Cybercriminals are always looking for new ways to compromise devices. The name of the game is monetary gain: threat actors aim for cost-effectiveness, seeking the highest return for the least amount of effort and risk.
From Malware to Mining
Typically, malware is intended to steal sensitive information, spy on users, record their actions, or take control of their devices. The longer it stays undetected, the more effective it is; in many cases, malware can operate without being discovered for weeks, months or even years. A report from the Ponemon Institute identified the average dwell time in 2017 was 191 days.
Over the past few years, though, threat actors have increasingly turned to ransomware as a highly effective option. Unlike “traditional” malware, ransomware announces itself to the user in no uncertain terms with a dire ransom note intended to scare and shock. In other words, it is essential to its success that it does not stay undetected at all.
For attackers, ransomware has some key advantages: instead of looking for buyers of credit card information on the dark web, they can get their bitcoin wallets filled up by the small percentage of victims they manage to infect, and that can add up to a lot. Some ransomware campaigns even offer invoicing and call centers to help their victims complete their payments. Profit isn’t the only reward, either: dealing with bitcoin lowers the risk attackers take by reducing interactions.
Sounds ideal, except for one major problem: it’s effectiveness also diminishes as soon as it ends up on public feeds. If the ransomware’s signature is detected two days after release, the attackers ROI (return on investment) may be significantly less than expected, or even negligible. Like anyone else running a highly profitable business, cybercriminals need to constantly find new ways to fulfill their financial targets. Enter, the new kid on the block: Cryptojacking.
The Lure of Cryptomining
Cryptomining operations have become increasingly popular, now consuming almost half a percent of the world’s electricity consumption. Although prone to sharp fluctuations and currently on a downward trend, the price of Bitcoin remains at over $6400 at the time of writing.
With such value, cybercriminals have strong incentives to generate bitcoins, and Cryptomining with someone else’s resources – Cryptojacking – is an almost risk-free enterprise. Infecting 10 machines with a Cryptominer could net around $100/day, so the challenge for Cryptojackers is two-fold: first, infect as many machines as possible; and second, unlike ransomware and more akin to traditional malware, stay hidden for as long as possible.
Solving the problem of volume and longevity is easier with a veneer of legitimacy: some have established it as a business model, like PirateBay. Others have even claimed it can replace or be used alongside advertisements to generate revenue from users. Even software developers have tried to get in on the act. In March 2018, Apple’s App Store briefly carried a version of a free app called ‘Calendar 2’ that mined Monero crypto-currency while it ran. It reportedly made $2000 in 2 days before Apple pulled it from the App Store.
While some home users may seek to install Cryptomining software for themselves, ordinary consumer-grade hardware is not really up to the job of bitcoin mining profitably, unless a large number of them are harnessed together: perfect for a botnet, and perfect for websites with plenty of traffic and no compunction about stealing their users processing power and electricity to generate profits for the website owners. This unwanted or unintentional Cryptomining is what we now refer to as Cryptojacking.
Characteristics of Cryptojacking
Cryptojackers use similar techniques as malware to sneak on to an endpoint: drive-by downloads, phishing campaigns, in-browser vulnerabilities, and browser plugins to name a few. Always, of course, they rely on the weakest link – the people – via social engineering techniques.
The code can specify how much of the user’s CPU resource to use and even how many tabs the miner should run in.
How to Know If You Are Infected
This is the tricky part; many Cryptominers go to great lengths to stay undetected by both automated software and end users.
As we have seen, Cryptominers are interested in your processing power, and Cryptojackers have to trade off stealth against profit. How much of your CPU resources they take is up to them – less makes it harder for unsuspecting users to notice, more increases their profits. In either case, there will be a performance impact, but if the threshold is low enough it could be a challenge to distinguish the miner from legitimate software.
Enterprise administrators may look for unknown processes in their environment, and end users on Windows should spawn up a Sysinternals process explorer to see what they are running. Linux and macOS users should investigate System Monitor and Activity Monitor, respectively, for the same reason.
More advanced users should be able to notice increased network traffic. If you are a SentinelOne customer already, you can use Deep Visibility to spot suspicious domains.
How to Defend Against Cryptominers
Deploy an endpoint security product, but ensure it has behavioural detection also. Cryptominers can operate in the browser, so a legacy solution that relies on file-based malware would be blind to that.
As we have seen, the infection vectors for Cryptojacking are similar to other malware, so use a robust endpoint solution like SentinelOne to protect your endpoints from infection.
Secondly, as the behaviour of Cryptominers is not very different from legitimate software, detection needs to be done well so as to avoid false detections. Over time, SentinelOne’s multiple AI engines have been able to detect and automatically respond to several families of cryptojacking across platforms.