The bubbly is unmistakably all around as experts and security-industry players take stock of new crypto-threats and malware attacks gaining steam and ground. Count the bottles of champagne popped and you would know.
Get up and brush the dust away from last year’s attacks. If 2018 was abuzz with cryptocurrency wallets, Salty Spider malware trapping cryptocurrency users (especially Electrum BTC wallets), BTC ransomware payment demands and crypto-jacking, 2019 is showing starker and stronger intersections between the orbits of cyber threats and cryptocurrency. As always, the devil lurks in the fine print. But let us skim through the bigger fonts first. They will get us through the hoops faster. Strap yourself in for words like mineware, SpeakUp, CryptoLoot and 4.23 per cent. Ready?
Mining just got high-brow
Mineware is a monster that is feeding itself. And it is eating sandwiches now. CrowdStrike’s Global Threat Report 2019 notes that ransomware operators adjusted their per-machine decryption prices in line with the value of BTC around November 2018. But 2018 was just as much, if not more, about mineware. The security major notes that the binary quality of this tool, used predominantly for Monero mining, often indicates the presence of other, bigger network security issues. Mineware’s delivery has been seen combined with supply chain attacks, mobile malware, vulnerabilities around Drupal and Domain Generation Algorithms (DGAs).
That means it needs serious attention. Thankfully, the prevention response has also been interesting, multi-pronged and pouring in from unexpected directions. Many mineware-related domains have been given the cold shoulder by web browser ad blockers, Coinhive’s new API, Apple’s iOS as well as Google Chrome Extensions. Approaches like the WMI event subscription technique for persistence have also been emerging in the tussle with mineware. However, the best mitigation came in the form of financial motivation fizzling out, as once-exponential market-value graphs turned downward.
Let’s inch further into the year and turn to Check Point’s Global Threat Index for January 2019. Crypto-mining still reigns over the top four shelves in the malware aisle. A new backdoor Trojan affecting Linux servers is on the prowl and distributing the XMRig crypto-miner. This malware, a.k.a. SpeakUp, seems to have the brawn and the brain to deliver any payload and execute it on compromised machines. Its vulnerability of choice: Command Injection over HyperText Transfer Protocol (HTTP). So far, apparently, it evades all major anti-virus products.
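Since the article names command injection over HTTP as SpeakUp’s way in, here is what that vulnerability class looks like from the defender’s side: a web handler that splices a request parameter into a shell command, beside the hardened form that validates the parameter against an allow-list and never hands it to a shell. This is an added example written for this piece, not SpeakUp’s exploit or code from Check Point or any product; the “ping a host” diagnostic endpoint and its `host` parameter are constructed for illustration.

```python
"""Command injection over HTTP: a vulnerable handler and its hardened form.

Added example for this article. It illustrates the vulnerability class named in
the SpeakUp paragraph, not SpeakUp's own exploit or any real product. The
"ping a host" diagnostic endpoint and its `host` parameter are constructed.
"""
import re
import subprocess

# Allow-list for a DNS hostname (or dotted IPv4): alphanumerics, hyphens inside
# labels, dots between labels, 253 characters overall. Anything a shell could
# interpret (; | & $ ` space, quotes, newlines) cannot match this pattern.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_command_vulnerable(host):
    """The command line a naive handler would hand to the shell (shell=True).

    Returned as a string so the reader can see the problem without anything
    being executed: whatever the client sent, shell metacharacters included,
    becomes part of the command the server runs.
    """
    return f"ping -c 1 {host}"


def is_valid_hostname(host):
    """Strict allow-list check; rejects rather than tries to 'escape' input."""
    return bool(HOSTNAME_RE.match(host))


def build_command_hardened(host):
    """Validate the parameter, then pass it as a single argv element.

    No shell is involved, so separators and substitutions have no meaning, and
    the leading '--' stops the value being read as an option even if the
    allow-list were ever loosened. Raises ValueError on rejected input.
    """
    if not is_valid_hostname(host):
        raise ValueError("rejected host parameter")
    return ["ping", "-c", "1", "--", host]


def run_ping_hardened(host, timeout=5):
    """Run the validated command with shell=False; exceptions propagate to the
    caller, which should turn them into a generic HTTP 400 rather than echo the
    offending input back."""
    argv = build_command_hardened(host)
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    # Constructed request values: one benign, one carrying a shell separator.
    for value in ("example.com", "example.com; echo injected"):
        print("shell=True would run:", repr(build_command_vulnerable(value)))
        try:
            print("hardened argv:", build_command_hardened(value))
        except ValueError as exc:
            print("hardened handler:", exc)
```

The point for detection and response is that the hardened path fails closed: a rejected parameter produces a log line and an error, never a process. Treat any web-server child process spawning `sh -c` with request-derived strings as a finding worth chasing, whatever the miner that eventually lands.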
At the same time, Coinhive is still impacting 12 per cent of organisations, and XMRig (an Open-source CPU mining software used for Monero mining) commands a global impact of eight per cent. The Cryptoloot miner is also affecting six per cent of organizations globally – as per January’s count.
What’s worrisome now is the hairball effect of these malware types, which can be trickier and more tremendous than the original malware’s greed itself. Backdoor malware like SpeakUp is evasion-savvy to a new level and can silently spread more dangerous malware to compromised machines. The fear is exacerbated by the new malware’s playground of Linux: its extensive use in enterprise servers is pegged to spur the scale and severity of this malware throughout the year, as experts now warn.
Another undercurrent to note here is the way new rivals are bobbing about. Look at the way they are trying to usurp the top tables. Take Cryptoloot, which eyes a victim’s CPU or GPU power and existing resources but skims a smaller percentage of revenue from websites.
Poor Monero? Rich Monero?
Speaking of loot, did you know that 4.23 per cent of all Monero (XMR) could have been mined by crypto-mining malware since 2007? Yes, that is what jumps out of research by Guillermo Suarez-Tangil (King’s College London) and Sergio Pastrana (Universidad Carlos III de Madrid). About 2,218 malware campaigns took place, raking in 720,000 XMR. That works out to about $57 million, by some calculations.
But if we comb through more minutely, this gumshoe work by the two researchers has also revealed that sly miners are tapping tricks like idle mining, or playing dead when a monitoring tool (like Task Manager) is afoot. Criminals are also leaning towards specific mining pools like crypto-pool, dwarfpool etc. They resort to CNAME domain aliases (x.alibuf.com and xmrf.fjhan.club) to evade mitigation. Shopping for botnets, packers, bullet-proof hosting servers and crypters in underground markets also corresponds with illicit mining activity.
Interestingly, and evidently, the most profitable mining campaigns do not necessarily have a large infrastructure, but they do wield a lot of these obfuscation tricks. They also have patience. Most multi-million campaigns have been running for as long as five years. They are also sturdy against take-downs because they use several pools at once.
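Two of the researchers’ observations above, CNAME aliases standing in front of pool domains and campaigns spreading themselves over several pools, translate directly into a resolver-log check. The added example below (written for this article; not the researchers’ tooling) parses a constructed DNS log, follows each queried name through its CNAME chain, and flags lookups whose chain lands on a mining-pool domain, then lists clients that reached more than one pool. The alias names x.alibuf.com and xmrf.fjhan.club and the pool names dwarfpool and crypto-pool come from the article; the log format, the CNAME targets and the client addresses are constructed, and the two pool suffixes are assumed domains for those pools, a seed for a blocklist rather than a complete one.

```python
"""Flag DNS lookups whose CNAME chain ends at a known mining pool.

Added example for this article, not code from the cited researchers. The log
format, CNAME targets and client addresses below are constructed; the alias
names and pool names are the ones the article mentions.
"""
import re
from collections import defaultdict

# Assumed domains for the pools the article names. Treat as a starting point
# for a blocklist, not an exhaustive one.
POOL_SUFFIXES = ("dwarfpool.com", "crypto-pool.fr")

# Constructed resolver log, one record per line:
#   <timestamp> <client> QUERY <name>
#   <timestamp> <client> CNAME <alias> <canonical-name>
#   <timestamp> <client> A     <name>  <address>
SAMPLE_LOG = """\
2019-01-15T09:00:01 10.0.0.5 QUERY x.alibuf.com
2019-01-15T09:00:01 10.0.0.5 CNAME x.alibuf.com eu.dwarfpool.com
2019-01-15T09:00:01 10.0.0.5 A eu.dwarfpool.com 203.0.113.10
2019-01-15T09:00:07 10.0.0.5 QUERY xmrf.fjhan.club
2019-01-15T09:00:07 10.0.0.5 CNAME xmrf.fjhan.club mine.crypto-pool.fr
2019-01-15T09:00:07 10.0.0.5 A mine.crypto-pool.fr 203.0.113.20
2019-01-15T09:01:00 10.0.0.9 QUERY www.example.com
2019-01-15T09:01:00 10.0.0.9 CNAME www.example.com cdn.example.net
2019-01-15T09:01:00 10.0.0.9 A cdn.example.net 203.0.113.30
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (QUERY|CNAME|A) (\S+)(?: (\S+))?$")


def parse_log(text):
    """Return (queries, cname_map): the names clients asked for, and the
    alias -> canonical-name edges seen in answers."""
    queries = []
    cname = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, rtype, name, target = m.groups()
        name = name.lower().rstrip(".")
        if rtype == "QUERY":
            queries.append((client, name))
        elif rtype == "CNAME" and target:
            cname[name] = target.lower().rstrip(".")
    return queries, cname


def resolve_chain(name, cname, max_hops=8):
    """Follow CNAME edges from name; stop on a loop or after max_hops."""
    chain = [name]
    while name in cname and len(chain) <= max_hops:
        name = cname[name]
        if name in chain:
            break  # loop guard: a malicious or broken zone must not hang us
        chain.append(name)
    return chain


def matches_pool(name):
    """Return the matching pool suffix, or None. Suffix match honours label
    boundaries so 'notdwarfpool.com' does not match 'dwarfpool.com'."""
    for suffix in POOL_SUFFIXES:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


def find_pool_lookups(text):
    """One hit per client query whose CNAME chain touches a pool domain.
    The queried alias itself need not look suspicious; the chain does."""
    queries, cname = parse_log(text)
    hits = []
    for client, name in queries:
        chain = resolve_chain(name, cname)
        for hop in chain:
            pool = matches_pool(hop)
            if pool:
                hits.append({"client": client, "queried": name,
                             "chain": chain, "pool": pool})
                break
    return hits


def clients_using_multiple_pools(hits):
    """Clients that reached two or more distinct pools: the multi-pool pattern
    the researchers tie to take-down-resistant campaigns."""
    pools_by_client = defaultdict(set)
    for h in hits:
        pools_by_client[h["client"]].add(h["pool"])
    return {c: sorted(p) for c, p in pools_by_client.items() if len(p) > 1}


if __name__ == "__main__":
    found = find_pool_lookups(SAMPLE_LOG)
    for h in found:
        print(f"{h['client']} asked for {h['queried']} -> "
              f"{' -> '.join(h['chain'])} [{h['pool']}]")
    print("multi-pool clients:", clients_using_multiple_pools(found))
```

A blocklist applied only to the name the client typed would miss both aliases in the sample, which is the evasion the researchers describe; applying it to every hop of the resolved chain catches them. Feed the same function a week of resolver logs and the multi-pool grouping is a cheap first cut at separating a campaign host from a one-off browser-based miner.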
The vulnerability tends to compound when non-updated miners keep running on infected systems because their operators could not afford to keep up with the hardware/software changes that an algorithm change aimed at ASIC mining brings about. Sergio Pastrana Portillo hands us a magnifying glass and explains the pickle in detail to Coinatory. “During our research, we have observed that algorithm updates considerably affected the various campaigns, as many wallets stopped mining since then. We believe this is due to the cost of maintaining bot-nets: each update requires miners to update their software, which is costly if you have to manage hundreds/thousands of machines (from an operational point of view) or if you have to purchase more installs in case of Pay-Per-Install (PPI) services (from an economic point of view).” The team asserts that the study identified various campaigns making use of such PPI services.
There are, of course, reasons beyond these algorithm switches that are abetting malicious mining. The researchers contend that ‘crypto mining malware has not been given enough attention by the industry and the research community and novel countermeasures are required’.
Indeed. A valid question.
If you ask Portillo, his guess is that this has something to do with mining malware not having the same impact on anti-virus vendors’ clients as other malware such as ransomware or banking trojans. “Maybe the cost of maintaining signatures for all the potential crypto-mining malware is higher than the economic impact on their clients (which is nothing but a few increments in the electricity bill),” he quips.
What is also interesting here is the plastic that is peeling off from Monero. Is Monero suffering because of its strengths of being private, anonymous and easier-to-mine?
In the reckoning of Portillo, Monero does have three key properties that have attracted criminals. “One, it is anonymous, i.e. transactions cannot be traced back to the wallets. Two, it is anti-ASIC, which discourages mining with specialised hardware as in the case of BTC. This means that mining with conventional computers (CPU and GPU) becomes profitable since it does not depend on the hardware but on the hash rate (amount of hashes/second computed). Thus, the more computers (bots) mining, the more chances to get rewards.”
Then there is the financial carrot. “It became quite popular (and thus its market value increased up to nearly $500 by the end of 2017). Among other reasons, this was because it was accepted as a payment method in the (by then) most prominent DarkWeb marketplaces (now down).” He slices the carrot further.
Got it. So, how can the beast be tamed if pools do not ban illicit wallets? What if algorithm make-overs and private currencies are bringing a cobra effect for illicit miners? Why is the community not asking for more transparency from nodes that act as pools?
While the bubbles settle down in a glass somewhere, bitter pills like these revelations and questions could work as that it-will-make-you-stronger poison. Swallow on.