By Arie Fred, VP of Product, SecBI

Crypto-mining (or crypto-jacking) malware campaigns climbed 29 percent from Q4 2018 to Q1 2019 according to a new study published by McAfee in August.

Just one example behind this surge of activity was a huge botnet consisting of 850,000 computers that was detected and taken offline by a joint operation of French police and the security company Avast. The computers were infected with the polymorphic miner “RETADUP”, and coded in AutoHotKey, an open-source scripting language used in Windows for creating hotkeys (i.e., keyboard shortcuts, macros, software automation). Once installed, RETADUP uses the computers’ resources to mine Monero. Crypto mining is popular and profitable in other parts of the world as well. In China, fifteen Chinese individuals were arrested for their involvement in an illegal cryptocurrency mining operation that hijacked the bandwidth of scores of internet cafes to mine approximately 100 million yuan (nearly $14 million) in cryptocurrency. The operation involved the bribery of over 9,000 internet cafe administrators who infected their systems with a Trojan allowing the remote operation of their cafes’ computers. Moving from China to the rest of Asia-Pacific, the Smominru campaign hijacked half a million PCs to mine cryptocurrency. The botnet has been active for at least two years and generally spreads through the EternalBlue exploit, an old vulnerability detected and made public in 2017.

Last, but not least, the infamous hacker (and former Amazon employee) Paige Thompson, who stole the personal information of over a hundred million of the bank’s customers, was accused recently for additional crimes. The FBI claims that the hacker attacked 30 other entities, including a state agency, a telecommunications conglomerate and a public research university (most likely the Ohio Department of Transportation, Michigan State University and Vodafone). The aim of hacking these organizations was not to exfiltrate and steal data (as she did with Capital One) but to utilize their servers to mine cryptocurrency.

Therefore, by looking at all these separate cases, what can we learn to improve our crypto-mining detection capabilities?

  1. Cryptomining is profitable, lucrative and usually goes under the radar of threat detection technology. Hackers are using it to gain money in a quiet, simple manner.
  2. All these victims have been infected, and their systems working hard (for long periods of time), but none of them had identified the breach before official investigations were executed. This is due to the stealthy nature of the miner, that unlike ransomware, does not announce its activation upon infection, rather works quietly in the background.

New forms of miners, such as Norman, are especially capable of hiding their tracks and avoiding detection. Norman hides itself when you open the Task Manager in Windows to see why your machine is running slow. Once the Task Manager is closed, the cryptojacking malware reinjects itself, and mines Monero. The malware is first deployed via svchost.exe, a Windows process used to perform various operations. Another miner name “Clipsa”, is described by Avast as a “multipurpose password stealer.” It exploits numerous attack vectors to steal or illicitly mine cryptocurrency.

It is also evident that traditional security mechanisms are ill-equipped to handle mining malware, which is specifically designed to evade detection upon infection, and to evade detection all the while by working “low and slow”. Machine-learning based detection algorithms from a network approach are required to look at the entire organization’s network traffic, identify changes in the behavior of multiple machines and then to present the full scope of all the affected entities per incident of a crypto-miner infection.