Don’t Be a Coinmining Zombie – Part 1: Getting Cryptojacked


    When your computer or mobile device (and now, even your IoT device) is hijacked to secretly mine cryptocurrencies, it’s been cryptojacked and becomes a coinmining zombie. Its CPU, memory, disk, and power are enlisted in varying degrees in the service of the mining botnet, which labors on behalf of those who use it, with other zombies, to make money in the currency. Cryptojacking not only increases the wear and tear on your PC or Mac; if it’s a mobile device it can overheat and swell the battery, even destroy the device itself. Not a good payment for all that service!

    So how do you get cryptojacked? And what can you do to prevent it?

    What is cryptocurrency, anyway?

    First, a refresher, to clarify the security issues.

    A cryptocurrency is a digital currency “designed to work as a medium of exchange, that uses strong cryptography to secure financial transactions, control the creation of additional units, and verify the transfer of assets” (see Cryptocurrency, Wikipedia). Unlike electronic or printed currencies produced by central banking systems, cryptocurrencies use peer-to-peer networks of decentralized computers—distributed ledgers, typically blockchains (explained below)—to serve as the public databases that process and verify the transactions conducted in the currency.

    First released in 2009, Bitcoin is generally considered to be the first cryptocurrency. Since then, over 4,000 alternative currencies have been created—and some of them, like Ethereum, Ripple, Litecoin, and Monero, are very active among a list of over 1500 cryptocurrencies in circulation today. Companies like Microsoft, Dell, Virgin Galactic, Shopify, and Tesla, as well as others (the list is growing), are now among the companies accepting Bitcoin and other cryptocurrencies. Countries like the US, South Korea, Hong Kong, and Japan, as well as Australia, are now among the countries accepting and regulating cryptocurrencies. This list too is growing, though some countries have refused to recognize cryptocurrencies or have banned them altogether (see Cryptocurrencies by Country, Dividends Magazine, 25 Oct 2017).

    Next, what is cryptocurrency mining?

    Cryptocurrency mining (aka coinmining for short) is the way transactions are processed and verified over the peer-to-peer network by the cryptocurrency’s coinminers installed on innumerable users’ computers. Each set of transactions is processed as a “block” and then added to the “blockchain”—the public ledger—once it is confirmed by a cryptographic hash (a fixed-size alphanumeric string) generated by the miners. The blockchain is then ready for the next block. The coin-owner’s private key or seed in their cryptocurrency wallet is what identifies the ownership of the coins, seals the transaction for the specified amount, and prevents the transaction from being altered—as verified by the hash.

    The miners that first calculate the hash, before any others, are rewarded with free currency units—hence the high processing power required to do this quickly (usually, in about ten minutes). To that end, mining can be done by one or more big computers with lots of processing power and high-end graphics cards (GPUs); or it can be done in a pool by many smaller mining computers working simultaneously across the network. Legitimate mining pools may be set up by partners who share any profits by calculating the precise contribution of each of the participating miners in creating the cryptographic hash.
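    The mining and verification steps described above, as an added example (not code from the original post or from Trend Micro): a toy proof-of-work miner that hashes a block of constructed transactions with SHA-256 until the hash falls below a difficulty target, plus the cheap check anyone can run to verify the block and to detect a tampered transaction. The block layout and difficulty value are simplifications assumed for illustration.

```python
import hashlib
import json

# Constructed sample block: a placeholder previous-block hash and two
# made-up transactions. Real block headers carry more fields (timestamp,
# Merkle root, version), but the hashing principle is the same.
PREV_HASH = "00" * 32  # placeholder for the hash of the preceding block
TRANSACTIONS = [
    {"from": "alice", "to": "bob", "amount": 1.5},
    {"from": "bob", "to": "carol", "amount": 0.25},
]


def block_hash(prev_hash, transactions, nonce):
    """SHA-256 over a canonical serialisation of the block contents."""
    header = json.dumps(
        {"prev": prev_hash, "txs": transactions, "nonce": nonce},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(header).hexdigest()


def mine_block(prev_hash, transactions, difficulty_bits):
    """Try nonces until the hash falls below the target; returns
    (nonce, hash, attempts). Roughly 2**difficulty_bits hashes are needed,
    which is why mining is CPU-bound and why cryptojackers want your CPU."""
    target = 1 << (256 - difficulty_bits)
    nonce = 0
    while True:
        digest = block_hash(prev_hash, transactions, nonce)
        if int(digest, 16) < target:
            return nonce, digest, nonce + 1
        nonce += 1


def verify_block(prev_hash, transactions, nonce, digest, difficulty_bits):
    """Verification is one hash and one comparison. Any change to the
    transactions (e.g. editing an amount) yields a different digest, so a
    tampered block fails the check and is rejected by the network."""
    target = 1 << (256 - difficulty_bits)
    recomputed = block_hash(prev_hash, transactions, nonce)
    return recomputed == digest and int(digest, 16) < target
```

With 12 difficulty bits the search takes a few thousand hashes; real networks use targets many orders of magnitude harder, which is the asymmetry that makes stolen CPU time valuable.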

    How do you become a coinmining zombie?

    That said, it’s not just legitimate entrepreneurs who use pools of computers to mine cryptocurrencies. Transgressive or criminal coinmining can occur whenever your computer and others are “hijacked” (i.e., cryptojacked) to mine without your permission.

    Trend Micro identifies three types of cryptojacking in use today (apart from the outright theft of cryptocurrency from the wallet that contains it, which can also occur):

    • Web coinminers. Some websites now incorporate known transgressive web coinminers, as in the now infamous example of the publicly advertised CoinHive miner installed on PirateBay. Sold by the CoinHive creators as a clever alternative to using website ads, when users clicked anywhere on PirateBay, a popup would initiate a coinmining process, significantly increasing the CPU usage of the visitor’s machine via the JavaScript coinminer. Hidden web coinminers take this process a step further, allowing aggressive or criminal attackers to compromise a site for coinmining in a clandestine way, even after you close your browser. They do this by minimizing the browser behind the Windows Taskbar to persist in the mining at a reduced processing rate, so you may not even notice it—though your CPU usage remains higher than normal.
    • Local coinminers. In this case, a fake app masquerading as an update installs a coinminer on your computer, as with the Fake Flash Player Updater you might install because a malicious popup tells you that you need it to make the website work properly. Another example is HiddenMiner, which poses as a legitimate Google Play update app and continuously mines the Monero cryptocurrency on Android, which can cause the device to overheat and potentially fail. It’s similar to the Loapi Monero-mining Android malware, which security researchers report can cause a device’s battery to bloat.
    • Fileless coinminers. Finally, fileless coinminers may be initially executed as a PowerShell script, which then propagates on the target machine using Mimikatz or EternalBlue for lateral movement, and then uses Windows Management Instrumentation (WMI) to run the exploit over the scanned network connections. This opens a persistent, asynchronous, fileless backdoor on your computer for the purposes of clandestine coinmining. The result, again, is increased CPU usage on your machine.
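    All three types share the symptom the list keeps returning to: a process that stays busy long after it should have gone idle. As an added defender's example (not code from the original post or from Trend Micro), the heuristic below runs over constructed process telemetry and flags processes whose CPU usage stays above a threshold for several consecutive samples, adding a note when the process is a browser with no visible window (the hidden web coinminer pattern) or a script host such as PowerShell (the fileless pattern). The sample rows, thresholds and process-name sets are assumptions for illustration.

```python
from collections import defaultdict

# Constructed telemetry: one sample per process every 30 seconds as
# (timestamp, pid, process name, CPU %, window visible on screen?).
# pid 220 is ordinary bursty browsing, pid 410 is a browser still mining
# after the user "closed" it, pid 777 is a PowerShell host under steady load.
SAMPLES = [
    (0,   220, "chrome.exe",     35.0, True),
    (0,   410, "chrome.exe",     62.0, False),
    (0,   777, "powershell.exe", 88.0, False),
    (30,  220, "chrome.exe",      4.0, True),
    (30,  410, "chrome.exe",     58.0, False),
    (30,  777, "powershell.exe", 91.0, False),
    (60,  220, "chrome.exe",     70.0, True),
    (60,  410, "chrome.exe",     61.0, False),
    (60,  777, "powershell.exe", 87.0, False),
    (90,  220, "chrome.exe",      6.0, True),
    (90,  410, "chrome.exe",     60.0, False),
    (90,  777, "powershell.exe", 90.0, False),
]

# Process families the web and fileless coinminers above run inside (assumed).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "mshta.exe"}


def find_suspect_miners(samples, cpu_threshold=50.0, min_consecutive=3):
    """Return {pid: (name, reasons)} for processes whose CPU stays at or
    above cpu_threshold for min_consecutive samples in a row. Legitimate
    bursty work (pid 220) drops back between samples; a miner does not."""
    by_pid = defaultdict(list)
    for ts, pid, name, cpu, visible in sorted(samples):
        by_pid[pid].append((name, cpu, visible))
    findings = {}
    for pid, rows in by_pid.items():
        name = rows[0][0]
        streak = best = 0
        for _, cpu, _ in rows:
            streak = streak + 1 if cpu >= cpu_threshold else 0
            best = max(best, streak)
        if best < min_consecutive:
            continue
        reasons = [f"cpu>={cpu_threshold:.0f}% for {best} consecutive samples"]
        if name in BROWSERS and not any(v for _, _, v in rows):
            reasons.append("browser with no visible window")  # hidden web coinminer
        if name in SCRIPT_HOSTS:
            reasons.append("script host under sustained load")  # fileless pattern
        findings[pid] = (name, reasons)
    return findings
```

Fed by real per-process samples from the OS, the same logic becomes a first-pass alert; the threshold and window length are the knobs that trade false positives against time-to-detect.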

    So what do you do about such threats? See Don’t be a Coinmining Zombie – Part 2: How Do You Protect Yourself from Being Cryptojacked?
