Deep-Mining Without a License: How Malicious Cryptominers Dig Across Platforms and Devices

Raja Babu A, K7 Computing

Malicious cryptomining has shown massive growth since the beginning of 2018 as the focus of cyber criminals has shifted from ransomware to cryptominer malware. After all, why reveal yourself by demanding a ransom when you could silently milk cryptocurrency without being discovered instead? Illegal mining of cryptocurrency on a victim’s device is far more profitable in the long run, especially since it can be done seamlessly and stealthily across devices and platforms, leveraging legitimate third-party software.

The bad guys use off-the-shelf cryptomining tools cloaked in custom wrappers. On Windows they utilize a plethora of modern infection vectors like the exploitation of the EternalBlue vulnerability, delivering the DoublePulsar payload. They employ fileless techniques based on WMI and PowerShell, amongst others, and even infect the MBR to silently deliver cryptominer malware. Furthermore, JavaScript hosted on infected webpages can also be used to cryptomine within the browser context, and thus easily function across devices and platforms. Millions of connected vulnerable IoT devices increase the potential both to host cryptominer malware and to provide the computing resources that hungry cryptominers crave.

Cryptominer malware abuses a victim’s CPU, GPU, network bandwidth, power, etc., resulting in direct and indirect financial losses and a degraded user experience. Indeed, the brand value of vulnerable device vendors would also be affected. The fact that cryptomining malware is being found across platforms (Windows, Linux, Android, Mac) and devices (PCs, smartphones, IoT, etc.) poses many challenges in its analysis and in the formulation of mechanisms to detect and prevent it.

This paper presents a comprehensive study of malicious and unwanted cryptominers. Using a handful of select example families of cryptomining malware we provide in-depth analyses of their technical functionality, and explore their modus operandi, including infection vectors and indicators of compromise, on various target platforms. Finally, we suggest potential methods to counter cryptominers via generic detection and blocking.

Raja Babu Annamalai

Raja Babu holds a Master’s degree in Computer Applications from the University of Madras. Starting his career in 2008 as a malware analyst at Comodo, he then joined K7 Threat Control Lab as a Threat Researcher in 2010 and is currently working as Research Team Lead. His main responsibilities include detailed malware analysis, developing automated systems, and training new personnel for K7TCL. He has previously co-authored papers for AVAR 2013 and AVAR 2017. In his free time he likes to watch movies, cook and spend time with his family.

The Dynamic Security Ecosystem