What Is Cryptojacking - How To Prevent, Detect, and Recover From It - CSO Online

Cryptojacking is the unauthorized use of someone else's computer to mine cryptocurrency. Hackers infect websites and online ads with JavaScript code that auto-executes crypto mining code on visitors' computers without their knowledge. This allows hackers to profit from others' computing resources. Cryptojacking is on the rise because it generates money with less risk than ransomware. Hackers deploy crypto mining code through email phishing links and by injecting scripts on websites. The mining code runs secretly in the background, slowing devices without permission or detection.

Uploaded by

Sanjay S Ray

3/6/2019 What is cryptojacking? How to prevent, detect, and recover from it | CSO Online

FEATURE

What is cryptojacking? How to prevent, detect, and recover from it

Criminals are using ransomware-like tactics and poisoned websites to get your employees’
computers to mine cryptocurrencies. Here’s what you can do to stop it.
By Michael Nadeau

Senior Editor, CSO


DECEMBER 13, 2018 02:44 PM PT

Cryptojacking is the unauthorized use of someone else’s computer to mine cryptocurrency. Hackers do this by either getting the
victim to click on a malicious link in an email that loads crypto mining code on the computer, or by infecting a website or online
ad with JavaScript code that auto-executes once loaded in the victim’s browser.

Either way, the crypto mining code then works in the background as unsuspecting victims use their computers normally. The
only sign they might notice is slower performance or lags in execution.

https://www.csoonline.com/article/3253572/what-is-cryptojacking-how-to-prevent-detect-and-recover-from-it.html 1/10

Why cryptojacking is on the rise

No one knows for certain how much cryptocurrency is mined through cryptojacking, but there’s no question that the practice is rampant. Browser-based cryptojacking is growing fast. Last November, Adguard reported a 31 percent growth rate for in-browser cryptojacking. Its research found 33,000 websites running crypto mining scripts. Adguard estimated that those sites had a billion combined monthly visitors.

This February, Bad Packets Report found 34,474 sites running Coinhive, the most popular JavaScript miner that is also used for
legitimate crypto mining activity. In July, Check Point Software Technologies reported that four of the top ten malware it has
found are crypto miners, including the top two: Coinhive and Cryptoloot.

“Crypto mining is in its infancy. There’s a lot of room for growth and evolution,” says Marc Laliberte, threat analyst at network security solutions provider WatchGuard Technologies. He notes that Coinhive is easy to deploy and generated $300 thousand in its first month. “It’s grown quite a bit since then. It’s really easy money.”

In January, researchers discovered the Smominru crypto mining botnet, which infected more than a half-million machines,
mostly in Russia, India, and Taiwan. The botnet targeted Windows servers to mine Monero, and cybersecurity firm Proofpoint
estimated that it had generated as much as $3.6 million in value as of the end of January.

Cryptojacking doesn’t even require significant technical skills. According to the report, The New Gold Rush Cryptocurrencies Are
the New Frontier of Fraud, from Digital Shadows, cryptojacking kits are available on the dark web for as little as $30.

The simple reason why cryptojacking is becoming more popular with hackers is more money for less risk. “Hackers see
cryptojacking as a cheaper, more profitable alternative to ransomware,” says Alex Vaystikh, CTO and cofounder of SecBI. With
ransomware, a hacker might get three people to pay for every 100 computers infected, he explains. With cryptojacking, all 100
of those infected machines work for the hacker to mine cryptocurrency. “[The hacker] might make the same as those three
ransomware payments, but crypto mining continuously generates money,” he says.

The risk of being caught and identified is also much less than with ransomware. The crypto mining code runs surreptitiously and
can go undetected for a long time. Once discovered, it’s very hard to trace back to the source, and the victims have little
incentive to do so since nothing was stolen or encrypted. Hackers tend to prefer anonymous cryptocurrencies like Monero and
Zcash over the more popular Bitcoin because it is harder to track the illegal activity back to them.

How cryptojacking works

Hackers have two primary ways to get a victim’s computer to secretly mine cryptocurrencies. One is to trick victims into loading cryptomining code onto their computers. This is done through phishing-like tactics: Victims receive a legitimate-looking email that encourages them to click on a link. The link runs code that places the cryptomining script on the computer. The script then runs in the background as the victim works.

The other method is to inject a script on a website or an ad that is delivered to multiple websites. Once victims visit the website
or the infected ad pops up in their browsers, the script automatically executes. No code is stored on the victims’ computers.
Whichever method is used, the code runs complex mathematical problems on the victims’ computers and sends the results to a
server that the hacker controls.

Hackers often will use both methods to maximize their return. “Attacks use old malware tricks to deliver more reliable and
persistent software [to the victims’ computers] as a fall back,” says Vaystikh. For example, of 100 devices mining
cryptocurrencies for a hacker, 10 percent might be generating income from code on the victims’ machines, while 90 percent do
so through their web browsers.

Unlike most other types of malware, cryptojacking scripts do no damage to computers or victims’ data. They do steal CPU processing resources. For individual users, slower computer performance might be just an annoyance. Organizations with many cryptojacked systems can incur real costs in terms of help desk and IT time spent tracking down performance issues and replacing components or systems in the hope of solving the problem.
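A defender-side illustration of the browser-based delivery described above, added here and not part of the CSO article: a Python scanner that pulls the script tags out of a page and flags the indicators an in-browser miner leaves behind. Coinhive and Cryptoloot are the miners the article names; the hostnames, the `CRLT` API name and the WebAssembly-plus-Worker heuristic are assumptions made for this example, and the sample pages and the site key are constructed.

```python
"""Flag in-browser cryptomining indicators in a fetched HTML page (added example, constructed data)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative indicator lists, not a maintained blocklist. Coinhive and Cryptoloot
# are the miners named in the article; the hostnames and API names below are
# assumptions for this example.
MINER_SCRIPT_HOSTS = ("coinhive.com", "coin-hive.com", "crypto-loot.com")
MINER_API_PATTERNS = (
    (re.compile(r"CoinHive\.(Anonymous|User)\s*\(", re.I), "Coinhive miner constructor"),
    (re.compile(r"CRLT\.Anonymous\s*\(", re.I), "Cryptoloot miner constructor"),
)


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline_script:
            self.inline.append("".join(self._buf))
            self._in_inline_script = False


def _host_of(src):
    """Host of an absolute or protocol-relative script URL; '' for a site-relative path."""
    if src.startswith(("http://", "https://", "//")):
        return (urlparse(src).hostname or "").lower()
    return ""


def scan_html(html):
    """Return a list of findings (strings); an empty list means no indicator matched."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        host = _host_of(src)
        if any(host == h or host.endswith("." + h) for h in MINER_SCRIPT_HOSTS):
            findings.append(f"external miner library loaded from {host}: {src}")
    for body in collector.inline:
        for pattern, label in MINER_API_PATTERNS:
            if pattern.search(body):
                findings.append(f"inline script calls {label}")
                break
        else:
            # Generic heuristic: browser miners run hashing in WebAssembly across Workers.
            # Legitimate wasm apps trip this too, so it is a review prompt, not a verdict.
            if "WebAssembly" in body and "new Worker(" in body:
                findings.append("inline script combines WebAssembly and Web Workers; review manually")
    return findings


# Constructed sample pages; the site key is a placeholder, not a real value.
INFECTED_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</head><body>Welcome</body></html>"""

CLEAN_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script>document.addEventListener('DOMContentLoaded', function () { console.log('ready'); });</script>
</head><body>Welcome</body></html>"""

if __name__ == "__main__":
    for name, page in (("infected", INFECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_html(page) or ["no indicators"])
```

A scan like this belongs in a crawl of your own web properties or a review of proxy logs; the generic heuristic will also flag legitimate WebAssembly applications, so treat its output as a prompt for review rather than a verdict.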

Real-world cryptojacking examples

Cryptojackers are a clever lot, and they’ve devised a number of schemes to get other people’s computers to mine cryptocurrency. Most are not new; crypto mining delivery methods are often derived from those used for other types of malware such as ransomware or adware. "You’re starting to see a lot of the traditional things mal-authors have done in the past," says Travis Farral, director of security strategy at Anomali. "Instead of delivering ransomware or a Trojan, they are retooling that to deliver crypto-mining modules or components."

Here are some real-world examples:

Spear-phishing PowerGhost steals Windows credentials

The Cyber Threat Alliance's (CTA's) The Illicit Cryptocurrency Mining Threat report describes PowerGhost, first analyzed by
Fortinet, as stealthy malware that can avoid detection in a number of ways. It first uses spear phishing to gain a foothold on a
system, and it then steals Windows credentials and leverages Windows Management Instrumentation and the EternalBlue
exploit to spread. It then tries to disable antivirus software and competing cryptominers.

MinerGate variant suspends execution when victim's computer is in use

According to the CTA report, Palo Alto Networks has analyzed a variant of the MinerGate malware family and found an
interesting feature. It can detect mouse movement and suspend mining activities. This avoids tipping off the victim, who might
otherwise notice a drop in performance.

BadShell uses Windows processes to do its dirty work

A few months ago, Comodo Cybersecurity found malware on a client's system that used legitimate Windows processes to mine cryptocurrency. Dubbed BadShell, it used:

PowerShell to execute commands: a PowerShell script injects the malware code into an existing running process.

Task Scheduler to ensure persistence

Registry to hold the malware's binary code

You can find more details on how BadShell works in Comodo's Global Threat Report Q2 2018 Edition.
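BadShell's three components (PowerShell for execution, Task Scheduler for persistence, the registry for the payload) leave a trail that can be hunted from a scheduled-task inventory. The Python below is an added example, not Comodo's analysis or code: it reads a `schtasks /query /fo CSV /v` style export, decodes any -EncodedCommand argument, and reports tasks that combine PowerShell with the indicators the description implies. The indicator set, the task names, the registry path and the payload are constructed assumptions.

```python
"""Hunt for PowerShell-based scheduled-task persistence in a schtasks export (added example, constructed data)."""
import base64
import csv
import io
import re

# The encoded-command flag and its base64 argument (PowerShell accepts -e/-ec/-enc/-EncodedCommand).
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)

# Heuristic indicators modelled on the BadShell description; assumptions, not a vendor signature.
INDICATORS = (
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-nop(?:rofile)?\b", re.I), "profile bypass"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "dynamic code execution"),
    (re.compile(r"get-itemproperty|\bhk(?:lm|cu):|registry::", re.I), "reads payload from registry"),
)


def decode_encoded_command(action):
    """Return the decoded -EncodedCommand payload (UTF-16LE, base64), or '' if there is none."""
    match = ENCODED_FLAG.search(action)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def analyze_task(task_name, action):
    """Return a finding dict for a suspicious PowerShell task, else None."""
    if not re.search(r"\bpowershell(?:\.exe)?\b", action, re.I):
        return None
    decoded = decode_encoded_command(action)
    hits = []
    if ENCODED_FLAG.search(action):
        hits.append("base64-encoded command")
    # Match the remaining indicators against readable text only: the command line
    # with the base64 blob removed, plus the decoded payload.
    readable = ENCODED_FLAG.sub("-enc [decoded below]", action) + "\n" + decoded
    hits.extend(label for pattern, label in INDICATORS if pattern.search(readable))
    if not hits:
        return None
    return {"task": task_name, "action": action, "indicators": hits, "decoded": decoded}


def hunt_schtasks_csv(csv_text):
    """Run analyze_task over every row of a `schtasks /query /fo CSV /v` style export."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        finding = analyze_task(row["TaskName"], row["Task To Run"])
        if finding:
            findings.append(finding)
    return findings


# Constructed payload and export: the registry path, task names and host are made up.
PAYLOAD = r"IEX (Get-ItemProperty 'HKCU:\Software\ExampleVendor').Blob"
ENCODED_PAYLOAD = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")


def constructed_export():
    """A stand-in for a real schtasks CSV export, using a subset of its columns."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["HostName", "TaskName", "Task To Run", "Run As User"])
    writer.writerow(["WS01", r"\Microsoft\Windows\Defrag\ScheduledDefrag",
                     r"%windir%\system32\defrag.exe -c -h -o -$", "SYSTEM"])
    writer.writerow(["WS01", r"\Updater",
                     f"powershell.exe -nop -w hidden -enc {ENCODED_PAYLOAD}", "SYSTEM"])
    writer.writerow(["WS01", r"\NightlyBackup",
                     r"powershell.exe -File C:\Scripts\backup.ps1", r"WS01\backup"])
    return buf.getvalue()


if __name__ == "__main__":
    for finding in hunt_schtasks_csv(constructed_export()):
        print(finding["task"], finding["indicators"])
        print("  decoded:", finding["decoded"])
```

The backup task shows why the PowerShell check alone is not enough: it is a PowerShell task with no suspicious flags and is left alone, while the Updater task is reported with every indicator, including what the encoded payload actually does once decoded.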

Rogue employee commandeers company systems

At the EmTech Digital conference earlier this year, Darktrace told the story of a client, a European bank, that was experiencing
some unusual traffic patterns on its servers. Night-time processes were running slowly, and the bank’s diagnostic tools didn’t
discover anything. Darktrace discovered that new servers were coming online during that time—servers that the bank said didn’t
exist. A physical inspection of the data center revealed that a rogue staffer had set up a cryptomining system under the
floorboards.

Serving cryptominers through GitHub

In March, Avast Software reported that cryptojackers were using GitHub as a host for cryptomining malware. They find
legitimate projects from which they create a forked project. The malware is then hidden in the directory structure of that forked
project. Using a phishing scheme, the cryptojackers lure people to download that malware through, for example, a warning to
update their Flash player or the promise of an adult content gaming site.

Exploiting an rTorrent vulnerability

Cryptojackers have discovered an rTorrent misconfiguration vulnerability that leaves some rTorrent clients accessible without
authentication for XML-RPC communication. They scan the internet for exposed clients and then deploy a Monero cryptominer
on them. F5 Networks reported this vulnerability in February, and advises rTorrent users to make sure their clients do not accept
outside connections.
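The F5 advice above (make sure the client does not accept outside connections) comes down to where the SCGI endpoint that carries rTorrent's XML-RPC is bound. This Python check is an added example, not from F5 or the rTorrent project: it parses an rTorrent rc file and grades the SCGI directives, using the directive names `network.scgi.open_port`/`scgi_port` (TCP listener) and `network.scgi.open_local`/`scgi_local` (unix socket) as rTorrent documents them; the sample fragments, paths and addresses are constructed.

```python
"""Check an rTorrent rc file for an SCGI/XML-RPC listener reachable from outside (added example, constructed data)."""
import ipaddress

# rTorrent directives that open the SCGI endpoint the XML-RPC interface rides on:
# a TCP listener (current and legacy names) versus a local unix socket.
SCGI_PORT_KEYS = ("network.scgi.open_port", "scgi_port")
SCGI_LOCAL_KEYS = ("network.scgi.open_local", "scgi_local")


def parse_rc(text):
    """Return (key, value) pairs from 'key = value' lines, ignoring comments and blanks."""
    settings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings.append((key, value))
    return settings


def is_loopback(host):
    """True for localhost, 127.0.0.0/8 and ::1; unknown hostnames are treated as not loopback."""
    host = host.strip("[]")
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def check_scgi_exposure(rc_text):
    """Return (severity, message) findings; an empty list means no TCP SCGI listener is configured."""
    findings = []
    for key, value in parse_rc(rc_text):
        if key in SCGI_PORT_KEYS:
            host, _, _port = value.rpartition(":")
            if not host:
                findings.append(("medium", f"{key} = {value}: no bind address given; confirm which interfaces it listens on"))
            elif not is_loopback(host):
                findings.append(("high", f"{key} = {value}: unauthenticated XML-RPC reachable from the network"))
            else:
                findings.append(("low", f"{key} = {value}: loopback only, but any local process can reach the unauthenticated endpoint"))
        # SCGI_LOCAL_KEYS open a unix socket: reachability is governed by filesystem
        # permissions rather than the network, so they produce no finding here.
    return findings


# Constructed rc fragments: the weak setting and its corrected form.
WEAK_RC = """# SCGI on every interface: anyone who can reach port 5000 gets XML-RPC without a password
directory.default.set = /srv/torrents
network.scgi.open_port = 0.0.0.0:5000
"""

HARDENED_RC = """# unix socket consumed by a local web front end that enforces its own authentication
directory.default.set = /srv/torrents
network.scgi.open_local = /run/rtorrent/rpc.sock
"""

LEGACY_LOOPBACK_RC = "scgi_port = 127.0.0.1:5000\n"

if __name__ == "__main__":
    for name, rc in (("weak", WEAK_RC), ("hardened", HARDENED_RC), ("legacy loopback", LEGACY_LOOPBACK_RC)):
        print(name, check_scgi_exposure(rc) or "no TCP SCGI listener")
```

A loopback TCP listener is still unauthenticated, so every local user and process can drive the client; the unix socket form, with restrictive permissions and a front end that authenticates, is the setting to aim for.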

Facexworm: Malicious Chrome extension

This malware, first discovered by Kaspersky Labs in 2017, is a Google Chrome extension that uses Facebook Messenger to infect users’ computers. Initially Facexworm delivered adware. Earlier this year, Trend Micro found a variant of Facexworm that targeted cryptocurrency exchanges and was capable of delivering cryptomining code. It still uses infected Facebook accounts to deliver malicious links, but can also steal web accounts and credentials, which allows it to inject cryptojacking code into those web pages.

WinstarNssmMiner: Scorched earth policy

In May, 360 Total Security identified a cryptominer that spread quickly and proved effective for cryptojackers. Dubbed WinstarNssmMiner, this malware also has a nasty surprise for anyone who tries to remove it: It crashes the victim’s computer. WinstarNssmMiner does this by first launching an svchost.exe process, injecting code into it, and setting the spawned process’s attribute to CriticalProcess. Since the computer sees it as a critical process, it crashes once the process is removed.

CoinMiner seeks out and destroys competitors

Cryptojacking has become prevalent enough that hackers are designing their malware to find and kill already-running
cryptominers on systems they infect. CoinMiner is one example.

According to Comodo, CoinMiner checks for the presence of an AMDDriver64 process on Windows systems. Within the
CoinMiner malware are two lists, $malwares and $malwares2, which contain the names of processes known to be part of other
cryptominers. It then kills those processes.
