Cryptojacking and How it Works

This entry was posted on Tuesday, May 29th, 2018.

As the new frontier for technology, blockchain has shown plenty of promise. However, in the realm of cryptocurrencies, there have been several high profile attacks and heists that have brought the security of exchanging and holding cryptocurrencies into question. In the rush for acquiring cryptocurrencies, some users have taken to building machines dedicated to mining cryptocurrencies, but that aspect of the industry is not safe from attackers, either. It is a lucrative industry for cybercriminals, with a surge of malware that steals cryptocurrency for sale on the dark web to boot. Activities range from exploiting hardware graphics processing units (GPU), to taking advantage of users’ mobile devices.

Cryptomalware steals money from cryptocurrency transactions which it achieves via two different methods: stealing cryptocurrency and mining cryptocurrency on victims’ devices without their knowledge, known as “cryptojacking.”

Cryptocurrency-mining malware usually operates by using dropper code, which runs on the victim’s device without their permission, either via scripts or executables. To this end, cybercriminals may attack exposed computer infrastructures, launch phishing attacks, or maliciously use tools such as browser extensions, mobile apps, and instant messaging services. Miner code runs on the victim’s device and hijacks its computer power to calculate hashes, slowing the performance for the victim. Then, the results of the calculations are sent back to the attacker or directly to an online mining pool. The attacker then converts to results into cryptocurrency.

In contrast, cryptojacking malware has malicious code that can look for wallets’ addresses on local storage (e.g.: text documents, configuration files, etc.), and monitor device memory, including the copy-and-paste clipboard. Thus, when the victim copies and pastes a wallet address, the malware can replace it with their own address. The malware the intercepts cryptocurrency transactions. For each transaction, the amount at the time of purchase is directed into the criminals’ wallets without the user noticing.

Creeping into IoT

There are fears that crooks targeting servers and PCs to secretly mine for cryptocurrencies might turn their attention to IoT devices to make money. While IoT devices have far less power than the most basic PC – and crypto-mining machines require powerful GPUs to the point of driving prices up – the lack of security measures and glaring vulnerabilities make attacking IoT devices an attractive option for cryptojacking attackers. With the growing popularity of online services that make mining easier, there is an increased in web-based, client-side cryptomalware written in JavaScript.

One example of cryptocurrency-mining malware being used in an IoT environment is DroidMiner. Advertised in a forum in 2017. In the same forum, another actor offered a Monero miner for routers, which could accommodate different architectures. However, he was immediately attacked by another member, citing that the software was not worth anything, given the lack of processing power in routers.

While it does seem that cryptocurrency malware is gaining as a mention-worthy topic in forums in the cybercriminal underground, with some trying to explore whether IoT exploits could be profitable, it might not be as profitable as other criminals think. Yet.

In light of cybercriminals exploring new ways to exploit devices, Trend Micro has recommendations to mitigate the risks of attacks, such as regularly updating devices with the latest firmware, changing the devices’ default credentials to avoid unauthorized access, employ intrusion detection and prevention systems to deter malicious attempts, an be wary of known attack vectors, such as socially engineered links, attachments, suspicious files, and spam.


The Bottom Line

Cryptocurrency mining is a burgeoning industry, but as more interest grows around that frontier, so too do the opportunities for cybercriminals to capitalize on glaring vulnerabilities. Cryptocurrency-mining and cryptojacking malware can hijack a victim’s device without their permission and run malicious scripts or redirect funds. While some malware developers are looking for ways to make inroads towards exploiting IoT vulnerabilities for profit, the lack of processing power of the IoT devices so far have yielded little profit. Nevertheless, it is likely that will not be the case for long, and users would do well to practice common sense security in the meantime.