Attackers Shift to Malware-Based CryptominersCryptocurrency Market Slide Makes In-Browser Mining Less Appealing
The rise of virtual currencies such as bitcoin and monero brought new risks to enterprises: attackers who seek to steal computing power in order to enrich themselves.
See Also: 2020 Global Threat Report
Although it may seem an offense that could be equated with taking extra pens or copy paper from the office, it can have negative impact: Poorly implemented cryptomining code can hamper a computer's performance.
These kinds of attacks - referred to as cryptojacking - use victim's computers to generate random hashes as part of the proof-of-work transaction systems for virtual currencies in return for a reward payment.
Plus, if the mining code has actually been loaded on an endpoint using a vulnerability or a phishing attack, it could be an entry point for more harmful code.
Last year, browser-based mining outpaced the malware-based variety by a ratio of two to one, writes Charles DeBeck, a strategic cyber threat analyst with IBM. But that's changing. Instead, it appears that threat actors favor trying to install mining code on computers.
"As our data shows, browser-based cryptojacking was big in 2018," DeBeck writes. "But as we moved into 2019, our data started showing a decline in that type of attack and a return to malware-based cryptojacking. A number of factors could be contributing to this shift."
IBM as well as other security companies have noticed that cryptojacking efforts have tapered as the value of virtual currencies has fallen. Since December 2017, when bitcoin peaked at around $20,000 per coin, the value of it and other cryptocurrencies has fallen 75 percent or more.
At first, such mining efforts escaped scrutiny by endpoint security software, although some vendors have now developed capabilities to notify users when it is happening.
"Since the browser is merely an application on a device, it cannot generate the same computing power as infecting the actual device," DeBeck writes. "As a result, this type of cryptojacking takes much longer to generate each coin, which may be incentivizing threat actors to refocus on malware infections to speed things up."
The project proved controversial because hackers inserted it into websites without permission. The code was freely available to install, but Coinhive took a 30 percent share of mining rewards even if it was on a hacked site, which some maintained was unethical.
"With Coinhive gone, threat actors would have to go to other script providers," DeBeck writes. "While there are many other providers of the same sort of scripts, the removal of Coinhive could affect the overall ability of the technically unskilled to create web-based cryptojacking attacks."
The Next Stage: Fileless
But if cryptomining proves meddlesome, admins can also restrict outbound calls to known crytomining "pools," the term for groups that combine their mining power and collectively share payouts. Threat intel providers are a source for that data.
IBM is predicting that cryptomining will evolve. To wit: GhostMiner, which is a fileless miner that resides only in memory.
"It uses PowerShell evasion scripts that allow it to run from memory without leaving any files on the victim's devices," according to IBM's X-Force Intelligence Threat Index 2019, which was released in February. "It contains advanced process-killing functions, executed via PowerShell, to detect and eliminate other coin-mining infections that may be present on the same device, so it can maintain exclusive access to system processing power."
Going fileless and relying on scripts makes defense harder, as it may be possible to evade AV detection, IBM says. This PowerShell approach, often referred to "living off the land" because it doesn't involve the introduction of other code, has proved tough for organizations to defend against, particularly when attackers use this method to laterally move through systems.