Before we get into the details of “Cryptocurrency Mining Malware”, we need to understand first what cryptocurrency is and what miners are.
What is Cryptocurrency?
Cryptocurrency is best thought of as digital currency that exists only on computers. It is transferred between peers (there is no middleman like a bank). Transactions are then recorded on a digital public ledger called the “blockchain”.
Transaction data and the ledger are encrypted using cryptography (which is why it is called “crypto” “currency”).
Cryptocurrency Main Features
Let’s dig into how cryptocurrency works.
Decentralized and Distributed
Cryptocurrencies are decentralized and distributed. No single entity can change a transaction, because the blockchain is stored on multiple independent computers and the algorithms ensure that the records are not tampered with.
When a cryptocurrency transaction is made, that transaction is then distributed to all users hosting a copy of the blockchain.
Cryptocurrency Miners
Specific types of users, called miners, try to solve a cryptographic puzzle (using software). Solving it lets them add a “block” of transactions to the ledger; these blocks are added sequentially by miners.
Whoever solves the puzzle first gets a few “newly mined” coins as a reward. They also get transaction fees paid by those who created the transactions.
Sometimes, miners pool their computing power and share the newly mined coins. The algorithm relies on consensus: if the majority of users trying to solve the puzzle submit the same transaction data, that confirms the transactions are correct. Further, the security of the blockchain relies on cryptography.
People who are running software and hardware aimed at confirming transactions to the digital ledger are called cryptocurrency miners.
Solving cryptographic puzzles (via software) to add transactions to the ledger (the blockchain) in hopes of getting coins as a reward is called cryptocurrency mining.
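As an added illustration (not part of the original article), the following toy shows the puzzle described above: a miner varies a nonce until the SHA-256 hash of the block header falls below a difficulty target, each block commits to its predecessor's hash, and tampering with an earlier transaction breaks verification. The difficulty, the block layout and the transaction strings are constructed for the demo; real networks use far harder targets and a peer-to-peer consensus protocol.

```python
import hashlib
import json
from dataclasses import dataclass

DIFFICULTY_BITS = 16  # constructed toy target: 16 leading zero bits (~65k hashes per block)

@dataclass
class Block:
    index: int
    prev_hash: str          # hash of the previous block; this is what links the chain
    transactions: list      # constructed toy payload, plain strings
    nonce: int = 0          # the only field a miner is free to vary

    def header(self) -> bytes:
        # Canonical serialization so every peer hashes identical bytes.
        return json.dumps([self.index, self.prev_hash, self.transactions, self.nonce],
                          separators=(",", ":")).encode()

    def hash(self) -> str:
        return hashlib.sha256(self.header()).hexdigest()

def meets_target(digest_hex: str, bits: int = DIFFICULTY_BITS) -> bool:
    # Read the digest as a 256-bit integer; it must fall below 2**(256 - bits).
    return int(digest_hex, 16) < (1 << (256 - bits))

def mine(block: Block, bits: int = DIFFICULTY_BITS) -> Block:
    # Brute force: each attempt costs one hash, which is the "work" in proof of work.
    while not meets_target(block.hash(), bits):
        block.nonce += 1
    return block

def verify_chain(chain: list, bits: int = DIFFICULTY_BITS) -> bool:
    # Every block must commit to its predecessor's hash and satisfy the target, so
    # altering any past transaction invalidates that block and every block after it.
    for i, blk in enumerate(chain):
        expected_prev = chain[i - 1].hash() if i else "0" * 64
        if blk.prev_hash != expected_prev or not meets_target(blk.hash(), bits):
            return False
    return True

def build_demo_chain() -> list:
    # Two mined blocks: the first miner's reward is spent in the second block.
    genesis = mine(Block(0, "0" * 64, ["coinbase -> miner_a 50"]))
    second = mine(Block(1, genesis.hash(), ["miner_a -> bob 5", "coinbase -> miner_b 50"]))
    return [genesis, second]
```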
Is Cryptocurrency a Game Changer?
Some politicians want us to live in a permission-based society, where you need to go to the government and ask for its blessing before you can even think about innovating. Those are the politicians who would rather kill it before it grows. However, others believe in the vibrancy of ingenuity and innovation.
Some believe that cryptocurrency is part of the future. According to Patrick McHenry, U.S. Representative for North Carolina’s 10th congressional district:
“The reality is, change is here. Digital currencies exist. Blockchain technology is real. The world that Satoshi Nakamoto, author of the Bitcoin whitepaper, envisioned (and others are building), is an unstoppable force.”
Others don’t believe that cryptocurrency is a feasible option. Donald Trump, U.S. President (@realDonaldTrump), tweeted about cryptocurrencies:
I am not a fan of Bitcoin and other Cryptocurrencies, which are not money, and whose value is highly volatile and based on thin air. Unregulated Crypto Assets can facilitate unlawful behavior, including drug trade and other illegal activity….
— Donald J. Trump (@realDonaldTrump) July 12, 2019
Now that we have a basic understanding of cryptocurrencies, cryptomining, and how disruptive cryptocurrencies are, let’s dive into the nitty gritty of Cryptocurrency Mining Malware.
What is Cryptocurrency Mining Malware
Cryptocurrency mining malware is typically a very stealthy malware that farms the resources on a system (computers, smartphones, and other electronic devices connected to the internet) to generate revenue for the cyber criminals controlling it.
This type of malware mines cryptocurrencies on your system, using your resources in a way you wouldn’t notice.
Browser-based Cryptocurrency Mining
Cyber criminals have turned to browser-based cryptocurrency mining to help them generate revenue from mining.
Browser-based cryptocurrency mining has been in use since 2011, but only recently has it become a widespread issue. It happened due to the explosive growth in cryptocurrency as well as the launch in 2017 of new browser-based cryptocurrency mining services like CoinHive and Crypto-Loot.
Binary Server-level Cryptominer
Unlike the browser-based JavaScript cryptominers that have been injected into a web page, a binary server-level cryptominer abuses server resources without affecting the computers or mobile devices of website visitors. Servers are usually more powerful than user devices so they can mine coins faster.
These miners secretly use the processing power of infected systems to mine cryptocurrency, which is sent to the cyber criminal’s wallet. The more systems that are infected, the more illicit profit the cyber criminals can make.
Cryptocurrency Mining Software
There is a plethora of cryptocurrency mining software out there; one of the most popular was Coinhive.
Coinhive was a software service that packaged all the tools a website owner needed to run a stealthy mining script on their site. It made visitors mine cryptocurrency while viewing the site, in most cases without any indication to the visitor. When this software is used to mine cryptocurrency with the website host’s or the visitor’s system resources without their consent, it is considered another form of cryptocurrency mining malware.
Note: Coinhive was shut down in March 2019 and is no longer available.
The Price of Cryptocurrencies and Malware Infections
As the price of Monero (the cryptocurrency most commonly mined by JavaScript miners) and other cryptocurrencies rose, Sucuri saw an influx of cyber criminals looking for opportunities to monetize their growing popularity.
The price of Monero went up in 2017 and hit its peak in December. In that year alone, our research team identified over 7,000 websites compromised by bad actors to mine cryptocurrencies.
Then the price of the cryptocurrency decreased significantly, which is one of the reasons this type of malware is no longer as popular.
What’s the Difference Between Cryptocurrency Mining Software and Malware?
After Coinhive launched its first mining service, it allowed website owners to install coin miners using a simple snippet of JavaScript. The code worked in the background of website visitors’ browsers, utilizing any excess CPU power.
These cryptominers served as an alternative monetization method, but hackers almost immediately abused the code, installing it on compromised websites.
The malware used in these cryptominer infections is cleverly modified to make it more difficult for webmasters to identify and clean up. Attacks often pull payloads from a remote server, making it easy for attackers to rapidly modify the injected content on compromised websites.
What are Some Cryptocurrency Mining Malware Infection Methods?
Just like any malicious software, cryptocurrency mining malware can come in many forms. It can infect a user’s device through several means, such as clicking a malicious link, visiting a compromised website, downloading an infected application, downloading a malicious file, or installing an infected web browser extension. Some variants also spread to other systems on the same network.
Basically, the cryptominers differ only in the way they affect website visitors. From the webmaster’s point of view, they are no different from any other malware, so all generic prevention and cleanup techniques apply.
In-browser cryptomining malware has been on the decline for the last year. Right now, we aren’t seeing significant new infections. However, there are still some ongoing server-side binary cryptominers in the wild.
How Do You Prevent a System or Website From Being Infected by Cryptocurrency Mining Malware?
It’s important to be proactive and take steps to help reduce the risk of infection. While no one can promise that the risk will ever be zero, there are many things you can do to protect your system and/or your website.
Monitor your Website
Prevention basically comes in the form of “constant monitoring”. If your system or website starts to feel sluggish or slow, it is possible that one or both is infected. Take a quick look at your system’s resource usage as you navigate through your website.
Check whether your CPU usage is high when browsing the site you are monitoring. This test is only valid if no other sites are open, as they could contribute to the CPU usage too.
It’s important to run a virus scan on your system. Most antivirus software out there is pretty good at detecting these types of malware.
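Watching CPU usage is a manual check. A complementary, added example (not from the original article or Sucuri's tooling) is to inspect the page's HTML for the script injections described earlier: script tags that reference the mining services named above, and external scripts loaded from hosts the site owner never approved. The indicator list, the allowlist and the sample page are constructed; the miner host URL is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed indicators: the services named in the article (case-insensitive substrings).
MINER_MARKERS = ("coinhive", "crypto-loot", "cryptoloot")

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser already lowercases tag names
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())

def script_host(src: str) -> str:
    # Only absolute or protocol-relative URLs name a host; anything else is same-origin.
    return (urlparse(src).hostname or "").lower() if src.startswith(("http://", "https://", "//")) else ""

def scan_html(html: str, allowed_hosts: set) -> list:
    # Returns (reason, evidence) pairs; an empty list means nothing was flagged.
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        if any(m in src.lower() for m in MINER_MARKERS):
            findings.append(("known mining service", src))
        elif script_host(src) and script_host(src) not in allowed_hosts:
            findings.append(("script from unapproved host", src))
    for body in parser.inline:
        if any(m in body.lower() for m in MINER_MARKERS):
            findings.append(("known mining service (inline)", body[:60]))
    return findings

# Constructed sample: a self-hosted script, an approved CDN, an injected loader (placeholder host) and its inline start call.
SAMPLE_HTML = ('<script src="/assets/app.js"></script>'
               '<script src="https://cdn.example.com/jquery.min.js"></script>'
               '<script src="https://miner-host.example/lib/coinhive.min.js"></script>'
               "<script>new Miner('coinhive', 'SITE_KEY_PLACEHOLDER').start();</script>")
```

Run it against a saved copy of each page on the site; with an allowlist of the hosts you actually use, the first hit on either rule is the injection to investigate.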
We have written an article to explain how to detect and remove cryptocurrency mining malware from your web host server.
Our incident response team addresses all types of website infections. There is no required installation or application changes. The team adds and configures all sites via the Sucuri dashboard. To enable the server-side scanning, a PHP agent is required at the root of the main domain.