Sophisticated Cryptojacking Mining Attacks on the Rise

While the presence of cryptocurrencies that don't rely on specialized hardware is great for the decentralization of blockchain networks, it also gives bad actors an incentive to commandeer other people's hardware and mine GPU- or CPU-minable coins on their behalf, a practice known as cryptojacking.

The Bitcoin mining industry is currently driven by specialized, costly ASIC hardware that is slowly pushing smaller-scale miners and hobbyists out of the market, but it remains possible to turn a profit by mining GPU- or CPU-friendly cryptocurrencies, some of which offer higher mining margins than Bitcoin and Ethereum.

There are now many preventative measures that stop unsuspecting web users from unwittingly donating CPU cycles to cryptojackers: simple browser extensions block known in-browser mining scripts, and the major security suites integrate anti-cryptojacking countermeasures.

The wider availability of these countermeasures, however, has pushed cryptojackers to develop new attack vectors in order to keep generating cryptocurrency for free. In Q1 2019, we've observed a number of novel ways in which cryptojackers are targeting, and gaining access to, the hardware of unsuspecting users.

Windows App Store Seeded With Cryptojacking Apps

In February 2019, Microsoft removed eight Windows 10 applications from the official Microsoft Store after a Symantec analysis revealed that they were engaged in cryptojacking.

Announced by Symantec Threat Intelligence on February 15, the removed apps were identified as surreptitious CPU miners that used Windows 10 users' hardware to mine Monero, one of the most popular ASIC-resistant, CPU-friendly cryptocurrencies.

The architecture of these apps marks a step up in complexity from traditional cryptojacking: the apps shipped with no mining code of their own. Once installed, each app triggered Google Tag Manager on the developers' domain servers, which in turn fetched a JavaScript mining library, so the payload could be changed server-side without pushing an update through store review. The mining script then ran, consuming most of the user's CPU to mine Monero.

Chinese Mining Malware Targets Linux Servers

Cybersecurity firm Intezer has identified a sophisticated group of cyber-criminals, purportedly operating from China, that breaks into Linux servers in order to install mining malware.

Intezer's report covers the Antd miner, first observed on September 18, 2018 and run largely from compromised third-party Linux servers. The threat actors, which Intezer labels the "Pacha Group," brute-force WordPress and phpMyAdmin logins and then use that foothold to gain access to the underlying server.

Antd is a variant of XMRig that speaks the Stratum mining protocol to its pool. Because it installs a systemd service whose name mimics the legitimate mandb service, investigators are unlikely to spot it unless they go looking for it specifically.
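The persistence trick above (a miner registered as a systemd unit named after a legitimate service) is easy to hunt for once you know to look. The script below is an added example and not code from the Intezer report or from Antd itself. It assumes unit files live in a directory you point it at, and flags a unit when its ExecStart binary sits in a world-writable or hidden path, or when its command line carries Stratum pool or XMRig-style arguments. The three sample unit files are constructed here so the script runs offline; the pool hostname and wallet string in them are placeholders.

```shell
#!/bin/sh
# Added example: hunt for cryptominer persistence disguised as a systemd service.
# Not from the Intezer report. Assumptions: unit files are in UNIT_DIR; a unit is
# suspicious if its ExecStart binary lives in a writable/hidden path or its
# command line carries stratum pool / XMRig-style arguments.

# flag_suspicious_units DIR -> prints "unit<TAB>reason" for each flagged unit
flag_suspicious_units() {
  dir="$1"
  for unit in "$dir"/*.service; do
    [ -f "$unit" ] || continue
    name=$(basename "$unit")
    # First ExecStart= line, with systemd's prefix characters (- @ + ! :) stripped
    exec_line=$(sed -n 's/^ExecStart=//p' "$unit" | head -n 1 | sed 's/^[-@+!:]*//')
    bin=${exec_line%% *}
    reason=""
    case "$bin" in
      /tmp/*|/var/tmp/*|/dev/shm/*|/root/*|/home/*|*/.*)
        reason="binary in writable or hidden path ($bin)" ;;
    esac
    case "$exec_line" in
      *stratum+tcp://*|*stratum+ssl://*|*--donate-level*)
        reason="${reason:+$reason; }stratum/XMRig-style arguments" ;;
    esac
    if [ -n "$reason" ]; then
      printf '%s\t%s\n' "$name" "$reason"
    fi
  done
  return 0
}

# Constructed sample units: one disguised miner plus two legitimate services.
UNIT_DIR=$(mktemp -d)
cat > "$UNIT_DIR/mandb.service" <<'EOF'
[Unit]
Description=Daily man-db regeneration
[Service]
ExecStart=/tmp/.X11-unix/antd -o stratum+tcp://pool.invalid:3333 -u 4WALLETPLACEHOLDER --donate-level 1
Restart=always
[Install]
WantedBy=multi-user.target
EOF
cat > "$UNIT_DIR/sshd.service" <<'EOF'
[Unit]
Description=OpenBSD Secure Shell server
[Service]
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
[Install]
WantedBy=multi-user.target
EOF
cat > "$UNIT_DIR/man-db.service" <<'EOF'
[Unit]
Description=Daily man-db regeneration
[Service]
Type=oneshot
ExecStart=!/usr/bin/mandb --quiet
EOF

flag_suspicious_units "$UNIT_DIR"
```

On a live host, set UNIT_DIR to /etc/systemd/system (and /run/systemd/system, which attackers favour because it is tmpfs) and compare the result against the unit files your package manager owns; a look-alike name such as mandb.service next to the real man-db.service is exactly what this heuristic is meant to surface.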

Docker Hosts Exploited by Monero Cryptojackers

Docker is a widely used operating-system-level virtualization (containerization) platform, deployed across a broad range of enterprises and production hosts to build and run applications inside containers. Research published by Imperva in early March shows that a newly disclosed vulnerability, when combined with a Docker remote API exposed to the internet, can lead to full compromise of the host.

Imperva's report found that hundreds of exposed Docker hosts had already been taken over to run Monero mining operations, turning large-scale enterprise infrastructure into a source of profit for the attackers.
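The precondition in both findings above is a Docker daemon whose remote API is reachable without authentication. The script below is an added example, not part of Imperva's report or of Docker, that audits a host's own daemon configuration for that exposure. It assumes the TCP listener is configured either in daemon.json ("hosts") or on the dockerd command line (-H), and treats any tcp:// listener without Docker's documented mutual-TLS protection (--tlsverify plus CA, cert and key) as exposed. The two daemon.json files are constructed here so the check runs offline.

```shell
#!/bin/sh
# Added example (not from Imperva's report): audit a Docker host's daemon
# configuration for an unauthenticated remote API, the exposure the miners
# abused. Docker's documented protection for a TCP listener is mutual TLS
# (--tlsverify with tlscacert/tlscert/tlskey); a tcp:// host without it is
# reported as exposed. Assumption: the listener is configured in daemon.json
# ("hosts") or on the dockerd command line (-H); both are checked.

# docker_api_exposed DAEMON_JSON [DOCKERD_CMDLINE] -> exit 0 if exposed, 1 otherwise
docker_api_exposed() {
  json="$1"
  cmdline="${2:-}"
  tcp=0
  tls=0
  if [ -f "$json" ]; then
    grep -q 'tcp://' "$json" && tcp=1
    grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true' "$json" && tls=1
  fi
  case "$cmdline" in *tcp://*) tcp=1 ;; esac
  case "$cmdline" in *--tlsverify*) tls=1 ;; esac
  if [ "$tcp" -eq 1 ] && [ "$tls" -eq 0 ]; then
    return 0
  fi
  return 1
}

WORK=$(mktemp -d)
WEAK_JSON="$WORK/daemon-weak.json"
HARDENED_JSON="$WORK/daemon-hardened.json"

# Constructed weak config: API on the default plaintext port 2375, no auth at all.
cat > "$WEAK_JSON" <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
EOF

# Constructed hardened config: TLS port 2376 with client-certificate verification.
cat > "$HARDENED_JSON" <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
EOF

for f in "$WEAK_JSON" "$HARDENED_JSON"; do
  if docker_api_exposed "$f"; then
    echo "EXPOSED: $f"
  else
    echo "ok:      $f"
  fi
done
```

To run it against a real host, pass /etc/docker/daemon.json and the running daemon's command line, for example `docker_api_exposed /etc/docker/daemon.json "$(tr '\0' ' ' < /proc/$(pidof dockerd)/cmdline)"`. Mutual TLS only authenticates clients; the listener should still be bound to a management interface and firewalled, since anyone holding a valid client certificate has root-equivalent control of the host.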