Malware that hijacks computer systems and uses their CPU cycles to mine cryptocurrencies is moving up the list of popular attacks by cyber-criminals, according to security software firm Fortinet. This type of virtual currency mining malware is also known as "cryptojacking."
In a recent Global Threat Landscape Report released by Fortinet’s FortiGuard Labs this month, Fortinet officials noted that virtual currency mining malware impacted 28 percent of companies in the first quarter this year, more than doubling the 13 percent of organizations that were hit in the last three months of 2017. At the same time, virtual currency mining malware is broadening its reach, targeting not only multiple operating systems but also various cryptocurrencies, such as BitCoin, Monero and Dash.
In addition, cryptojacking malware is evolving its delivery methods and, in one instance, is leveraging the BlueEternal exploit that was key in last year’s high-profile WannaCry ransomware attacks in a cryptojacking campaigned called WannaMine.
The rise of virtual currency mining malware in the Fortinet report mirrored what other security firms have found. In its Global Threat Index, Check Point Software officials said that the incidents of such malware have skyrocketed since the end of 2017 and are now targeting unpatched vulnerabilities in Windows and Oracle servers. In addition, in a blog post in February, Jerome Segura, lead malware intelligence analyst for MalwareBytes Labs, wrote that “ever since September 2017, malicious cryptomining has been our top detection overall.”
It’s no surprise that cyber-criminals are turning their focus to cryptojacking, and the industry should expect innovation and investment in this area to continue, according to Anthony Giandomenico, senior security strategist and researcher at FortiGuard Labs.
“Globally, cryptominers are rapidly increasing and spreading for an obvious reason: It’s lucrative,” Giandomenico told ITProToday in an email. “Threat actors are also riding this wave by using different kind of attacks to compromise not only personal computer but also servers. They are looking for powerful CPU resources to mine cryptocurrencies, such as Monero (XMR), among others, as fast as they can. The more infected machines they can get mining for them, the more money they can make.”
Ransomware--which was a key focus of cyber-criminals and security researchers alike last year following the high-profile WannaCry worm and subsequent attacks like BadRabbit and Olympic Destroyer--is still causing trouble in networks around the world, especially in such industries as healthcare, financial services and education, according to FortiGuard Labs’ report. Ransomware like GandCrab, BlackRuby and SamSam were major threats in the early months of 2018.
However, cryptojacking increasingly seems to be the malware of choice, with attackers deciding it’s more profitable to hijack computers and use them for cryptocurrency mining than to hold them for ransom.
“Unlike ransomware that is focused on ransom, cryptomining malware is about getting a script into a machine to mine for cryptocurrencies,” Giandomenico said. “It is harder to detect and they can usually stay in the systems a lot longer and enjoy the use of the CPU to mine for crypto-currencies. The volume is getting higher because it’s a volume game. The more systems you can recruit the better your chances are of verifying the transaction and making money.”
Cryptojacking malware also is “showing incredible diversity for such a relatively new threat,” he said. Not only are attackers targeting multiple operating systems and mining disparate cryptocurrencies, but the delivery methods are diversifying. These include injecting malicious JavaScript into vulnerable websites or delivering it through phishing campaigns.
“Fileless JavaScript variants have been able to embed malicious code into legitimate web pages to compromise visiting devices,” Giandomenico said. “Simply browsing an infected site can enable attackers to hijack CPU cycles to perform cryptomining on behalf of a cybercriminal.”
One aspect that makes cryptojacking attractive to threat actors is that it is much less noisy than ransomware, which became obvious once the malware was activated and required that victims pay a ransom before receiving decryption keys for their data. By contrast, cryptojacking malware runs in the background, stealing CPU cycles to fuel its cryptomining activities. However, such work can slow down a system or impact how applications are running. Users worried that such malware is running on their systems can start by checking the Task Manager in Windows, Activity Monitor on Macs and “top” on the Linux command line. Through these tools, users also can list all the processes running on their systems and delete whatever is consuming resources, Giandomenico said.
