Recent campaigns show that cryptojacking remains a point of interest for cybercriminals, despite its popularity waning after crackdowns by law enforcement, fluctuating cryptocurrency values and the shutdown of Coinhive.
This week, Microsoft researchers said threat actors have been launching brute force credential attacks on misconfigured, internet-facing Linux and Internet of Things (IoT) devices in order to take control of the devices and install malware for mining cryptocurrency. And in May, Fortinet researchers found that threat actors were venturing into cryptojacking by deploying a RapperBot variant with cryptominer capabilities.
“Cryptojacking, the illicit use of computing resources to mine cryptocurrency, has become increasingly prevalent in recent years, with attackers building a cybercriminal economy around attack tools, infrastructure, and services to generate revenue from targeting a wide range of vulnerable systems, including Internet of Things (IoT) devices,” according to Microsoft researchers in a Thursday analysis.
Cryptojacking involves malware installed on devices, or small bits of code injected into browsers, that surreptitiously steal computer processing resources to mine cryptocurrency. This attack does not damage computers or victims’ data, though targets might notice lagging performance.
While cryptojackers were once more prevalent - think back to attacks against a Los Angeles Times webpage, for instance - several factors have dampened their popularity. The 2019 shutdown of Coinhive, which offered a Monero JavaScript miner that was widely abused by cybercriminals, has had one of the biggest effects. The fluctuating value of cryptocurrencies like Bitcoin or Ethereum has also raised and lowered cybercriminals' level of interest over time.
Aamir Lakhani, cybersecurity researcher and practitioner with Fortinet’s FortiGuard Labs, said that when it comes to cryptojacking, “there’s absolutely still money to be made, but it’s slower than other methods.” Now, he said attackers are refocusing their efforts away from PCs - which can block simple cryptojacking attacks through basic browser security extensions and security software - to target IoT devices, such as home routers, cameras and smart speakers.
“When attackers find large enough targets like IoT devices, cameras, and other (non-PC) devices, they will look for vulnerabilities they can use to start cryptojacking,” said Lakhani. “It is perfect for them because the devices continue to function and in the background they are mining. For example, if you have a camera, as long as you connect and see the camera is working, you’re not going to think anything of it and an attacker [can] continue cryptojacking uninterrupted.”
Microsoft researchers have also observed a similar shift in cryptojacking campaigns where cybercriminals move away from injecting malicious code into the browser and instead abuse legitimate binaries on victims’ machines in an effort to stay persistent. In August 2022, Microsoft said it has seen more than 500,000 machines with malicious cryptojackers on them.
In this more recent campaign tracked this week by Microsoft, attackers went to various lengths to both avoid detection and analysis, using a modified version of OpenSSH in order to gain persistent access to impacted devices and the passwords and keys of their SSH connections.
After initial compromise, the attackers retrieved a trojanized OpenSSH archive from a remote server, containing OpenSSH source code along with malicious files. These malicious files included a shell script (inst.sh) that deployed a backdoor shell script, which then allowed threat actors to launch further attacks and deploy additional tools on the system. This backdoor leveraged several methods for avoiding detection, including testing whether the device was a honeypot and using several open-source rootkits - including ones available on GitHub like Diamorphine and Reptile - to hide its processes. It also removed relevant records from Apache, nginx, httpd and system logs in order to disguise its activity.
Another malicious file retrieved from the trojanized OpenSSH archive was the shell script vars.sh, which contained embedded files for the backdoor's operation. Among these was a patch file (ss.patch) that was applied to the OpenSSH source code with the Linux patch utility; the modified OpenSSH was then built and installed on the device.
“The modified version of OpenSSH mimics the appearance and behavior of a legitimate OpenSSH server and may thus pose a greater challenge for detection than other malicious files,” according to Microsoft researchers on Thursday. “The patched OpenSSH could also enable the threat actors to access and compromise additional devices. This type of attack demonstrates the techniques and persistence of adversaries who seek to infiltrate and control exposed devices.”
The backdoor ultimately eliminated any competition from other miners on the targeted device, through hoarding device resources, blocking off the device’s communication with a hardcoded list of cryptomining-related hosts and IPs, and preventing access to various miner processes and files.
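Because the patched OpenSSH is built from source and installed over the distribution's own binaries, one of the simplest defender checks is to ask the package manager whether the sshd files on disk still match the digests recorded at install time. The following is an added example, not code from Microsoft's analysis or from the OpenSSH project: it parses the line format printed by `rpm -V openssh-server` and `dpkg --verify openssh-server` and flags OpenSSH binaries whose digest or size has changed. The sample output lines, the `SSH_BINARY_PREFIXES` list (typical Debian and RHEL install paths) and the package name `openssh-server` are assumptions for the example; a rootkit that tampers with the package database itself would defeat this check, which is why the page notes that a patched server is harder to detect than a dropped file.

```python
"""Flag OpenSSH binaries that no longer match their package digests.

Parses the per-file verification lines emitted by `rpm -V <pkg>` and
`dpkg --verify <pkg>`.  Each line is nine attribute flags (rpm uses
S M 5 D L U G T P, dpkg prints '?' for checks it does not perform),
optional whitespace, an optional one-letter file type (e.g. 'c' for a
config file), and the path.  rpm also prints "missing   /path" lines.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass

# Assumed install locations of the OpenSSH executables on Debian/RHEL layouts.
SSH_BINARY_PREFIXES = (
    "/usr/sbin/sshd",
    "/usr/bin/ssh",
    "/usr/lib/openssh/",
    "/usr/libexec/openssh/",
)

_VERIFY_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:[a-z]\s+)?(?P<path>/\S+)$"
)
_MISSING_LINE = re.compile(r"^missing\s+(?:[a-z]\s+)?(?P<path>/\S+)$")


@dataclass
class VerifyResult:
    path: str
    flags: str            # raw attribute column, or "missing"
    digest_changed: bool  # '5' flag: file contents differ from the package
    size_changed: bool    # 'S' flag (rpm only)
    missing: bool


def parse_verify_output(text: str) -> list[VerifyResult]:
    """Turn rpm/dpkg verification output into structured results."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _MISSING_LINE.match(line)
        if m:
            results.append(VerifyResult(m["path"], "missing", False, False, True))
            continue
        m = _VERIFY_LINE.match(line)
        if m:
            flags = m["flags"]
            results.append(VerifyResult(
                m["path"], flags, "5" in flags, "S" in flags, False))
    return results


def modified_ssh_files(results: list[VerifyResult]) -> list[str]:
    """Paths of OpenSSH executables whose contents differ or are missing.

    Config files under /etc/ssh are deliberately left out: local edits to
    sshd_config are routine and would drown the signal.
    """
    return [
        r.path for r in results
        if r.path.startswith(SSH_BINARY_PREFIXES)
        and (r.digest_changed or r.size_changed or r.missing)
    ]


def check_installed_package(package: str = "openssh-server") -> list[str]:
    """Run the host's package manager and return flagged OpenSSH files."""
    if shutil.which("rpm"):
        cmd = ["rpm", "-V", package]
    elif shutil.which("dpkg"):
        cmd = ["dpkg", "--verify", package]
    else:
        raise RuntimeError("neither rpm nor dpkg found")
    # Both tools exit non-zero when any file differs, so do not use check=True.
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return modified_ssh_files(parse_verify_output(proc.stdout))


# Constructed sample output, not captured from a real host.
SAMPLE_RPM = """\
S.5....T.    /usr/sbin/sshd
.......T.    /usr/libexec/openssh/sftp-server
S.5....T.  c /etc/ssh/sshd_config
missing      /usr/libexec/openssh/ssh-keysign
"""
SAMPLE_DPKG = """\
??5?????? c /etc/ssh/sshd_config
??5??????   /usr/sbin/sshd
"""

if __name__ == "__main__":
    for name, sample in (("rpm", SAMPLE_RPM), ("dpkg", SAMPLE_DPKG)):
        print(name, "flagged:", modified_ssh_files(parse_verify_output(sample)))
```

In the rpm sample only the digest-changed sshd and the missing ssh-keysign helper are reported; sftp-server shows just a timestamp change and sshd_config is excluded as a config file. On a live host, `check_installed_package()` runs the appropriate tool and applies the same filter.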
In a separate campaign observed in May by Fortinet researchers, threat actors were deploying RapperBot samples that had been updated to add cryptomining capabilities. The RapperBot malware targeted x64 machines and then used a configuration built into the binary in order to decode mining pools and Monero wallet addresses, starting the embedded miner and killing off other miners on the targeted device.
Though these attacks show that cryptojacking is still alive and well, Lakhani said that it continues to have its limitations and that cybercriminals are showing interest in other, more profitable methods.
“It’s a slow process and does not pay out immediately,” Lakhani said. “I think attackers are just shifting towards ransomware, crime-as-a-service and other models that have a more immediate payout."