
Here Come the Malicious Cryptominers

There is a hidden malware revolution going on under the covers of millions of browsers, one that feels both familiar and fresh.

Attackers have begun moving away from what has been their most reliable revenue generator in recent years, ransomware, and toward the green field of malicious cryptomining, a tactic that offers faster payouts for less work. Malicious cryptomining, sometimes known as cryptojacking, is a natural evolution of the cryptocurrency boom, and it represents a clear opportunity for cybercriminals who already have established infrastructure and decent skill sets.

At its core, malicious cryptomining is more closely related to malware such as info stealers or backdoors than it is to traditional ransomware. Although ransomware can produce huge payouts in some cases, say if a major enterprise or a large metropolitan government is infected, it’s a scattershot approach. Attackers either need to send out large numbers of phishing emails with infected attachments or rely on drive-by downloads to get their ransomware onto victims’ computers. Then, they have to wait and see which victims will pay the ransom and then find a way to launder those payments (usually in Bitcoin) into money that’s usable for them. It’s a laborious process and it carries plenty of risks, not the least of which is not getting paid at all.

Malicious cryptomining, on the other hand, only requires that the attacker get mining code running on the victim's machine, either as a binary dropped on the host or as JavaScript served by a web page the victim keeps open. After that, the miner works in the background and the attacker never has to interact with the victim at all. The two forms differ in persistence: a dropped miner keeps running after a reboot, whereas in-browser mining stops the moment the tab is closed, so it pays off mainly on high-traffic sites or pages people leave open for hours. If an attacker is able to infect enough machines, or serve enough page views, he can generate a significant amount of the chosen cryptocurrency with very little work. For cybercriminals, it's an easy decision: throw a bunch of ransomware against the wall and hope some of it sticks, or move to cryptomining and wait for the money to roll in.

“Advanced attack techniques used to deliver coin miners indicate cybercriminals are seeing a lot of potential to illicitly earn more money in coin mining than other threats like ransomware. We have seen a wide range of malicious cryptocurrency miners, some of them incorporating more sophisticated mechanisms to infect targets, including the use of exploits or self-distributing malware,” said Tanmay Ganacharya, principal group manager on the Windows Defender Research team at Microsoft.

“We have also observed that established malware families long associated with certain modus operandi, such as banking trojans, have started to include coin mining routines in recent variants. These developments indicate widespread cybercriminal interest in coin mining, with various attackers and cybercriminal groups launching attacks.”


The move to malicious cryptomining makes sense in many respects, especially for established cybercrime groups that already have the infrastructure in place to infect victims and handle the resulting payments. Switching from ransomware to cryptomining removes much of the burden of dealing with victims and negotiating payments, a process that can take days or weeks. Cryptojacking offers a simpler method for making money and a shorter wait for the payday.

“This is riding on the coattails of ransomware, but ransomware requires people to install it and then eventually pay. But monetizing cryptomining is easier because the mining goes on in the background,” said Paul Burbage, a senior malware researcher at Flashpoint.

“It’s a quicker return on investment. With ransomware the attackers have to worry about moving the coins around. Now, they’re generating a pretty solid anonymous cryptocurrency they can put right into their pockets.”

Much of the in-browser malicious cryptomining that's gone on so far, the last six months or so, has been focused on generating Monero. A newer entrant into the cryptocurrency realm, Monero offers a couple of advantages for attackers that Bitcoin can't match. Its proof-of-work algorithm was designed to run efficiently on ordinary CPUs and to resist purpose-built mining chips, so a browser tab or a commodity PC can still contribute a useful share of hash rate. Monero also offers relative anonymity for the senders and receivers in a given transaction. Mining Bitcoin in a browser is futile at this point, and even mining it on a powerful desktop isn't worthwhile: Bitcoin's SHA-256 mining is dominated by specialized ASIC hardware running in large pools, and the share of the reward a single CPU or GPU can earn against that competition is effectively nothing.

Monero, on the other hand, still can be mined in-browser and attackers are taking advantage of this, along with the simplicity of implementing a Monero miner in malware code, to cash in.

“You can implement a miner with one line of JavaScript. And Monero doesn’t have the same public ledger as Bitcoin, so you can’t see per-transaction information. But it also has better mining potential because you’re awarded coins based on the hash rate,” Burbage said. “Trying to mine Bitcoin in the browser doesn’t work.”
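Because an in-browser miner is just a script on a page, one practical defensive check is to look at what the page's scripts do rather than trust a domain blocklist. The following is an added example, not code from the article or from anyone quoted in it: a Node.js static scanner that scores a page's inline scripts against indicators typical of browser miners (WebAssembly hashing, one Web Worker per CPU core, a WebSocket to a pool proxy speaking a stratum-style JSON protocol, mining vocabulary). The indicator list, weights, threshold and the three sample pages are all constructed for this example; treat it as a heuristic to tune, not a signature set.

```javascript
'use strict';

// Indicator table. "capability" indicators are things a miner needs but that
// plenty of legitimate pages also use (WebAssembly, Workers, WebSockets);
// "intent" indicators point at pool traffic or mining vocabulary. Weights and
// the threshold are assumptions chosen for this example, not measured values.
const INDICATORS = [
  { name: 'wasm',         kind: 'capability', weight: 1,
    re: /WebAssembly\.(instantiate|Module|Instance)/ },
  { name: 'worker',       kind: 'capability', weight: 1,
    re: /new\s+Worker\s*\(/ },
  { name: 'core-count',   kind: 'capability', weight: 2,
    re: /navigator\.hardwareConcurrency/ },
  { name: 'websocket',    kind: 'capability', weight: 1,
    re: /new\s+WebSocket\s*\(/ },
  // Stratum-style pool messages: login/auth, then job, then submit.
  { name: 'stratum-msg',  kind: 'intent', weight: 3,
    re: /\b(type|method)\s*:\s*["'](login|auth|submit|job)["']/ },
  { name: 'mining-vocab', kind: 'intent', weight: 3,
    re: /(cryptonight|hashrate|hashes_?per_?second|stratum|monero)/i },
  { name: 'throttle',     kind: 'intent', weight: 2,
    re: /\bthrottle\b/i },
  { name: 'nonce',        kind: 'intent', weight: 1,
    re: /\bnonce\b/ },
];

const SCORE_THRESHOLD = 6;

// Score one script body. A page is flagged only when the weighted score
// clears the threshold AND at least one intent indicator fired, so a benign
// WebAssembly-plus-Workers page never trips on capability alone.
function scoreScript(source) {
  const matched = INDICATORS.filter(ind => ind.re.test(source));
  const score = matched.reduce((sum, ind) => sum + ind.weight, 0);
  const intent = matched.filter(ind => ind.kind === 'intent').length;
  return {
    score,
    matched: matched.map(ind => ind.name),
    flagged: score >= SCORE_THRESHOLD && intent > 0,
  };
}

// Pull inline <script> bodies out of an HTML document. Deliberately a regex,
// not an HTML parser: it misses scripts loaded via src= and code injected at
// runtime, which a real deployment would fetch and scan as well.
function inlineScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

function scanPage(html) {
  return scoreScript(inlineScripts(html).join('\n'));
}

// Constructed sample pages (not captured from any real site).
const MINER_PAGE = `
<html><body><script>
const threads = navigator.hardwareConcurrency || 4;
const workers = [];
for (let i = 0; i < threads; i++) workers.push(new Worker('w.js'));
const ws = new WebSocket('wss://proxy.example.invalid/');
ws.onopen = () => ws.send(JSON.stringify({ type: 'login', params: { site_key: 'abc' } }));
ws.onmessage = e => {
  const msg = JSON.parse(e.data);
  if (msg.type === 'job') workers.forEach(w => w.postMessage(msg.params));
};
workers.forEach(w => { w.onmessage = e => ws.send(JSON.stringify(
  { type: 'submit', params: { job_id: e.data.job_id, nonce: e.data.nonce, result: e.data.result } })); });
WebAssembly.instantiate(cryptonightWasm).then(m => { const throttle = 0.3; });
</script></body></html>`;

// Legitimate WebAssembly image filter: same capabilities, no pool traffic.
const IMAGE_FILTER_PAGE = `
<html><body><script>
const pool = Array.from({ length: navigator.hardwareConcurrency || 2 }, () => new Worker('filter.js'));
WebAssembly.instantiateStreaming(fetch('filter.wasm')).then(({ instance }) => pool[0].postMessage(instance.exports));
</script></body></html>`;

// Chat client: a WebSocket and a "login" message, but nothing else.
const CHAT_PAGE = `
<html><body><script>
const ws = new WebSocket('wss://chat.example.invalid/');
ws.onopen = () => ws.send(JSON.stringify({ type: 'login', user: 'alice' }));
</script></body></html>`;

for (const [name, html] of Object.entries({ MINER_PAGE, IMAGE_FILTER_PAGE, CHAT_PAGE })) {
  console.log(name, scanPage(html));
}
```

The design choice that matters is the two-part rule: capability indicators alone are everywhere on the modern web, and a single intent indicator (a chat app's `login` message) is not enough either, so the scanner demands both weight and intent before it flags. Real miners also obfuscate their scripts, so in production this static pass belongs alongside a runtime signal such as sustained CPU use from Workers on an idle page.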

The volume of malicious cryptomining has been climbing steadily since the fall, and Microsoft blocked twice as many cryptominers in March as it did in December, Ganacharya said. And last month the company disrupted a huge campaign that used the Dofoil malware to install malicious cryptomining software on victims’ machines using compromised software updates. The attackers’ techniques are growing in sophistication as time goes on, and as law enforcement continues to crack down on ransomware operations, malicious cryptomining likely will become more and more popular.

“Law enforcement tends to get involved when they can prove an amount of money that's been lost. It's harder to prove that there are victims losing money with this,” Burbage said.