Cryptojacking – Understanding and Detecting Attacks
2017 was a year full of hype for cryptocurrency. Not only did we see Bitcoin (BTC) prices skyrocket (from ~$900 to ~$20K!), but we also saw the emergence of new currencies such as Tron (TRX), LunaCoin (LUNA), and Pluton (PLU), which are just a few of many. Hackers are taking note, and have increasingly incorporated crypto into their schemes, beyond just ransomware featuring payment in Bitcoin.
What is Cryptojacking?
Cryptojacking takes control of a corporate system and uses it as a continuous source of computing power for blockchain-based cryptocurrency mining. With multiple entry points and stealthy tactics to hide behind, cryptojacking can be difficult to detect and prevent. With cryptojacking on pace to overtake ransomware, you should understand which systems are vulnerable and how to properly detect attacks.
Systems Vulnerable to Cryptojacking Attacks and Malware
Cryptojacking Via Your Browser
There are several cryptocurrency miners that leverage code injection into a website, including Coinhive, Crypto-Loot, CryptoNoter, and JSECoin. Note that these are not necessarily malicious tools, but can be used by cybercriminals to generate mining activity on unsuspecting websites. See below snippet from Coinhive code.
LookingGlass researchers have identified over 7,000 Coinhive mining sites and several hundred hosting the other miners.
There are two primary concerns with browser-based cryptocurrency mining:
- Websites may incorporate miners without disclosing this to site visitors, which could be considered unethical.
- And more importantly, cyber criminals are injecting the mining code into unsuspecting websites, thereby taking advantage of both the website and the site’s visitors.
It’s Not Just in Your Browser
Oracle WebLogic application servers have been discovered hosting cryptojacking malware. These servers, which are often cloud-based, are designed to manage enterprise-level applications. The mining tools are injected using a web application vulnerability (CVE-2017-10271, disclosed in December 2017). In one reported incident, the cyber criminals employed the XMRig mining kit and garnered over $200K in Monero cryptocurrency.
Cryptojacking in Your Apps
Researchers discovered several Android apps in the Google Play store that were secretly mining cryptocurrency. These apps did not present themselves as miners, but rather something more innocuous, such as a wallpaper app. The mining activity can degrade the device’s performance, cause wear and tear, and reduce battery life.
Cryptojacking in Your Social Media
Facebook Messenger was found to be distributing Digmine miner malware via a video that appeared to have been sent by a Facebook friend. Digmine has the ability to infect the desktop version of Messenger and access user contact lists to spread further.
Cryptojacking in Public WiFi or During Your Coffee Break
Hijacking WiFi hotspots is a new cryptojacking trend. CoffeeMiner uses a man-in-the-middle (MITM) attack to hijack users connecting to WiFi hotspots and inject mining code into all HTML pages requested by those users. This was reported by a patron of a Starbucks in Buenos Aires who discovered it when examining the cause of a connection delay to the WiFi.
Cryptojacking via Campaign
The Zealot malware campaign targets the well-documented Apache Struts vulnerability, CVE-2017-5638, as well as the ASP.NET vulnerability, CVE-2017-9822. The malware uses the ETERNALBLUE and ETERNALSYNERGY exploits to spread throughout infected systems and PowerShell to download and install the cryptocurrency mining tools. This campaign impacts both Windows and Linux operating systems.
And of Course, There’s a Botnet for That
Another vector is via a cryptocurrency mining botnet, PyCryptoMiner, that is written in Python, targets Linux operating systems, and rather uniquely refers to a Pastebin site for command and control instructions.
Our Findings: LookingGlass Testing and Analysis
LookingGlass researchers performed testing of browser-based cryptojacking websites and found that it is indeed a highly resource-intensive activity. When visiting one site with embedded mining code, CPU usage levels quickly elevated to over 500%, then dropped to normal levels once the browser window was closed as indicated in the below figures.
LookingGlass sampled the network traffic associated with a site mining using the Coinhive tool, and observed the various options that can be set, such as throttle rate and pool wallet ID number.
Why You Should Care About Cryptojacking, or Help, My Laptop is on Fire!
On the surface, cryptojacking seems relatively benign. But in actuality, it costs victims processing and energy resources. Desktop users may experience a degradation in services. Mobile users may experience loss of battery life. For an individual, this may not have a significant impact, but for a production server in a data center environment, the costs could quickly stack up.
Serving up cryptojacking to your website visitors, unwittingly or not, is likely to drive away traffic and create negative customer opinion, neither of which is typically a desired outcome.
Perhaps more important, browser-based cryptojacking means that unwanted code has been injected into an organization’s web server. That server has been compromised, and that is never a good thing. Where one attacker gets in, others can follow, perhaps with more nefarious motivations. In the words of the Google dev team, “if an attacker successfully injects any code at all, it’s pretty much game over: user session data is compromised and information that should be kept secret is exfiltrated to The Bad Guys.”
How to Avoid Being a Miner
The good news is that cryptojacking is not hard to identify. The distinctive code usually stands out, as displayed in the example above. For browser-based cryptojacking, there are browser extensions that can be installed to block mining activity. LookingGlass researchers tested some of these and found them to be effective, as shown in the below image.
Currently only a few antivirus engines will detect and block browser-based cryptojacking activity or the Digmine miner.
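The identification step described above can be automated against your own site's pages. The following is an added example, not LookingGlass code: it extracts script sources and inline script bodies from a page and matches them against signatures for the four miners named earlier. The signature strings, function names, and sample pages are assumptions constructed for illustration, not a vetted blocklist.

```python
import re
from html.parser import HTMLParser

# Illustrative signatures (assumptions for this example, not a complete blocklist).
SIGNATURES = {
    "Coinhive": re.compile(r"coinhive(\.min)?\.js|coinhive\.com|CoinHive\.Anonymous", re.I),
    "Crypto-Loot": re.compile(r"crypto-?loot", re.I),
    "CryptoNoter": re.compile(r"cryptonoter", re.I),
    "JSECoin": re.compile(r"jsecoin", re.I),
}

class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Only text inside <script> counts; prose that mentions a miner does not.
        if self._in_script and data.strip():
            self.inline.append(data)

def find_miners(html):
    """Return sorted (miner, location) pairs for scripts matching a signature."""
    collector = ScriptCollector()
    collector.feed(html)
    found = [("src", s) for s in collector.sources] + [("inline", s) for s in collector.inline]
    return sorted({(name, where) for where, text in found
                   for name, pattern in SIGNATURES.items() if pattern.search(text)})

# Constructed sample pages (not captured traffic): one injected, one clean.
INJECTED = """<html><body><h1>Shop</h1>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3}); m.start();</script>
</body></html>"""
CLEAN = '<html><body><p>An article about coinhive.</p><script src="/static/app.js"></script></body></html>'
```

`find_miners(INJECTED)` reports Coinhive in both the external source and the inline script, while `find_miners(CLEAN)` returns an empty list because the miner's name appears only in page text.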