Introduction
Cybercriminals tend to favor cryptocurrencies because they offer a degree of anonymity and can be monetized quickly. In recent years this interest has gone beyond using cryptocurrency simply to pay for illicit tools and services. Many actors have also tried to profit from the growing popularity of cryptocurrencies, and the rise in their prices that followed, by running operations aimed directly at them. These operations include unauthorized cryptocurrency mining (also called cryptojacking), theft of credentials for cryptocurrency wallets, extortion, and attacks on cryptocurrency exchanges.
FireEye has observed several trends related to cryptojacking, including the addition of cryptocurrency mining modules to popular malware families, an increase in mining campaigns, mobile applications that carry cryptojacking code, the threat such mining poses to critical infrastructure, and a variety of distribution mechanisms.
Interest in underground communities
FireEye iSIGHT Intelligence has tracked cybercriminals' interest in topics related to cryptocurrency mining in underground communities since at least 2009. Keywords that returned significant volumes included miner, cryptonight, stratum, xmrig and cpuminer. Although keyword searches alone provide little context, the frequency of these mining-related terms shows a sharp increase in discussion in early 2017. It is likely that at least some actors prefer cryptojacking because it attracts less attention from law enforcement than other forms of fraud or theft.
Monero is king
Most recent cryptojacking operations have focused overwhelmingly on mining Monero, an open source cryptocurrency based on the CryptoNote protocol and forked from Bytecoin. Unlike many cryptocurrencies, Monero uses ring signatures, which mix the output being spent with decoy outputs belonging to other users, so an observer cannot tell which member of the ring actually signed the transaction. Monero also uses stealth addresses, a scheme that generates a unique one-time address for each payment; the address can be associated only with the recipient and cannot feasibly be recovered through blockchain analysis. Together these features are designed to make Monero transactions unlinkable while remaining cryptographically secure.
Monero's blockchain also uses a memory-hard cryptographic hash algorithm called CryptoNight which, unlike Bitcoin's SHA-256, is designed to resist mining with application-specific integrated circuits (ASICs). This property matters to Monero's developers because it keeps CPU mining feasible and profitable. ASIC resistance is a design goal rather than a guarantee: Monero has changed its proof-of-work algorithm when ASICs appeared in order to preserve it. Because of these inherent privacy-focused characteristics and the profitability of CPU mining, Monero has become an attractive option for cybercriminals.
Underground advertisements for mining utilities
Because most mining utilities are small open source tools, many criminals rely on crypters: tools that apply encryption, obfuscation and code-manipulation techniques to make tools and malware fully undetectable (FUD) by antivirus products.
FireEye has identified several advertisements on underground forums and markets for tools commonly used in mining operations. These range from mining-only utilities to utilities bundled with additional features such as credential harvesters, remote administration tools (RATs), USB propagation capabilities and distributed denial of service (DDoS).
The cost of cryptojacking
The presence of mining software on a network can generate costs on three fronts, because the software surreptitiously consumes resources:
Impairment of system performance
Increase in electricity costs
Potential exposure to security holes
Cryptojacking (the unauthorized use of a device to mine cryptocurrency) abuses the processing capacity of computers, which can lead to heavy CPU load and performance degradation. In extreme cases, CPU overload can even cause the operating system to crash. Infected machines may also attempt to infect nearby computers, generating a large volume of traffic that can overload the victim's network.
In operational technology (OT) networks the consequences can be serious. SCADA environments and industrial control systems (ICS) mostly rely on decades-old hardware and low-bandwidth networks, so even a slight increase in CPU or network load could leave industrial infrastructure unresponsive and prevent operators from interacting with control processes in real time.
The electricity cost, measured in kilowatt-hours (kWh), depends on several factors: how often the malicious mining software is configured to run, how many threads it uses while running, and the number of machines mining on the victim's network. The price per kilowatt-hour varies widely with geographic location. For example, security researchers who ran Coinhive on one machine for 24 hours found that power consumption was 1.212 kWh. Extrapolating that figure to a month, they estimated electricity costs for that single machine of US $10.50 in the United States, US $5.45 in Singapore and US $12.30 in Germany.
Cryptojacking can also expose security gaps that have been overlooked on a company's network. An organization infected with mining malware is likely to be vulnerable to more serious attacks as well, from ransomware to malware built specifically for industrial control systems (ICS), such as TRITON.
Cryptocurrency mining malware distribution techniques
To maximize their profits, cybercriminals disseminate their mining malware widely using a range of techniques: incorporating cryptojacking modules into existing botnets, drive-by cryptomining, mobile applications that contain cryptojacking code, and distribution of cryptojacking tools through spam and self-propagation utilities. Threat actors use cryptojacking to affect large numbers of devices and covertly harvest their computing power. Among the devices FireEye has observed being targeted by these cryptojacking schemes are:
User endpoints
Corporate servers
Websites
Mobile devices
Industrial control systems
The main distribution techniques for cryptocurrency mining are:
Cloud cryptojacking. Several operations targeting cloud infrastructure specifically have been observed recently. Cloud environments will be an increasingly attractive target for cryptojacking because they offer threat actors high computing power in an environment where heavy CPU usage and high electricity bills are already expected, allowing the operation to go unnoticed for longer.
Incorporating cryptojacking into existing botnets. FireEye iSIGHT Intelligence has observed numerous prominent botnets such as Dridex and Trickbot adding cryptocurrency mining to their existing operations. Many of these families are modular and can download and execute files remotely. Although these operations have traditionally focused on credential theft, adding a mining module creates another revenue stream with little effort.
Browser-based cryptojacking. FireEye iSIGHT Intelligence has examined several customer reports of browser-based cryptocurrency mining. It has seen mining scripts on compromised websites, on third-party advertising platforms and on sites that placed them legitimately. Although mining scripts can be embedded directly in a website's source code, they are more often loaded from third-party sites. Identifying websites with embedded mining code can be difficult, because not every mining script is authorized by the site's owner, as in the case of a compromised website. Moreover, even where the site owner authorized the script, that fact is not always clearly communicated to visitors. At the time of writing, the most widely deployed script is Coinhive, a JavaScript mining library that, once loaded into a page, mines Monero with the CPU of the site's visitors while they browse, without their knowledge.
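As an added illustration (this is not FireEye's tooling or code from the original post), the following Python scanner applies the static check a defender would run against page source: it pulls every script element out of an HTML document and flags remote loads from known mining-service hostnames and inline code that instantiates a miner. The hostname list and the inline patterns are example indicators chosen for this illustration, and the sample pages are constructed rather than captured from real sites.

```python
"""Static scan of HTML for browser-mining scripts (added example, not
FireEye's code). The indicator lists below are assumptions for the illustration."""
import re
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Hostnames of hosted mining services named in the text. Assumed indicators:
# a self-hosted or proxied copy of the script will not match this list.
MINER_HOSTS = {"coinhive.com", "crypto-loot.com"}

# Inline code patterns: miner constructors and pool-protocol strings.
INLINE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bCoinHive\.(?:Anonymous|User)\b",
    r"\bCryptoLoot\.Anonymous\b",
    r"cryptonight",
    r"stratum\+tcp://",
)]


class _ScriptCollector(HTMLParser):
    """Collect script src attributes and inline script bodies from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []
        self.inline: List[str] = []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def scan_html(page: str) -> List[str]:
    """Return one finding string per matched indicator; an empty list means clean."""
    parser = _ScriptCollector()
    parser.feed(page)
    parser.close()
    findings = []
    for src in parser.srcs:
        host = (urlparse(src).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in MINER_HOSTS):
            findings.append("remote miner script: " + src)
    for body in parser.inline:
        for pat in INLINE_PATTERNS:
            if pat.search(body):
                findings.append("inline miner indicator: " + pat.pattern)
                break  # one finding per script block is enough
    return findings


# Constructed sample pages (not captured from any real site). The site keys
# are placeholders.
SAMPLE_PAGES = {
    "compromised": """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLE_SITE_KEY', {throttle: 0.3});
  miner.start();
</script></head><body>Welcome</body></html>""",
    "self_hosted": """<html><head>
<script src="/static/js/analytics.js"></script>
<script>var m = new CryptoLoot.Anonymous('EXAMPLE_KEY'); m.start();</script>
</head><body>News</body></html>""",
    "benign": """<html><head>
<script src="https://cdn.example.com/jquery.min.js"></script>
<script>document.addEventListener('DOMContentLoaded', function () {});</script>
</head><body>Hello</body></html>""",
}


def scan_samples() -> dict:
    """Run the scanner over every constructed page and return the findings."""
    return {name: scan_html(page) for name, page in SAMPLE_PAGES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or ["clean"])
```

The compromised sample is flagged twice (the remote load and the inline start call); the self-hosted sample is caught only by the inline pattern, because its script is served from the site's own path and never touches a listed hostname. A miner served from attacker-controlled infrastructure with renamed identifiers would match neither list, which is why host and file indicators need to be backed by checks on the miner's network behaviour.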
Malvertising and exploit kits. Malvertising (malicious advertisements on legitimate websites) typically redirects a site's visitors to an exploit kit landing page. These pages are designed to scan the visitor's system for vulnerabilities, exploit them, and download and execute malicious code on the system. Notably, because the malicious ads are placed on legitimate sites, visitors can be infected with little or no interaction on their part. Threat actors commonly use this tactic to spread malware widely, and it has been used in several cryptocurrency mining operations.
Mobile cryptojacking. In addition to targeting enterprise servers and user computers, threat actors have targeted mobile devices in their cryptojacking operations. This technique is less common, probably because of the limited processing power mobile devices offer, but it is still a threat, since sustained power draw can damage devices and drastically shorten battery life. Threat actors have been observed targeting mobile devices by placing malicious cryptojacking applications in popular app stores and through browser malvertising campaigns that single out mobile browsers.
Spam campaigns. FireEye iSIGHT Intelligence has detected several mining malware campaigns distributed through spam, a widely used tactic for spreading malware indiscriminately. We expect malicious actors to keep using this method to disseminate cryptojacking code as long as cryptocurrency mining remains profitable.
Worms. After the WannaCry attacks, actors increasingly incorporated self-propagation features into their malware. Self-propagation techniques observed include copying to removable drives, brute-forcing SSH logins and use of the leaked NSA EternalBlue exploit. Cryptocurrency mining operations benefit greatly from this functionality, since wider distribution of the malware multiplies the CPU resources available for mining. We therefore expect more actors to develop this capability.
Detection avoidance. Another notable trend is the use of proxies to avoid detection. Mining proxies are attractive to cybercriminals because they let them avoid the commissions or developer fees of 30 percent or more charged by hosted services. By avoiding common cryptojacking services such as Coinhive, Crypto-Loot and deepMiner and instead hosting the cryptojacking script on infrastructure the threat actor controls, they bypass many of the most common countermeasures, which rely on blocklists of domains or files. Beyond proxies, actors can also stand up their own self-hosted mining applications, either on private servers or on cloud servers that support Node.js. The combination of proxies and mining malware hosted on attacker-controlled cloud infrastructure presents a significant obstacle for defenders, since both make cryptojacking operations harder to detect and to block.
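The domain and file blocklists described above fail once the script and the pool connection move to attacker infrastructure, so a complementary check keys on the mining protocol itself. The following Python detector is an added example, not FireEye's code: it classifies captured JSON messages by the field names of the Stratum dialect used by CryptoNight/Monero miners (login, job, submit) and flags a connection as mining regardless of the hostname it talks to. It assumes the message shapes used by xmrig-style miners and pools; the sample sessions are constructed, and the wallet, blob, job and nonce values are placeholders.

```python
"""Protocol-level detection of Stratum-style mining traffic (added example,
not FireEye's code). Assumes the JSON-RPC message shapes used by xmrig-style
CryptoNight miners; other miners may use different field names."""
import json
from typing import Optional

# Field sets that characterise each message type of the CryptoNight Stratum
# dialect. They identify the protocol no matter which host carries it.
LOGIN_FIELDS = {"login", "pass", "agent"}
JOB_FIELDS = {"blob", "job_id", "target"}
SUBMIT_FIELDS = {"job_id", "nonce", "result"}


def classify_message(raw: str) -> Optional[str]:
    """Return 'login', 'job' or 'submit' for a Stratum message, else None."""
    try:
        msg = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    params = msg.get("params") if isinstance(msg.get("params"), dict) else {}
    result = msg.get("result") if isinstance(msg.get("result"), dict) else {}
    if method == "login" and LOGIN_FIELDS.issubset(params):
        return "login"
    if method == "submit" and SUBMIT_FIELDS.issubset(params):
        return "submit"
    # A job arrives either inside the login response or as a pushed "job" method.
    job = result.get("job") if "job" in result else (params if method == "job" else None)
    if isinstance(job, dict) and JOB_FIELDS.issubset(job):
        return "job"
    return None


def detect_mining_session(lines) -> dict:
    """Count Stratum message types on one connection and decide whether it mines."""
    counts = {"login": 0, "job": 0, "submit": 0}
    for line in lines:
        label = classify_message(line)
        if label:
            counts[label] += 1
    # A login followed by work (a job or a share submission) is the mining handshake.
    counts["is_mining"] = counts["login"] > 0 and (counts["job"] > 0 or counts["submit"] > 0)
    return counts


# Constructed capture of a proxied miner talking to attacker infrastructure at
# an arbitrary hostname. Wallet, blob, target and nonce values are placeholders.
MINER_SESSION = [
    '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4AexampleWalletAddress","pass":"x","agent":"xmrig/2.6"}}',
    '{"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"s1","job":{"blob":"0707...","job_id":"j1","target":"b88d0600"},"status":"OK"}}',
    '{"jsonrpc":"2.0","method":"job","params":{"blob":"0707...","job_id":"j2","target":"b88d0600"}}',
    '{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"s1","job_id":"j2","nonce":"1a2b3c4d","result":"00ab..."}}',
]

# Constructed non-mining traffic that also uses a JSON "login" method.
CHAT_SESSION = [
    '{"id":1,"jsonrpc":"2.0","method":"login","params":{"user":"alice","token":"..."}}',
    '{"type":"message","text":"hello"}',
    'not json at all',
]


if __name__ == "__main__":
    for name, session in (("miner", MINER_SESSION), ("chat", CHAT_SESSION)):
        print(name, detect_mining_session(session))
```

Because the rule keys on the protocol shape rather than on a hostname, moving the script or the proxy to fresh infrastructure does not evade it. Two caveats apply in practice: when the miner tunnels Stratum over TLS or a WebSocket on 443, the messages are only visible at the endpoint or at a TLS-inspecting proxy, and a mining service that uses its own framing (Coinhive's WebSocket protocol differs from the xmrig dialect assumed here) needs its own field rules.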
Outlook
Underground communities and markets have shown significant interest in cryptojacking, and security researchers have observed and reported numerous campaigns. All of this points to a continued upward trend in threat actors conducting cryptocurrency mining operations, which FireEye expects to remain a point of interest throughout 2018. Notably, malicious cryptocurrency mining may be seen as preferable because of the perception that it draws less attention from law enforcement than other forms of fraud or theft. In addition, victims may not realize their computer is infected beyond noticing a drop in system performance.
Because of its inherent privacy-focused features and the profitability of CPU mining, Monero has become the cryptocurrency most attractive to cybercriminals. FireEye assesses that it will remain the cryptocurrency preferred by threat actors as long as Monero's blockchain keeps its privacy-centered design and remains ASIC-resistant. Should Monero's protocol weaken its security and privacy characteristics in the future, we assess with high confidence that threat actors would switch to another privacy-focused coin.
Because of the anonymity associated with Monero and its wallets, and the availability of numerous exchanges and tumblers, attributing malicious cryptocurrency mining will remain very difficult for the authorities, and the actors behind such operations will usually go unidentified. Threat actors will undoubtedly keep showing strong interest in malicious cryptojacking as long as it remains profitable and a relatively low-risk activity.