Raja Babu A, K7 Computing

Malicious cryptomining has shown massive growth since the beginning of 2018 as the focus of cyber criminals has shifted from ransomware to cryptominer malware. After all, why reveal yourself by demanding a ransom when you could silently milk cryptocurrency without being discovered instead? Illegal mining of cryptocurrency on a victim’s device is far more profitable in the long run, especially since it can be done seamlessly and stealthily across devices and platforms, leveraging legitimate third-party software.

The bad guys use off-the-shelf cryptomining tools cloaked in custom wrappers. On Windows they utilize a plethora of modern infection vectors like the exploitation of the EternalBlue vulnerability, delivering the DoublePulsar payload. They employ fileless techniques based on WMI and Powershell, amongst others, and even infect the MBR to silently deliver cryptominer malware. Furthermore javascript hosted on infected webpages can also be used to cryptomine within the browser context, and thus easily function across devices and platforms. Millions of connected vulnerable IoT devices increase the potential to both host cryptominer malware, as well as to provide the computing resources that hungry cryptominers crave.

Cryptominer malware abuse a victim’s CPU, GPU, network bandwidth, power, etc. resulting in direct and indirect financial losses, and degraded user experience. Indeed, the brand value of vulnerable device vendors would also be affected. The fact that cryptomining malware are being found across platforms (Windows, Linux, Android, Mac) and devices (PCs, smartphones, IoT, etc.), poses many challenges in their analyses and the formulation of mechanisms to detect and prevent.

This paper presents a comprehensive study of malicious and unwanted cryptominers. Using a handful of select example families of cryptomining malware we provide in-depth analyses of their technical functionality, and explore their modus operandi, including infection vectors and indicators of compromise, on various target platforms. Finally, we suggest potential methods to counter cryptominers via generic detection and blocking.