What is Cryptocurrency Mining Malware?

A cryptocurrency is a form of digital currency stored on decentralized networks. These decentralized networks are called blockchains, consisting of many systems called nodes.

Blockchains are decentralized networks in which no single authority controls the system, where the system belongs to the people. Since a single authority does not control the system, blockchains are immune to government affiliation or manipulation from an outside source.

New cryptocurrencies are created through mining, a computationally-expensive process requiring resources such as high-end processors or graphic cards and high amounts of electricity.

Crypto in Cybersecurity Sector

Since its debut in 2009 with Bitcoin, cryptocurrencies have been actively seen in the cybersecurity sector with different purposes and use cases. Threat actors have consistently been using cryptocurrencies for black market deals on the Dark Web as a payment method. In addition, payments in ransomware attacks are demanded in cryptocurrencies.

Monero, a cryptocurrency known for its privacy capabilities, comes into play at this stage. The coin is much harder to trace, making it ideal for hiding the malicious transactions and cash out from what they hacked. Monero crypto-mining attacks are pretty standard.

In June 2021, researchers revealed that 222 thousand computers had been infected by Crackonosh malware designed to mine Monero coin – XMR.

Cryptocurrency Mining Malware and Possible Infection Vectors

Since mining is expensive, threat actors have found a way to exploit their victims and mine cryptocurrency using the victim’s system. In this case, victims’ resources are spent in mining, but the mined cryptocurrency goes to the threat actors. This process is called crypto-jacking, and it has detrimental consequences for the victim. Some possible outcomes include financial losses and wear and tear of electronic devices. In addition, the crypto mining malware can affect the security and the performance of the victim’s system.

Steps of crypto-jacking (Source: European Union Agency for Cybersecurity)

Threat actors want to earn as much money as possible through crypto-jacking, and having a considerable number of victims is much more profitable. To gain more profit, threat actors choose to create botnets, networks consisting of enslaved computers programmed to mine crypto. As a result, more and more devices end up being exploited.

Cryptocurrency mining malware implement similar infection vectors to botnets, some of which are

Malicious spam e-mail attachments or links
SMS spams
Malvertising (malware advertising)
Phishing

And last but not least, the newly-discovered remote code execution Log4J exploit.

Log4J: A possible attack vector for Cryptocurrency mining malware

The threat actors have been using the recently discovered zero-day exploit CVE-2021-44228, popularly known as the Apache Log4j RCE vulnerability, as an infection vector to access systems and install crypto-mining malware. The latest Apache Log4j patches are strongly suggested to be installed to prevent hackers from accessing your system.

Cryptocurrency mining malware infected over half-million PCs using NSA Exploit during just in 2017 (Source: The Hacker News)

Mitigations

To protect your organization from crypto-mining malware, Analysts at SOCRadar suggest you to

Monitor the performance of your system regularly and inform anomalies.
Train and educate your employees against socially-constructed attacks such as malicious e-mail attachments and sketchy links.
Periodically update your third-party applications to nullify possible attack vectors.
Regularly scan your system to detect malware.
Have a security solution like a firewall to prevent threat actors from accessing your internet-exposed systems.