A Primer on Cryptocurrency Mining Malware

Posted: 09/14/2018 - 20:58
In case you weren’t paying attention, the cryptocurrency market is hot, with more than 1,600 currencies and counting. That’s up from one (Bitcoin) a decade ago. Initial coin offerings (ICOs) raised more than $5 billion in 2017, and $6.3 billion in the first three months of 2018 alone.
Like other gold rushes, this one is also rife with uncertainty. Some 46 percent of last year’s ICOs have failed, and according to one study, that could be an underestimate. Then there’s this hidden risk: even without buying or selling, you could be participating in this market – and incurring costs – if you are unknowingly hosting crypto-mining malware.
Cryptocurrency and Mining 
To understand this kind of malware, you first need to know something about cryptocurrency. A cryptocurrency is an encrypted data sequence that represents monetary value; it is monitored and organized by a peer-to-peer network known as a blockchain, which also serves as a secure ledger of transactions. Mining is the process by which new units of these decentralized digital currencies are produced on the blockchain networks on which they operate.
In other words, mining creates a new “block,” which happens when you confirm the transactions occurring on the blockchain by solving very complex mathematical problems. To do that, you need a lot of computing power, not only because of the math, but also because thousands of other computing systems are trying to do the same thing, and the supply of new blocks is limited.
This need for tremendous computer processing is why cryptocurrency mining is associated with racks and stacks of servers in makeshift data-centers near cheap power sources, like East Wenatchee, Washington. But mining is also happening in “pools,” when processing power is shared over a network and miners split the reward according to one of many compensation schemes. 
That means if you have spare processing power and legitimate cryptocurrency mining software, you could opt into such a pool and become a fractional miner. That scenario is flipped, however, when someone else slips software into your computer without permission to harness your CPU for a mining pool you know nothing about. 
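To make the “complex mathematical problems” and the pooling idea concrete, here is an added toy proof-of-work miner (example code written for this primer, not from any real currency or mining tool). It searches for a nonce whose SHA-256 hash starts with a given number of hex zeros; the block header string and the per-worker nonce slices are constructed assumptions, and the difficulty levels are far below any real network’s.

```python
import hashlib
from itertools import count
from typing import Optional, Tuple

def block_hash(header: str, nonce: int) -> str:
    """SHA-256 of a candidate block header plus a nonce, as a hex string."""
    return hashlib.sha256(f"{header}:{nonce}".encode()).hexdigest()

def meets_target(digest: str, difficulty: int) -> bool:
    """The proof-of-work test: the hash must start with `difficulty` hex zeros.
    Each extra zero multiplies the expected number of hashes by 16."""
    return digest.startswith("0" * difficulty)

def mine(header: str, difficulty: int, start: int = 0,
         stop: Optional[int] = None) -> Optional[Tuple[int, str, int]]:
    """Try nonces in [start, stop) (unbounded if stop is None) until one meets
    the target. Returns (nonce, digest, attempts), or None if the range is used up."""
    nonces = count(start) if stop is None else range(start, stop)
    for attempts, nonce in enumerate(nonces, 1):
        digest = block_hash(header, nonce)
        if meets_target(digest, difficulty):
            return nonce, digest, attempts
    return None

def verify(header: str, nonce: int, difficulty: int) -> bool:
    """Checking a claimed solution costs one hash, however long mining took."""
    return meets_target(block_hash(header, nonce), difficulty)

def pool_mine(header: str, difficulty: int, workers: int,
              slice_size: int = 4096) -> Tuple[int, int, str]:
    """Pooled mining: the nonce space is handed out in slices, one per worker,
    so the pool searches at the sum of its members' rates. This is a sequential
    simulation; a real pool's workers (willing or hijacked) run in parallel.
    Returns (worker_id, nonce, digest) for the slice that yields the solution."""
    for round_no in count():
        for wid in range(workers):
            start = (round_no * workers + wid) * slice_size
            found = mine(header, difficulty, start, start + slice_size)
            if found is not None:
                nonce, digest, _ = found
                return wid, nonce, digest
    raise AssertionError("unreachable: count() never ends")

if __name__ == "__main__":
    HEADER = "constructed-header:prev=0000abcd:txs=3"  # sample input, not a real block
    for d in (1, 2, 3, 4):  # watch the attempt count grow roughly 16x per step
        nonce, digest, attempts = mine(HEADER, d)
        print(f"difficulty {d}: nonce={nonce} attempts={attempts} hash={digest[:12]}...")
    wid, nonce, digest = pool_mine(HEADER, 4, workers=8)
    print(f"pool of 8: worker {wid} found nonce {nonce}, verify={verify(HEADER, nonce, 4)}")
```

The attempt counts illustrate why mining eats CPU: every additional hex zero in the target makes the search about sixteen times longer, while verifying a found nonce stays a single hash, which is exactly why stolen CPU time across many hijacked machines is valuable to a pool.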
Cryptojacking and Monero 
The secret use of your computer and CPUs to mine cryptocurrencies is also known as cryptojacking. If news coverage is a good indicator, it appears to be gaining momentum. 
One recent article describes how hackers compromised a software supply chain, bundling code to mine the cryptocurrency Monero into the font package of a PDF editor application. Another article on current hacker trends in ERP software pointed to a report from Onapsis and Digital Shadows describing an incident from last year, when hackers used Oracle’s WebLogic Java application server as a conduit for mining Monero.
As it happens, when researchers at the NTT Security Global Threat Intelligence Center (GTIC), a sister organization, began analyzing several dozen cryptocurrency mining operations in August 2017, they also focused on malware that had been written to mine Monero. One possible explanation for its popularity as a target? Monero has a reputation for offering a high degree of anonymity, which says something in the cryptocurrency market.
Among other GTIC findings: phishing emails are a primary means for exploiting a system to mine XMR; and legitimate coin mining services, such as Coinhive, are being abused and injected into mobile games and websites. For more, read the full report, “Monero Mining Malware: Hunting Down the Miners.” 
Why worry? What to do? 
Like any resource-hogging application, cryptocurrency mining malware can impact a computer’s performance. What’s worse is that you or your organization are paying for the unnecessary compute cycles that are making you less productive, with added expense if you’re using pay-per-use resources such as (X)aaS and cloud services.
The environmental impact of crypto mining is another concern. More obvious in a consolidated mining operation than as part of a distributed pool, the energy consumption of cryptocurrencies across all their operations is massive. According to one cryptocurrency energy analyst, the Bitcoin network alone could, by the end of 2018, be drawing as much as 7.7 gigawatts, or half of 1 percent of the world’s total energy consumption.  
Crypto-mining malware also represents a red flag. If it’s on your computers or network, you can probably blame vulnerabilities or gaps in your security framework. That means the best defense is likely found in minding the basics, including the following, shared by our colleagues at NTT Security:
  • Educate your employees (see phishing, above)
  • Conduct regular risk assessments
  • Adopt a multi-layer, defense-in-depth approach
  • Regularly update your systems and devices
  • Deploy intrusion detection and prevention systems
  • Proactively monitor network traffic
  • Secure mobile devices
  • Consider application whitelisting
And if you lack internal resources to manage all aspects of your organization’s cybersecurity needs, consider outsourcing. Detecting cryptocurrency malware is only one aspect of ensuring the security of your internal IT processes, the software supply chain and your entire organization. 

About The Author

Brandon Curry has worked as an expert in the information technology industry for more than 25 years. During this time, he has held a variety of roles ranging from sales and post-sales account management to operations and solution architecture, on both the IT and network sides of the information communications technology (ICT) business.

Curry brings a unique, out-of-the-box perspective to problem solving, technology strategies and customer solutions. He joined NTT America in 2015 after working for T-Systems North America in several capacities, including Head of Sales and Service Management. In his current role, Curry is NTT America’s Vice President of Solutions, Product and Service Management, leading the end-to-end pre-sales, product management, post-sales governance and account management functions.

Curry is a strong believer in continuous learning, and is a thought leader on new technologies and market trends. He holds an Associate of Science degree in pre-medicine from the University of Kentucky, an MBA from Northwestern University’s Kellogg School of Management, and an MS in security from Carnegie Mellon University. He has earned many advanced level certifications such as CCIE, CISSP and is a Certified Ethical Hacker. In addition, Mr. Curry is a member of the (ISC)2 national and Chicago chapters, as well as the Global IT Architects Association.
Twitter: @nttcom