
Coin Miner Malware: The Growing Underworld

Digging Into Cryptomining Malware (Bitcoin, Monero, and More)

Everybody knows someone who jumped on the Bitcoin train back in 2009, and later cashed out for millions—or for a paltry hundred bucks.

But while the value of a single bitcoin has ebbed and flowed over the last decade, electronic currencies have captured imaginations at every tier—including the less savory ones.

Cryptocurrencies offer a twofold alternative to fiat money: their value is not impacted by a government-controlled supply, and the system for their exchange is decentralized and (for now) essentially unregulated. For many cryptocurrency enthusiasts, the benefits of such decentralization outweigh the costs: flux aside, the dollar value of all cryptocoins today is a staggering $300+ billion.

That kind of money has turned the phrase "mining for bitcoins" into the spiritual successor to "let's rob a bank" as an option for, say, paying off student loans. Of course people really do spend months using special hardware to dig up cryptocoins—a quick Google search of "cryptomining" will land you with a dozen guides to mining different currencies, from Bitcoin to Ethereum to Monero. And coin mining itself is largely legal, as long as the miner follows their local financial regulations regarding currency exchange. Some companies even offer coin mining as an alternative to viewing ads on their websites.

But why obey the law when you can infect people with mining malware and leverage their processing power by force?

Cryptomining Malware Turns a Slow but Massive Profit

Here's a snapshot: a recent report from Talos estimates that a cryptominer with 2,000 victims could turn a profit of around $182,500 per year. If 2,000 seems like a lot of people for one bad actor to compromise, consider two facts: mining software itself is legitimate, dual-use code, so many security products won't flag it on its own unless it is tied to a known malicious campaign; and Kaspersky Lab blocked 51 million attempts to open a phishing page in 2017.

That's several million people who, after a year or two of ransomware headlines, still clicked a bad email link. (The Talos report is an excellent read if you want a more detailed rundown of the ways cryptomining malware is delivered.)

Coin miners work by computing cryptographic hashes as quickly as possible in the hope of finding one that satisfies the network's current difficulty target before everyone else does, so more processing power means better odds of striking gold. That's why powerful professional workstations make juicy targets for bad actors, and why they give particularly entrepreneurial employees a way to line their own pockets using workplace systems.
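To make the "more hashes, better odds" point concrete, here is a toy proof-of-work loop in Python. It is an added example written for this post, not code from the original article or from any real miner: the block header is a constructed placeholder, difficulty is expressed as leading zero bits, and double SHA-256 stands in for whatever hash a given coin actually uses (Monero, for instance, uses a different, CPU-oriented function). The search loop is the same idea regardless of the hash.

```python
import hashlib
import struct
from typing import Tuple


def block_hash(header: bytes, nonce: int) -> bytes:
    """Hash of (header || nonce). Double SHA-256, as Bitcoin does it; the choice of
    hash function does not change the argument, only the per-hash cost."""
    data = header + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for_bits(difficulty_bits: int) -> int:
    """A hash 'wins' when its 256-bit integer value is below this target, i.e. when
    it has at least difficulty_bits leading zero bits."""
    return 1 << (256 - difficulty_bits)


def is_valid(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Check whether a (header, nonce) pair meets the difficulty target."""
    return int.from_bytes(block_hash(header, nonce), "big") < target_for_bits(difficulty_bits)


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32) -> Tuple[int, int]:
    """Brute-force nonces in order until one is valid. Returns (nonce, attempts).
    Nothing clever is possible here: the only lever a miner has is hashes per second."""
    for nonce in range(max_nonce):
        if is_valid(header, nonce, difficulty_bits):
            return nonce, nonce + 1
    raise RuntimeError("nonce space exhausted without a valid hash")


def expected_attempts(difficulty_bits: int) -> int:
    """Each attempt succeeds independently with probability 2^-bits, so the mean
    number of attempts is 2^bits."""
    return 1 << difficulty_bits


def expected_seconds(difficulty_bits: int, hashes_per_second: float) -> float:
    """Mean time to find a valid hash at a given hashrate. It is linear in
    1/hashrate, which is why a few thousand hijacked workstations beat one honest laptop."""
    return expected_attempts(difficulty_bits) / hashes_per_second


if __name__ == "__main__":
    header = b"constructed-block-header-v1"  # constructed placeholder, not a real header
    for bits in (8, 12, 16):
        nonce, attempts = mine(header, bits)
        print(f"{bits:2d} bits: nonce={nonce:>8} attempts={attempts:>8} "
              f"(expected ~{expected_attempts(bits)})")
    for rate in (1e3, 1e5, 1e7):
        print(f"{rate:>8.0e} H/s -> {expected_seconds(24, rate):10.1f} s per 24-bit solution")
```

Run it and the attempt counts scatter around 2^bits, as they should for a geometric process; the hashrate table at the end is the whole economic argument for stealing CPU time in one line of arithmetic.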

You might argue, "Well, that's shady but isn't mining for electronic gold on someone else's computer a victimless crime?" To which we say...

The Cost of Miners in Your Environment

Beyond the negative impact on the performance and power consumption of infected devices, malicious cryptomining software can mean you're compromised in other ways. Trend Micro found that, in a six-month period in 2017, 20% of detected bitcoin miners also triggered web- and network-based attack detections.

So mining malware often arrives alongside, or opens the door to, worse payloads like ransomware and other malware. And, well, it's icky, right? Someone is forcing you and your system to help them generate funds without your knowledge or consent (or a cut of the profits).

As long as cryptocurrencies are in play, however, both legal and malware-driven mining will thrive—and even if you're not concerned about mining software as a gateway infection, no enterprise is going to want random miners stealing their resources. But detection is more challenging than you might think.

Network Visibility = The Canary in the Digital Mine

Mining software is designed to lurk inside an infected environment for as long as possible, so catching cryptominers depends on visibility into all of an organization's assets, which in practice means the network itself, and on the ability to notice odd behavior even when it isn't tied to any known malware. On the host, the only symptom is often a slight slowdown. On the wire, a miner has to talk to its pool, and that long-lived outbound connection that keeps submitting work is what gives it away.
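Here is what "noticing weird behavior on the wire" can look like in practice, as an added example written for this post rather than code from the original article or from ExtraHop. Pool miners commonly speak Stratum, a line-delimited JSON-RPC protocol over a raw TCP connection: a login or subscribe message that carries the wallet address, then a steady stream of share submissions for as long as the miner lives. The script below runs over a handful of constructed client-to-pool payload records (timestamp, source, destination, port, payload), flags Stratum method names and Monero-shaped wallet addresses, and alerts only on flows that show a handshake followed by repeated submissions. The records, the wallet address, the pool address and the thresholds are all constructed assumptions for the demonstration.

```python
import json
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Method names used by the Stratum mining protocol and the JSON-RPC dialect
# spoken by common Monero miners. One JSON object per line over a TCP socket.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit", "mining.notify",
    "mining.set_difficulty", "login", "getjob", "submit", "job",
}
HANDSHAKE_METHODS = {"login", "mining.subscribe", "mining.authorize"}
SUBMIT_METHODS = {"submit", "mining.submit"}

# Approximate shape of a Monero primary address: '4' followed by 94 base58
# characters. Assumption: good enough for flagging, not for validating addresses.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
XMR_ADDRESS = re.compile(rf"4[{B58}]{{94}}")

# Constructed sample data: a fake wallet (base58 filler, not a real address) and
# client-to-pool payloads only, so each flow key is (src_ip, dst_ip, dst_port).
FAKE_XMR = "4" + (B58 * 2)[:94]
Record = Tuple[float, str, str, int, str]  # (timestamp, src_ip, dst_ip, dst_port, payload)
SAMPLE_RECORDS: List[Record] = [
    (0.0, "10.0.0.5", "203.0.113.7", 3333, json.dumps({
        "id": 1, "jsonrpc": "2.0", "method": "login",
        "params": {"login": FAKE_XMR, "pass": "x", "agent": "constructed-miner/1.0"}})),
    (1.0, "10.0.0.9", "198.51.100.20", 443, "GET / HTTP/1.1"),
    (2.0, "10.0.0.9", "198.51.100.21", 8545, json.dumps({  # JSON-RPC, but not mining
        "jsonrpc": "2.0", "id": 1, "method": "eth_blockNumber", "params": []})),
] + [
    (ts, "10.0.0.5", "203.0.113.7", 3333, json.dumps({
        "id": i + 2, "jsonrpc": "2.0", "method": "submit",
        "params": {"id": "sess1", "job_id": f"constructed-job-{i}",
                   "nonce": "deadbeef", "result": "00" * 32}}))
    for i, ts in enumerate((30.0, 61.0, 92.0))
]


def classify_payload(payload: str) -> List[str]:
    """Return the mining indicators found in one line of TCP payload, [] if none."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return []
    if not isinstance(msg, dict):
        return []
    found = []
    method = msg.get("method")
    if method in STRATUM_METHODS:
        found.append("method:" + method)
    if XMR_ADDRESS.search(json.dumps(msg.get("params", ""))):
        found.append("wallet:xmr")
    return found


def detect_mining_flows(records: List[Record], min_submits: int = 3) -> List[Dict]:
    """Group payloads per flow and alert on a Stratum handshake followed by
    repeated share submissions (or a handshake that exposes a wallet address)."""
    flows = defaultdict(list)
    for ts, src, dst, dport, payload in records:
        flows[(src, dst, dport)].append((ts, classify_payload(payload)))
    alerts = []
    for (src, dst, dport), events in flows.items():
        methods = [i[len("method:"):] for _, inds in events for i in inds if i.startswith("method:")]
        wallet_seen = any("wallet:xmr" in inds for _, inds in events)
        handshake = any(m in HANDSHAKE_METHODS for m in methods)
        submits = sum(m in SUBMIT_METHODS for m in methods)
        if handshake and (submits >= min_submits or wallet_seen):
            alerts.append({
                "src": src, "pool": f"{dst}:{dport}", "submits": submits,
                "wallet_seen": wallet_seen, "duration_s": events[-1][0] - events[0][0],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mining_flows(SAMPLE_RECORDS):
        print(alert)
```

Two design points worth noting. The HTTP and Ethereum JSON-RPC flows are deliberately present so that "speaks JSON-RPC" alone never fires; the alert needs the protocol's own vocabulary plus the behavioral pattern (handshake, then submissions over minutes). And the port is recorded but never used as a signal: pools run on many ports, and over TLS the payload check fails, at which point the long-lived, periodically chatty outbound connection itself is what has to be modeled.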

Security operations teams are in a bind, then, because for many the only way to spot mining software is to manually flag each instance they come across as malicious activity. But bad actors in this space are as prolific and inventive as those in every other vein of cybercrime, which makes it a real pain for SecOps to keep up.

This is where technologies like ExtraHop Reveal(x) come in. Because Reveal(x) security analytics provides internal visibility by analyzing your actual wire data, using machine learning to surface anomalous behavior on the network, you don't need to manually write signatures or sift through every alert.

Reveal(x) will notice any unusual behavior for you, and give your security team the anomaly context, a map of any affected assets and their dependencies, and a scope of the potential attack. That way you can quickly prioritize which attacks are putting your most critical assets at risk and send out the troops in time to stop further damage.

Long story short: improving internal visibility and automating as much of the investigation process as possible is the only way SecOps has any hope of keeping up with the flood of cyber attacks, from cryptomining software to the really bad stuff.

Agree, disagree? We'd love to hear your thoughts!
