet.

Because crypto-jacking doesn't require interaction with victims the way ransomware does, it offers the crooks a number of benefits: the user is left unaware their machine is infected, so rather than yielding payment in one quick hit like ransomware, the operation can be sustained for a long period of time.

It also doesn't matter where in the world the victim is, allowing attackers to profit from virtually anyone -- opening additional markets of potential targets and fueling the move towards cryptojacking.

"With a ransomware infection you might get a big pay off, but if you infect a computer in Africa, it's very unlikely you're actually going to get a payout from that. In areas of the world where people are less likely to pay ransoms, you might have just ignored those even though they're ripe for infection," Ryan Olson, intelligence director of Unit 42 at Palo Alto Networks, told ZDNet.

"But with cryptocurrency mining, it's completely egalitarian: different systems perform differently at how they mine cryptocurrency, but they can all do it, so they're all equal targets. That's an important element of why we're seeing this transition."

Cryptojacking is also increasingly attractive to attackers as, not only does it funnel funds directly into the wallets of attackers without the need to interact with the victims, but the anonymous nature of cryptocurrency means that, unlike some other forms of cybercrime, there's no need for elaborate systems to hide or launder the profits.

"Even when you think of the ease of stealing banking credentials, when you're dealing with regulated currencies, there are a lot of frameworks you have to work around to get it back into their pockets without it being easily traceable," Randi Eitzman, senior cyber security analyst at FireEye, told ZDNet.

"Cryptocurrencies offer that advantage to criminals. They don't have to have the system of money mules to launder the currencies. It's just running code on a remote machine and collecting profits," she added.

While the initial profits from cryptocurrency mining aren't as immediate as ransomware or selling stolen credentials, some of those who've focused heavily on this space have made millions of dollars in the last year alone.

The code behind cryptojacking malware is relatively simple and it can be delivered via phishing campaigns, malvertising, compromised websites, or even software downloads. Once on a system, the game is all about not getting caught.

While some attackers have been known to brazenly spin up CPUs to one hundred percent capacity, those campaigns don't last long because they can cause irreversible damage to the device -- and a broken system doesn't provide any benefit to malicious miners.

It's why those with serious networks of hijacked machines configure the miner's load per system: they push the CPU hard enough that, over time, the machine yields a decent profit, but not so hard that the operation is uncovered.

"It's a numbers game: infect as many computers as you can, then keep them infected. You might think just make it 100 percent all of the time and that's what a lot of attackers do, because they think they'll earn the most money that way," said Olson.

"But if you use 100 percent of the CPU, the user is more likely to notice it's slow and make choices which lose you the mining device. There are choices attackers need to make to make the most money over time -- they've got to think about the most bang for their buck."
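The throttling trade-off described above is also what a defender can key on: a miner that stays under the user's notice still runs continuously, so sustained load over a long window is more telling than any single CPU spike. The following detector is an added example, not code from the article or from any of the vendors quoted; the per-process telemetry and process names are constructed, and the thresholds are assumptions to be tuned per fleet.

```python
from statistics import mean

# Constructed telemetry: twelve one-minute ticks of per-process CPU percent.
# "updater.exe" stands in for a throttled miner (steady ~35%, never idle),
# "pegged.bin" for a greedy one at 100%, "browser" for bursty interactive
# load, and "svchost" for a quiet background service.
TICKS = [
    {"browser": 90, "updater.exe": 36, "pegged.bin": 100, "svchost": 2},
    {"browser": 5,  "updater.exe": 34, "pegged.bin": 100, "svchost": 1},
    {"browser": 70, "updater.exe": 35, "pegged.bin": 100, "svchost": 3},
    {"browser": 3,  "updater.exe": 37, "pegged.bin": 100, "svchost": 1},
    {"browser": 0,  "updater.exe": 33, "pegged.bin": 100, "svchost": 0},
    {"browser": 60, "updater.exe": 36, "pegged.bin": 100, "svchost": 2},
    {"browser": 2,  "updater.exe": 35, "pegged.bin": 100, "svchost": 1},
    {"browser": 80, "updater.exe": 34, "pegged.bin": 100, "svchost": 4},
    {"browser": 4,  "updater.exe": 36, "pegged.bin": 100, "svchost": 1},
    {"browser": 0,  "updater.exe": 35, "pegged.bin": 100, "svchost": 0},
    {"browser": 55, "updater.exe": 34, "pegged.bin": 100, "svchost": 2},
    {"browser": 1,  "updater.exe": 35, "pegged.bin": 100, "svchost": 1},
]


def profile(ticks, floor=20.0, ratio=0.9, pegged_at=95.0):
    """Flag processes busy above `floor` in at least `ratio` of the ticks.

    Returns {process: (label, mean_cpu, busy_fraction)} where label is
    "pegged" for a process averaging >= pegged_at (the brazen 100% case)
    and "throttled" for one that is sustained but deliberately moderate.
    Bursty processes drop out because their busy fraction stays low.
    """
    procs = set().union(*ticks)
    flagged = {}
    for proc in sorted(procs):
        vals = [t.get(proc, 0.0) for t in ticks]
        busy = sum(v >= floor for v in vals) / len(vals)
        if busy < ratio:
            continue  # interactive or idle workload, not sustained load
        avg = mean(vals)
        label = "pegged" if avg >= pegged_at else "throttled"
        flagged[proc] = (label, round(avg, 1), round(busy, 2))
    return flagged


if __name__ == "__main__":
    for proc, (label, avg, busy) in profile(TICKS).items():
        print(f"{proc}: {label}, mean CPU {avg}%, busy {busy:.0%} of window")
```

On a real host the ticks would come from per-process CPU accounting over hours rather than minutes, and a sustained-but-moderate process that is not a known workload is the one worth a closer look.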
