The growing threat from cryptocurrency miners

As has been noted in numerous places, the significant price rise in both Bitcoin and Altcoins (like Monero and Ethereum) that took place over the course of 2016 and 2017 has driven many in the cybercriminal fraternity to completely ditch ransomware and other malware to focus exclusively on cryptominers. By the end of 2017, 2.7 million users had been attacked by malicious miners, a huge increase from 2016 (1.87 million).

There are clear reasons for this, other than the exponential rise in crypto prices. Not least among them is the ease with which these schemes make money. A ransomware infection requires input from the victim, as well as monitoring by the threat actor: cryptomining malware can run by itself, in the background, and may go completely unnoticed by the victim.

And that is the second point of attraction: users may not know that they have been infected by miners. In particular, if they only use their computers for tasks that are not CPU-intensive, such as browsing the internet, a cryptominer could persist on a device for some time with little risk of discovery.

Thirdly, the entry level for this sort of crime is incredibly low. Wannabe hackers with minimal coding skills can get in on the act as a result of the plethora of information, off-the-shelf tools, and skilled developers already out there.

Despite the attractiveness of cryptomining for low-skilled coders, there is nonetheless an increasing use of more advanced techniques, inspired by targeted attacks, to deliver mining malware. 'Process hollowing' is one such method: the code of a legitimate process on the infected device is replaced with malicious code, so the miner runs under the name of a trusted program. The technique is particularly effective because it sets system-critical flags on the new process, meaning that Windows will reboot if the victim attempts to kill it. As a result of techniques such as this, and many others, cybercriminal groups earned around $7 million in the second half of 2017.

Interestingly, alongside the criminal developments in this sphere, we have seen legitimate introductions of cryptocurrency miners in everything from household appliances to apps. In one case, French company Qarnot produced a heater that has in-built cryptomining capability. Indeed, it is marketed as such: any coins mined belong to the owner of the heater.

Another example appears to have been sanctioned by Apple, at least indirectly. Calendar 2, a popular calendar utility created by Qbix, usually costs $0.99 through Apple's App Store. It has regular calendar functionality but also a built-in weather forecast, Facebook integration, and Flickr-powered backgrounds. In the latest update, however, a cryptomining feature was added, and the developer flagged this to all users: if they want all the advanced features of the app but do not want to pay $0.99 a month, the app can "unobtrusively generate crypto-currency in the background". In the case of Calendar 2 this did not work, because the miner kept running even when users opted out, and in some cases ran CPU loads of 200%.

Nonetheless, the point is clear: cryptominers, whether legitimate or illegitimate (and in some cases the distinction is unclear) are here to stay. The threat from criminals is significant and, for the reasons noted above, only likely to increase.