Remember cryptojacking? All the rage in 2017 and 2018, it largely died a quiet death in 2019 after the shutdown of cryptocurrency mining service CoinHive. Here in 2021, it seems to be coming back with a vengeance.
Over the last year, malicious cryptomining has seen a resurgence: NTT's 2021 Global Threat Intelligence Report, published this month, reveals that cryptominers have now overtaken spyware as the world's most common malware.
Cryptominers, says NTT, made up 41% of all detected malware in 2020, and were most widely found in Europe, the Middle East, Africa and the Americas. The most common coinminer variant was XMRig, which infects a user’s computer to mine Monero, accounting for 82% of all mining activity. Others included Cryptominer and XMR-Stak.
Coin miners accounted for nearly a quarter of all malware in the US and three quarters in Europe, the Middle East and Africa. Indeed, they were the most detected form of malware in the UK and Ireland, Germany and the Benelux countries.
"While coin miners are not inherently destructive, their presence can put a significant strain on system resources, potentially leading to machines overheating or performing poorly," the researchers say.
"The presence of coin miners can also alert threat actors to vulnerabilities in systems, leading to further, more malicious, exploitation."
Criminals are able to make a victim's computer mine cryptocurrencies in two ways: by using phishing techniques to persuade the victim to install the cryptomining script, or by injecting a mining script into a website or advertisement.
And as cryptocurrency values rise, the incentive to do so is increasing.
Microsoft Exchange attacks
Last month, for example, researchers at Sophos found that an unknown attacker had been attempting to place a malicious Monero cryptominer on Microsoft Exchange servers. The criminals were quick off the mark, with the money starting to roll in just days after Microsoft revealed that Exchange was vulnerable.
Cybereason, too, found a number of Prometei botnet infections at companies in North America, again exploiting Microsoft Exchange vulnerabilities.
Other examples over the last year include a cryptojacking scheme uncovered by Palo Alto Networks that used Docker images hosted on Docker Hub to deliver cryptomining software to victims' systems. One wallet used by the criminals netted $36,000.
Meanwhile, a recently discovered cryptomining botnet has been actively scanning for vulnerable Windows and Linux enterprise servers and infecting them with the XMRig miner and other malware.
Cryptojackers are ingenious: according to Darktrace, devices hijacked for cryptomining have included a spectrometer and even a server in charge of opening and closing a biometric door.
The industry is fighting back, with Microsoft and Intel recently teaming up to protect Windows 10 users from cryptojacking by putting Intel Threat Detection Technology (TDT) inside Microsoft Defender for Endpoint.
“As organizations look to simplify their security investments, built-in platform-based security technologies, such as the integration of Intel TDT with Microsoft Defender for Endpoint, combine best of breed in a streamlined solution,” says Karthik Selvaraj, principal security research manager at Microsoft.
Meanwhile, antivirus vendors are adding mining detection to their products.
Organizations are advised to keep staff alert to the danger of phishing, use anti-cryptomining extensions on web browsers and choose antivirus protection that can detect cryptominers.
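A defender-side triage routine that turns the symptoms described above (known miner names, mining-pool connections, sustained CPU strain) into checks over process telemetry. It is an added example written for this page, not code from the article, NTT, Microsoft or Intel; the telemetry record format, the allowlist and the thresholds are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass, field

# Miner families named in the NTT report, mining-pool URL schemes, and a constructed
# allowlist of legitimately CPU-heavy tools (assumption: tune per environment).
KNOWN_MINERS = ("xmrig", "xmr-stak")
POOL_SCHEMES = ("stratum+tcp://", "stratum+ssl://", "stratum://")
CPU_ALLOWLIST = ("ffmpeg", "clang", "backup-agent")
CPU_THRESHOLD, SUSTAINED_SAMPLES = 80.0, 5   # percent per sample; consecutive samples

@dataclass
class Finding:
    pid: int
    name: str
    reasons: list = field(default_factory=list)

def sustained_high_cpu(samples, threshold=CPU_THRESHOLD, need=SUSTAINED_SAMPLES):
    """True if at least `need` consecutive samples are at or above `threshold`."""
    run = 0
    for s in samples:
        run = run + 1 if s >= threshold else 0
        if run >= need:
            return True
    return False

def triage(processes):
    """Return a Finding for every process record that trips at least one rule."""
    findings = []
    for p in processes:
        name, cmd = p["name"].lower(), p.get("cmdline", "").lower()
        reasons = []
        if any(m in name or m in cmd for m in KNOWN_MINERS):
            reasons.append("known miner name in process name or command line")
        if any(scheme in cmd for scheme in POOL_SCHEMES):
            reasons.append("mining-pool URL in command line")
        if sustained_high_cpu(p.get("cpu", [])) and not name.startswith(CPU_ALLOWLIST):
            reasons.append("sustained CPU strain from a non-allowlisted process")
        if reasons:
            findings.append(Finding(p["pid"], p["name"], reasons))
    return findings

# Constructed sample telemetry: a renamed miner, a legitimate encoder, a browser.
SAMPLE = [
    {"pid": 4120, "name": "updater.exe",
     "cmdline": "updater.exe -o stratum+tcp://pool.invalid:3333 -u WALLET_PLACEHOLDER",
     "cpu": [92, 95, 97, 96, 94, 98, 95, 93]},
    {"pid": 7700, "name": "ffmpeg", "cmdline": "ffmpeg -i in.mp4 out.mkv",
     "cpu": [99, 99, 98, 99, 99, 99]},
    {"pid": 300, "name": "chrome", "cmdline": "chrome --type=renderer",
     "cpu": [12, 40, 85, 30, 10, 8]},
]
```

Only the renamed miner is reported: the encoder is allowlisted despite its CPU use, and the browser's single spike does not meet the sustained-strain rule.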