Malicious cryptomining is a relatively new threat, but it’s been a highly lucrative one for attackers since it emerged a couple of years ago. And though cryptocurrency values have suffered a dramatic decline in the last few months, researchers believe that malicious cryptomining will continue to be a serious threat for enterprises in the years ahead.
There are a number of different methods that attackers use to get cryptomining malware onto target machines, including rigged attachments in spam messages, drive-by downloads, and targeted attacks against known vulnerabilities in server-side software. Regardless of the technique, malicious cryptomining has taken over much of the territory previously owned by ransomware, as it offers the opportunity for long-term gains rather than the short-term payouts of ransomware. Malicious cryptomining also typically doesn’t damage a victim’s machine, and victims may not even know that the attack has happened, so the mining activity can go on indefinitely.
However, the return from cryptomining has dropped significantly in the last couple of months as the value of currencies such as Bitcoin and Monero has fallen precipitously. Even with that decline, though, researchers at Cisco Talos say they are still seeing plenty of activity among the various attack groups that run malicious cryptomining campaigns.
“After reviewing the real-world impact and associated data, it appears that cryptocurrency mining is not slowing down, and if anything, could be slightly increasing in frequency for certain aspects of the landscape. As we move into 2019, it's likely that the payloads of choice will continue to diverge between different aspects of the threat landscape,” Nick Biasini of Cisco Talos said in a post detailing recent activity.
“Adversaries have gone all in on the idea of the recurring revenue model of cryptocurrency mining instead of the lump-sum gamble that ransomware provided so effectively throughout 2016 and 2017. In ransomware attacks, attackers asked for infected users to pay them a sum of money in exchange for the return of their information. But with miners, the attackers see revenue on a daily basis from their activities.”
Malicious cryptomining occupies a distinct place in the threat landscape. The mining software itself typically isn’t malicious and simply uses the victim machine’s compute power to mine cryptocurrency. Many victims don’t even notice the software on their machines, but attackers use malicious techniques to get the miners onto those computers. Unlike ransomware, cryptominers don’t demand money or cryptocurrency from a victim but instead try to manufacture the currency on their own. The idea is to get the mining software onto as many machines as possible in order to harness a large amount of compute power, at no cost to the attackers.
There are a wide variety of groups running malicious cryptomining campaigns at the moment, and they use a variety of tactics. Some groups run spam campaigns, often through botnets, that deliver mining software in malicious attachments. But one of the more prevalent techniques is web-based installation of miners, either through drive-by downloads or scripts on pages that mine cryptocurrency in visitors’ browsers. In some cases, attack groups are using exploit kits to deliver their wares, a technique that many groups have used to distribute ransomware over the years.
“Since late 2016, there has been a marked decline in global exploit kit activity. Of the campaigns that remained, malicious cryptomining payloads were being distributed commonly via downloaders, rather than some of the other malware that had been historically associated with these campaigns,” Biasini said.
“Along with exploit kits and malvertising, cryptocurrency mining malware was also frequently seen being delivered through fake Flash Player updates. In these attacks, victims are prompted to update their version of Adobe Flash Player, but the malware downloads a payload used to infect systems and mine cryptocurrency for cybercriminals.”
Data that Cisco Talos compiled on both network and endpoint cryptomining activity shows that mining levels have remained about the same over the last few months as cryptocurrency prices have crashed, and even increased slightly on the network side.
“So despite the fact that we do not see miners being pushed at the same level, specifically in the email space, the overall capabilities remain primarily static. This implies both long-term mining activity and the importance of active exploitation, brute forcing and web-based attacks to the threat landscape, specifically around malicious mining,” Biasini said.
“Those groups that focus on active exploitation and brute forcing are all in on mining, and it will take some additional force to move them off of this payload, mainly because of the resources they've already committed. It takes time and effort to shift away from things like distributed denial-of-service and spam botnets to cryptomining. Many of these adversaries took the time and effort to shift away and focus on mining. A decrease in the value of the currency isn't going to move them off of that.”