Endpoint

3/13/2018
05:48 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft Report Details Different Forms of Cryptominers

A new report explores different ways legitimate and malicious coin miners are appearing in the enterprise.

The future of digital currencies may be ambiguous, but their effect on cybercrime is crystal-clear. Cryptocurrencies have changed criminals' motivation and the nature of cyberattacks.

As consumers explored the new frontier of digital wealth, so too have cybercriminals and malware developers. Both the anonymity and sharp value increase of cryptocurrency appeal to threat actors, who have most notably used Bitcoin to extort funds from ransomware victims.

Criminal activity related to cryptocurrency has driven a surge in different forms of cryptocurrency miners, otherwise known as cryptominers or coin miners. Microsoft's Alden Pornasdoro, Michael Johnson, and Eric Avena, all with the Windows Defender Research team, have published a new report on the rise of various coin miners and their enterprise presence.

"Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger," the researchers explain. It's not malicious, but it does require hefty computing resources to generate coins. Many people and businesses invest in the equipment to legitimately do it. Some people don’t want to make this infrastructure investment, and instead explore ways to use coin mining code to tap into the computing resources of somebody else’s devices.

For cybercriminals, this is a chance to build coin miners and use them nefariously. The researchers' report digs into the details of coin mining malware, web-based mining scripts, and legitimate but unauthorized cryptomining applications, and how they are deployed and used.

Trojanized coin miners

Oftentimes, cybercriminals change existing cryptominers and drop them on target computers using malware, social engineering, and exploits. Between Sept. 2017 and Jan. 2018, an average of 644,000 machines encountered coin mining malware each month, Microsoft states. Some are more sophisticated than others, using exploits or self-distributing malware to spread.

"The vast majority of attacks are financially motivated and based on the return-on-investment for attackers," says Kevin Epstein, vice president of Threat Operations at Proofpoint. As ransomware campaigns have proven less lucrative amid growing consumer awareness, many criminals are turning to cryptominers and integrating coin mining into Trojans to make money.

Exploit kits, once used to mainly deploy banking Trojans and, most recently, ransomware, are now used to spread coin miners. Researchers point to the example of DDE exploits: One sample of the malware is delivered as a malicious Word document that launches a PowerShell script and downloads a Trojanized version of Monero cryptominer XMRig. Some criminals use social engineering: one malicious file called "flashupdate," disguised as Flash Player, also uses an altered version of XMRig. 

Once a coin miner makes its way onto a target machine, it aims to stay there.

"For cryptocurrency miners, persistence is a key element," Microsoft researchers explain. "The longer they stay memory-resident and undetected, the longer they can mine using stolen computer resources." Criminals use scheduled tasks, autostart registry entries, code injection, and other fileless techniques to maintain their presence by evading detection.

Browser-based miners

Some coin-mining scripts are hosted on websites, a trend also known as "cryptojacking" that has increased amid the interest in cryptocurrency. These websites mine coins using the computing power of people who visit. Some sites prompt visitors to run the script; others do not.

To keep people from leaving, some of these malicious sites host video streams. Researchers have also found tech support scam sites that double as coin miners. Visitors are distracted with pop-ups and stay on the site as criminals mine coins in the background.

Legitimate miners, illegitimate use

A growing enterprise problem is the presence of legitimate but unauthorized coin miners that people use in business environments because they don't want to use their resources at home. These drive energy consumption and costs, and are tougher for security teams to detect because they don't arrive through traditional infection vectors.

Microsoft reports in 2018, Windows enterprise users running potentially unwanted application (PUA) protection saw coin miners on more than 1,800 enterprise machines. The number is expected to increase as organizations keep a closer eye out for these programs.

PUAs are different from Trojanized miners, which are considered malware, and "unwanted software," which are considered harmful because they change Windows without users' control. PUA protection, enabled by default in the System Center Configuration Manager, can be configured by security admins with PowerShell cmdlets or Microsoft Intune.

Windows Defender antivirus blocks PUAs when users attempt to install programs meeting certain conditions, researchers explain. These mostly include software bundling programs, browser modifiers, and programs with poor reputations. They increasingly include coin miners, which made up 2% of PUAs in Sept. 2017 and 6% of PUAs in Jan. 2018.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here#InteropITX 2018 Early Bird Rates Expire March 16. Use Promo Code 200KS to Save an Extra $200.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly22
50%
50%
Kelly22,
User Rank: Author
3/16/2018 | 9:41:13 AM
Re: Link to Report
Apologies, will update with the link but in the meantime, you can find it here: https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/invisible-resource-thieves-the-increasing-threat-of-cryptocurrency-miners/
4u2dcy4
50%
50%
4u2dcy4,
User Rank: Apprentice
3/16/2018 | 8:30:08 AM
Link to Report
Disappointed there is no link to the cited Microsoft report.
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15504
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.
CVE-2018-15505
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted "Host" header field may cause a NULL pointer dereference and thus cause a denial of service, as demonstrated by the lack of a trailing ']' character in an IPv6 a...
CVE-2018-15492
PUBLISHED: 2018-08-18
A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification.
CVE-2018-15494
PUBLISHED: 2018-08-18
In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
CVE-2018-15495
PUBLISHED: 2018-08-18
/filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value.