How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners


Cyber criminals tend to favor cryptocurrencies because they provide
a certain level of anonymity and can be easily monetized. This interest
has increased in recent years
, stemming far beyond the desire to
simply use cryptocurrencies as a method of payment for illicit tools
and services. Many actors have also attempted to capitalize on the
growing popularity of cryptocurrencies, and subsequent rising price,
by conducting various operations aimed at them. These operations
include malicious cryptocurrency mining (also referred to as
cryptojacking), the collection of cryptocurrency wallet credentials,
extortion activity, and the targeting of cryptocurrency exchanges.

This blog post discusses the various trends that we have been
observing related to cryptojacking activity, including cryptojacking
modules being added to popular malware families, an increase in
drive-by cryptomining attacks, the use of mobile apps containing
cryptojacking code, cryptojacking as a threat to critical
infrastructure, and observed distribution mechanisms.

What Is Mining?

As transactions occur on a blockchain, those transactions must be
validated and propagated across the network. As computers connected to
the blockchain network (aka nodes) validate and propagate the
transactions across the network, the miners include those transactions
into “blocks” so that they can be added onto the chain. Each
block is cryptographically hashed, and must include the hash of the
previous block, thus forming the “chain” in blockchain. In
order for miners to compute the complex hashing of each valid block,
they must use a machine’s computational resources. The more blocks
that are mined, the more resource-intensive solving the hash becomes.
To overcome this, and accelerate the mining process, many miners will
join collections of computers called “pools” that work
together to calculate the block hashes. The more computational
resources a pool harnesses, the greater the pool’s chance of mining a
new block. When a new block is mined, the pool’s participants are
rewarded with coins. Figure 1 illustrates the roles miners play in the
blockchain network.

Figure 1: The role of miners

Underground Interest

FireEye iSIGHT Intelligence has identified eCrime actor interest in
cryptocurrency mining-related topics dating back to at least 2009
within underground communities. Keywords that yielded significant
volumes include miner, cryptonight, stratum, xmrig, and cpuminer.
While searches for certain keywords fail to provide context, the
frequency of these cryptocurrency mining-related keywords shows a
sharp increase in conversations beginning in 2017 (Figure 2). It is
probable that at least a subset of actors prefer cryptojacking over
other types of financially motivated operations due to the perception
that it does not attract as much attention from law enforcement.

Figure 2: Underground keyword mentions

Monero Is King

The majority of recent cryptojacking operations have overwhelmingly
focused on mining Monero, an open-source cryptocurrency based on the
CryptoNote protocol, as a fork of Bytecoin. Unlike many
cryptocurrencies, Monero uses a unique technology called “ring
signatures,” which shuffles users’ public keys to eliminate the
possibility of identifying a particular user, ensuring it is
untraceable. Monero also employs a protocol that generates multiple,
unique single-use addresses that can only be associated with the
payment recipient and are unfeasible to be revealed through blockchain
analysis, ensuring that Monero transactions are unable to be linked
while also being cryptographically secure.

The Monero blockchain also uses what’s called a
“memory-hard” hashing algorithm called CryptoNight and,
unlike Bitcoin’s SHA-256 algorithm, it deters application-specific
integrated circuit (ASIC) chip mining. This feature is critical to the
Monero developers and allows for CPU mining to remain feasible and
profitable. Due to these inherent privacy-focused features and
CPU-mining profitability, Monero has become an attractive option for
cyber criminals.

Underground Advertisements for Miners

Because most miner utilities are small, open-sourced tools, many
criminals rely on crypters. Crypters are tools that employ encryption,
obfuscation, and code manipulation techniques to keep their tools and
malware fully undetectable (FUD). Table 1 highlights some of the most
commonly repurposed Monero miner utilities.

XMR Mining Utilities











Table 1: Commonly used Monero miner utilities

The following are sample advertisements for miner utilities commonly
observed in underground forums and markets. Advertisements typically
range from stand-alone miner utilities to those bundled with other
functions, such as credential harvesters, remote administration tool
(RAT) behavior, USB spreaders, and distributed denial-of-service
(DDoS) capabilities.

Sample Advertisement #1 (Smart Miner + Builder)

In early April 2018, actor “Mon£y” was observed by FireEye
iSIGHT Intelligence selling a Monero miner for $80 USD – payable via
Bitcoin, Bitcoin Cash, Ether, Litecoin, or Monero – that included
unlimited builds, free automatic updates, and 24/7 support. The tool,
dubbed Monero Madness (Figure 3), featured a setting called Madness
Mode that configures the miner to only run when the infected machine
is idle for at least 60 seconds. This allows the miner to work at its
full potential without running the risk of being identified by the
user. According to the actor, Monero Madness also provides the
following features:

  • Unlimited builds
  • Builder GUI (Figure 4)
  • Written in AutoIT (no
  • FUD
  • Safer error handling
  • Uses
    most recent XMRig code
  • Customizable pool/port
  • Packed with UPX
  • Works on all Windows OS (32- and
  • Madness Mode option

Figure 3: Monero Madness

Figure 4: Monero Madness builder

Sample Advertisement #2 (Miner + Telegram Bot Builder)

In March 2018, FireEye iSIGHT Intelligence observed actor
“kent9876” advertising a Monero cryptocurrency miner called
Goldig Miner (Figure 5). The actor requested payment of $23 USD for
either CPU or GPU build or $50 USD for both. Payments could be made
with Bitcoin, Ether, Litecoin, Dash, or PayPal. The miner ostensibly
offers the following features:

  • Written in C/C++
  • Build size is small (about 100–150 kB)
  • Hides miner
    process from popular task managers
  • Can run without
    Administrator privileges (user-mode)
  • Auto-update
  • All data encoded with 256-bit key
  • Access to
    Telegram bot-builder
  • Lifetime support (24/7) via

Figure 5: Goldig Miner advertisement

Sample Advertisement #3 (Miner + Credential Stealer)

In March 2018, FireEye iSIGHT Intelligence observed actor
“TH3FR3D” offering a tool dubbed Felix (Figure 6) that
combines a cryptocurrency miner and credential stealer. The actor
requested payment of $50 USD payable via Bitcoin or Ether. According
to the advertisement, the Felix tool boasted the following features:

  • Written in C# (Version
  • Browser stealer for all major browsers (cookies,
    saved passwords, auto-fill)
  • Monero miner (uses pool by default, but can be configured)
  • Filezilla stealer
  • Desktop file grabber (.txt and
  • Can download and execute files
  • Update
  • USB spreader functionality
  • PHP web

Figure 6: Felix HTTP

Sample Advertisement #4 (Miner + RAT)

In January 2018, FireEye iSIGHT Intelligence observed actor
“ups” selling a miner for any Cryptonight-based
cryptocurrency (e.g., Monero and Dashcoin) for either Linux or Windows
operating systems. In addition to being a miner, the tool allegedly
provides local privilege escalation through the CVE-2016-0099
exploit, can download and execute remote files, and receive commands.
Buyers could purchase the Windows or Linux tool for €200 EUR, or €325
EUR for both the Linux and Windows builds, payable via Monero,
bitcoin, ether, or dash. According to the actor, the tool offered the following:

Windows Build Specifics

  • Written in C++ (no
  • Miner component based on XMRig
  • Easy
    cryptor and VPS hosting options
  • Web panel (Figure 7)
  • Uses TLS for secured communication
  • Download and
  • Auto-update ability
  • Cleanup routine
  • Receive remote commands
  • Perform privilege
  • Features “game mode” (mining stops if
    user plays game)
  • Proxy feature (based on XMRig)
  • Support (for €20/month)
  • Kills other miners from
  • Hidden from TaskManager
  • Configurable pool,
    coin, and wallet (via panel)
  • Can mine the following
    Cryptonight-based coins:
    • Monero
    • Bytecoin
    • Electroneum
    • DigitalNote
    • Karbowanec
    • Sumokoin
    • Fantomcoin
    • Dinastycoin
    • Dashcoin
    • LeviarCoin
    • BipCoin
    • QuazarCoin
    • Bitcedi

Linux Build Specifics

  • Issues running on Linux
    servers (higher performance on desktop OS)
  • Compatible with
    AMD64 processors on Ubuntu, Debian, Mint (support for CentOS

Figure 7: Miner bot web panel

Sample Advertisement #5 (Miner + USB Spreader + DDoS Tool)

In August 2017, actor “MeatyBanana” was observed by
FireEye iSIGHT Intelligence selling a Monero miner utility that
included the ability to download and execute files and perform DDoS
attacks. The actor offered the software for $30 USD, payable via
Bitcoin. Ostensibly, the tool works with CPUs only and offers the
following features:

  • Configurable miner pool
    and port (default to minergate)
  • Compatible with both 64-
    and 86-bit Windows OS
  • Hides from the following popular task
  • Windows Task Manager
  • Process Killer
  • KillProcess
  • System Explorer
  • Process
  • AnVir
  • Process Hacker
  • Masked as a
    system driver
  • Does not require administrator
  • No dependencies
  • Registry persistence
  • Ability to perform “tasks” (download and
    execute files, navigate to a site, and perform DDoS)
  • USB
  • Support after purchase

The Cost of Cryptojacking

The presence of mining software on a network can generate costs on
three fronts as the miner surreptitiously allocates resources:

  1. Degradation in system
  2. Increased cost in electricity
  3. Potential
    exposure of security holes

Cryptojacking targets computer processing power, which can lead to
high CPU load and degraded performance. In extreme cases, CPU overload
may even cause the operating system to crash. Infected machines may
also attempt to infect neighboring machines and therefore generate
large amounts of traffic that can overload victims’ computer networks.

In the case of operational technology (OT) networks, the
consequences could be severe. Supervisory control and data
acquisition/industrial control systems (SCADA/ICS) environments
predominately rely on decades-old hardware and low-bandwidth networks,
therefore even a slight increase in CPU load or the network could
leave industrial infrastructures unresponsive, impeding operators from
interacting with the controlled process in real-time.

The electricity cost, measured in kilowatt hour (kWh), is dependent
upon several factors: how often the malicious miner software is
configured to run, how many threads it’s configured to use while
running, and the number of machines mining on the victim’s network.
The cost per kWh is also highly variable and depends on geolocation.
For example, security researchers who ran Coinhive on a machine for 24
hours found that the electrical consumption was 1.212kWh. They
estimated that this equated to electrical costs per month of $10.50
USD in the United States, $5.45 USD in Singapore, and $12.30 USD in Germany.

Cryptojacking can also highlight often overlooked security holes in
a company’s network. Organizations infected with cryptomining malware
are also likely vulnerable to more severe exploits and attacks,
ranging from ransomware to ICS-specific malware such as TRITON.

Cryptocurrency Miner Distribution Techniques

In order to maximize profits, cyber criminals widely disseminate
their miners using various techniques such as incorporating
cryptojacking modules into existing botnets, drive-by cryptomining
attacks, the use of mobile apps containing cryptojacking code, and
distributing cryptojacking utilities via spam and self-propagating
utilities. Threat actors can use cryptojacking to affect numerous
devices and secretly siphon their computing power. Some of the most
commonly observed devices targeted by these cryptojacking schemes are:

  • User endpoint
  • Enterprise servers
  • Websites
  • Mobile
  • Industrial control systems
Cryptojacking in the Cloud

Private sector companies and governments alike are increasingly moving
their data and applications to the cloud
, and cyber threat
groups have been moving with them. Recently, there have been various
reports of actors conducting cryptocurrency mining operations
specifically targeting cloud infrastructure. Cloud infrastructure is
increasingly a target for cryptojacking operations because it offers
actors an attack surface with large amounts of processing power in an
environment where CPU usage and electricity costs are already expected
to be high, thus allowing their operations to potentially go
unnoticed. We assess with high confidence that threat actors will
continue to target enterprise cloud networks in efforts to harness
their collective computational resources for the foreseeable future.

The following are some real-world examples of cryptojacking in the cloud:

  • In February 2018, FireEye
    researchers published a blog detailing various techniques actors
    used in order to deliver malicious miner payloads (specifically to
    vulnerable Oracle servers) by abusing CVE-2017-10271. Refer to our
    blog post for more detailed information regarding the post-exploitation
    and pre-mining dissemination techniques
    used in those
  • In March 2018, Bleeping
    Computer reported
    on the trend of cryptocurrency mining
    campaigns moving to the cloud via vulnerable Docker and Kubernetes
    applications, which are two software tools used by developers to
    help scale a company’s cloud infrastructure. In most cases,
    successful attacks occur due to misconfigured applications and/or
    weak security controls and passwords.
  • In February 2018, Bleeping
    Computer also reported
    on hackers who breached Tesla’s cloud
    servers to mine Monero. Attackers identified a Kubernetes console
    that was not password protected, allowing them to discover login
    credentials for the broader Tesla Amazon Web services (AWS) S3 cloud
    environment. Once the attackers gained access to the AWS environment
    via the harvested credentials, they effectively launched their
    cryptojacking operations.
  • Reports of cryptojacking activity
    due to misconfigured AWS S3 cloud storage buckets have also been
    observed, as was the case in the LA
    Times online compromise
    in February 2018. The presence of
    vulnerable AWS S3 buckets allows anyone on the internet to access
    and change hosted content, including the ability to inject mining
    scripts or other malicious software.
Incorporation of Cryptojacking into Existing Botnets

FireEye iSIGHT Intelligence has observed multiple prominent botnets
such as Dridex and Trickbot incorporate cryptocurrency mining into
their existing operations. Many of these families are modular in
nature and have the ability to download and execute remote files, thus
allowing the operators to easily turn their infections into
cryptojacking bots. While these operations have traditionally been
aimed at credential theft (particularly of banking credentials),
adding mining modules or downloading secondary mining payloads
provides the operators another avenue to generate additional revenue
with little effort. This is especially true in cases where the victims
were deemed unprofitable or have already been exploited in the
original scheme.

The following are some real-world examples of cryptojacking being
incorporated into existing botnets:

  • In early February 2018,
    FireEye iSIGHT Intelligence observed Dridex botnet ID 2040 download
    a Monero cryptocurrency miner based on the open-source XMRig
  • On Feb. 12, 2018, FireEye iSIGHT Intelligence observed
    the banking malware IcedID injecting Monero-mining JavaScript into
    webpages for specific, targeted URLs. The IcedID injects launched an
    anonymous miner using the mining code from Coinhive’s AuthedMine.
  • In late 2017, Bleeping
    Computer reported
    that security researchers with Radware
    observed the hacking group CodeFork leveraging the popular
    downloader Andromeda (aka Gamarue) to distribute a miner module to
    their existing botnets.
  • In late 2017, FireEye researchers
    observed Trickbot operators deploy a new module named
    “testWormDLL” that is a statically compiled copy of the
    popular XMRig Monero miner.
  • On Aug. 29, 2017, Security
    Week reported
    on a variant of the popular Neutrino banking
    Trojan, including a Monero miner module. According to their
    reporting, the new variant no longer aims at stealing bank card
    data, but instead is limited to downloading and executing modules
    from a remote server.

Drive-By Cryptojacking


FireEye iSIGHT Intelligence has examined various customer reports of
browser-based cryptocurrency mining. Browser-based mining scripts have
been observed on compromised websites, third-party advertising
platforms, and have been legitimately placed on websites by
publishers. While coin mining scripts can be embedded directly into a
webpage’s source code, they are frequently loaded from third-party
websites. Identifying and detecting websites that have embedded coin
mining code can be difficult since not all coin mining scripts are
authorized by website publishers, such as in the case of a compromised
website. Further, in cases where coin mining scripts were authorized
by a website owner, they are not always clearly communicated to site
visitors. At the time of reporting, the most popular script being
deployed in the wild is Coinhive. Coinhive is an open-source
JavaScript library that, when loaded on a vulnerable website, can mine
Monero using the site visitor’s CPU resources, unbeknownst to the
user, as they browse the site.

The following are some real-world examples of Coinhive being
deployed in the wild:

  • In September 2017, Bleeping
    Computer reported
    that the authors of SafeBrowse, a Chrome
    extension with more than 140,000 users, had embedded the Coinhive
    script in the extension’s code that allowed for the mining of Monero
    using users’ computers and without getting their consent.
  • During mid-September 2017, users
    on Reddit
    began complaining about increased CPU usage when
    they navigated to a popular torrent site, The Pirate Bay (TPB). The
    spike in CPU usage was a result of Coinhive’s script being embedded
    within the site’s footer. According to TPB operators, it was
    implemented as a test to generate passive revenue for the site
    (Figure 8).
  • In December 2017, researchers with Sucuri
    on the presence of the Coinhive script being hosted on, which allows users to publish web pages directly from
    GitHub repositories.
  • Other reporting disclosed the Coinhive
    script being embedded on the Showtime
    as well as on the LA
    Times website
    , both surreptitiously mining Monero.
  • A
    majority of in-browser cryptojacking activity is transitory in
    nature and will last only as long as the user’s web browser is open.
    However, researchers
    with Malwarebytes Labs
    uncovered a technique that allows for
    continued mining activity even after the browser window is closed.
    The technique leverages a pop-under window surreptitiously hidden
    under the taskbar. As researchers pointed out, closing the browser
    window may not be enough to interrupt the activity, and that more
    advanced actions like running the Task Manager may be required.

Figure 8: Statement from TPB operators on
Coinhive script

Malvertising and Exploit Kits

Malvertisements – malicious ads on legitimate websites – commonly
redirect visitors of a site to an exploit kit landing page. These
landing pages are designed to scan a system for vulnerabilities,
exploit those vulnerabilities, and download and execute malicious code
onto the system. Notably, the malicious advertisements can be placed
on legitimate sites and visitors can become infected with little to no
user interaction. This distribution tactic is commonly used by threat
actors to widely distribute malware and has been employed in various
cryptocurrency mining operations.

The following are some real-world examples of this activity:

  • In early 2018, researchers
    with Trend Micro reported
    that a modified miner script was
    being disseminated across YouTube via Google’s DoubleClick ad
    delivery platform. The script was configured to generate a random
    number variable between 1 and 100, and when the variable was above
    10 it would launch the Coinhive script coinhive.min.js, which
    harnessed 80 percent of the CPU power to mine Monero. When the
    variable was below 10 it launched a modified Coinhive script that
    was also configured to harness 80 percent CPU power to mine Monero.
    This custom miner connected to the mining pool
    wss[:]//ws[.]l33tsite[.]info:8443, which was likely done to avoid
    Coinhive’s fees.
  • In April 2018, researchers with Trend
    also discovered a JavaScript code based on Coinhive
    injected into an AOL ad platform. The miner used the following
    private mining pools: wss[:]//wsX[.]www.datasecu[.]download/proxy
    and wss[:]//www[.]jqcdn[.]download:8893/proxy. Examination of other
    sites compromised by this campaign showed that in at least some
    cases the operators were hosting malicious content on unsecured AWS
    S3 buckets.
  • Since July 16, 2017, FireEye
    has observed
    the Neptune Exploit Kit redirect to ads for
    hiking clubs and MP3 converter domains. Payloads associated with the
    latter include Monero CPU miners that are surreptitiously installed
    on victims’ computers.
  • In January 2018, Check
    Point researchers
    discovered a malvertising campaign leading
    to the Rig Exploit Kit, which served the XMRig Monero miner utility
    to unsuspecting victims.

Mobile Cryptojacking

In addition to targeting enterprise servers and user machines,
threat actors have also targeted mobile devices for cryptojacking
operations. While this technique is less common, likely due to the
limited processing power afforded by mobile devices, cryptojacking on
mobile devices remains a threat as sustained power consumption can
damage the device and dramatically shorten the battery life. Threat
actors have been observed targeting mobile devices by hosting
malicious cryptojacking apps on popular app stores and through
drive-by malvertising campaigns that identify users of mobile browsers.

The following are some real-world examples of mobile devices being
used for cryptojacking:

  • During 2014, FireEye
    iSIGHT Intelligence reported on multiple Android malware apps
    capable of mining cryptocurrency:
    • In March 2014, Android
      malware named “CoinKrypt” was discovered, which mined
      Litecoin, Dogecoin, and CasinoCoin currencies.
    • In March
      2014, another form of Android malware –
      “Android.Trojan.MuchSad.A” or
      “ANDROIDOS_KAGECOIN.HBT” – was observed mining
      Bitcoin, Litecoin, and Dogecoin currencies. The malware was
      disguised as copies of popular applications, including
      “Football Manager Handheld” and “TuneIn
      Radio.” Variants of this malware have reportedly been
      downloaded by millions of Google Play users.
    • In April
      2014, Android malware named “BadLepricon,” which mined
      Bitcoin, was identified. The malware was reportedly being
      bundled into wallpaper applications hosted on the Google Play
      store, at least several of which received 100 to 500
      installations before being removed.
    • In October 2014, a
      type of mobile malware called “Android Slave” was
      observed in China; the malware was reportedly capable of mining
      multiple virtual currencies.
  • In December
    2017, researchers
    with Kaspersky Labs reported
    on a new multi-faceted Android
    malware capable of a variety of actions including mining
    cryptocurrencies and launching DDoS attacks. The resource load
    created by the malware has reportedly been high enough that it can
    cause the battery to bulge and physically destroy the device. The
    malware, dubbed Loapi, is unique in the breadth of its potential
    actions. It has a modular framework that includes modules for
    malicious advertising, texting, web crawling, Monero mining, and
    other activities. Loapi is thought to be the work of the same
    developers behind the 2015 Android malware Podec, and is usually
    disguised as an anti-virus app.
  • In January 2018, SophosLabs
    released a report
    detailing their discovery of 19 mobile apps
    hosted on Google Play that contained embedded Coinhive-based
    cryptojacking code, some of which were downloaded anywhere from
    100,000 to 500,000 times.
  • Between November 2017 and January
    2018, researchers
    with Malwarebytes Labs reported
    on a drive-by cryptojacking
    campaign that affected millions of Android mobile browsers to mine

Cryptojacking Spam Campaigns

FireEye iSIGHT Intelligence has observed several cryptocurrency
miners distributed via spam campaigns, which is a commonly used tactic
to indiscriminately distribute malware. We expect malicious actors
will continue to use this method to disseminate cryptojacking code as
for long as cryptocurrency mining remains profitable.

In late November 2017, FireEye researchers identified a spam
campaign delivering a malicious PDF attachment designed to appear as a
legitimate invoice from the largest port and container service in New
Zealand: Lyttelton Port of Chistchurch (Figure 9). Once opened, the
PDF would launch a PowerShell script that downloaded a Monero miner
from a remote host. The malicious miner connected to the pools and

Figure 9: Sample lure attachment (PDF)
that downloads malicious cryptocurrency miner

Additionally, a massive cryptojacking spam campaign was discovered
by FireEye researchers during January 2018 that was designed to look
like legitimate financial services-related emails. The spam email
directed victims to an infection link that ultimately dropped a
malicious ZIP file onto the victim’s machine. Contained within the ZIP
file was a cryptocurrency miner utility (MD5:
80b8a2d705d5b21718a6e6efe531d493) configured to mine Monero and
connect to the pool. While each of the spam email lures
and associated ZIP filenames were different, the same cryptocurrency
miner sample was dropped across all observed instances (Table 2).

ZIP Filenames













Table 2: Sampling of observed ZIP filenames
delivering cryptocurrency miner

Cryptojacking Worms

Following the WannaCry attacks, actors began to increasingly
incorporate self-propagating functionality within their malware. Some
of the observed self-spreading techniques have included copying to
removable drives, brute forcing SSH logins, and leveraging the leaked
NSA exploit EternalBlue.
Cryptocurrency mining operations significantly benefit from this
functionality since wider distribution of the malware multiplies the
amount of CPU resources available to them for mining. Consequently, we
expect that additional actors will continue to develop this capability.

The following are some real-world examples of cryptojacking worms:

  • In May 2017, Proofpoint
    a large campaign distributing mining malware
    “Adylkuzz.” This cryptocurrency miner was observed
    leveraging the EternalBlue exploit to rapidly spread itself over
    corporate LANs and wireless networks. This activity included the use
    of the DoublePulsar backdoor to download Adylkuzz. Adylkuzz
    infections create botnets of Windows computers that focus on mining
  • Security researchers with Sensors
    a Monero miner worm, dubbed “Rarogminer,”
    in April 2018 that would copy itself to removable drives each time a
    user inserted a flash drive or external HDD.
  • In January
    2018, researchers
    at F5
    discovered a new Monero cryptomining botnet that targets
    Linux machines. PyCryptoMiner is based on Python script and spreads
    via the SSH protocol. The bot can also use Pastebin for its command
    and control (C2) infrastructure. The malware spreads by trying to
    guess the SSH login credentials of target Linux systems. Once that
    is achieved, the bot deploys a simple base64-encoded Python script
    that connects to the C2 server to download and execute more
    malicious Python code.

Detection Avoidance Methods

Another trend worth noting is the use of proxies to avoid detection.
The implementation of mining proxies presents an attractive option for
cyber criminals because it allows them to avoid developer and
commission fees of 30 percent or more. Avoiding the use of common
cryptojacking services such as Coinhive, Cryptloot, and Deepminer, and
instead hosting cryptojacking scripts on actor-controlled
infrastructure, can circumvent many of the common strategies taken to
block this activity via domain or file name blacklisting.

In March 2018, Bleeping
Computer reported
on the use of cryptojacking proxy servers and
determined that as the use of cryptojacking proxy services increases,
the effectiveness of ad blockers and browser extensions that rely on
blacklists decreases significantly.

Several mining proxy tools can be found on GitHub, such as the XMRig Proxy tool,
which greatly reduces the number of active pool connections, and the
Stratum Mining Proxy
, which uses Coinhive’s JavaScript mining
library to provide an alternative to using official Coinhive scripts
and infrastructure.

In addition to using proxies, actors may also establish their own
self-hosted miner apps, either on private servers or cloud-based
servers that supports Node.js. Although private servers may provide
some benefit over using a commercial mining service, they are still
subject to easy blacklisting and require more operational effort to
maintain. According to Sucuri
, cloud-based servers provide many benefits to actors
looking to host their own mining applications, including:

  • Available free or at
  • No maintenance, just upload the crypto-miner
  • Harder to block as blacklisting the host address could
    potentially impact access to legitimate services
  • Resilient
    to permanent takedown as new hosting accounts can more easily be
    created using disposable accounts

The combination of proxies and crypto-miners hosted on
actor-controlled cloud infrastructure presents a significant hurdle to
security professionals, as both make cryptojacking operations more
difficult to detect and take down.

Mining Victim Demographics

Based on data from FireEye detection technologies, the detection of
cryptocurrency miner malware has increased significantly since the
beginning of 2018 (Figure 10), with the most popular mining pools
being minergate and nanopool (Figure 11), and the most heavily
affected country being the U.S. (Figure 12). Consistent with other
, the education sector remains most affected, likely due
to more relaxed security controls across university networks and
students taking advantage of free electricity to mine cryptocurrencies
(Figure 13).

Figure 10: Cryptocurrency miner detection
activity per month

Figure 11: Commonly observed pools and
associated ports

Figure 12: Top 10 affected countries

Figure 13: Top five affected industries

Figure 14: Top affected industries by country

Mitigation Techniques

Unencrypted Stratum Sessions

According to security researchers at Cato Networks, in order for a
miner to participate in pool mining, the infected machine will have to
run native or JavaScript-based code that uses the Stratum protocol
over TCP or HTTP/S. The Stratum protocol uses a publish/subscribe
architecture where clients will send subscription requests to join a
pool and servers will send messages (publish) to its subscribed
clients. These messages are simple, readable, JSON-RPC messages.
Subscription requests will include the following entities: id, method,
and params (Figure 15). A deep packet inspection (DPI) engine can be
configured to look for these parameters in order to block Stratum over
unencrypted TCP.

Figure 15: Stratum subscription request parameters

Encrypted Stratum Sessions

In the case of JavaScript-based miners running Stratum over HTTPS,
detection is more difficult for DPI engines that do not decrypt TLS
traffic. To mitigate encrypted mining traffic on a network,
organizations may blacklist the IP addresses and domains of popular
mining pools. However, the downside to this is identifying and
updating the blacklist, as locating a reliable and continually updated
list of popular mining pools can prove difficult and time consuming.

Browser-Based Sessions

Identifying and detecting websites that have embedded coin mining
code can be difficult since not all coin mining scripts are authorized
by website publishers (as in the case of a compromised website).
Further, in cases where coin mining scripts were authorized by a
website owner, they are not always clearly communicated to site visitors.

As defenses evolve to prevent unauthorized coin mining activities,
so will the techniques used by actors; however, blocking some of the
most common indicators that we have observed to date may be effective
in combatting a significant amount of the CPU-draining mining
activities that customers have reported. Generic detection strategies
for browser-based cryptocurrency mining include:

  • Blocking domains known to
    have hosted coin mining scripts
  • Blocking websites of known
    mining project websites, such as Coinhive
  • Blocking scripts
  • Using an ad-blocker or coin mining-specific
    browser add-ons
  • Detecting commonly used naming
  • Alerting and blocking traffic destined for known
    popular mining pools

Some of these detection strategies may also be of use in blocking
some mining functionality included in existing financial malware as
well as mining-specific malware families.

It is important to note that JavaScript used in browser-based
cryptojacking activity cannot access files on disk. However, if a host
has inadvertently navigated to a website hosting mining scripts, we
recommend purging cache and other browser data.


In underground communities and marketplaces there has been
significant interest in cryptojacking operations, and numerous
campaigns have been observed and reported by security researchers.
These developments demonstrate the continued upward trend of threat
actors conducting cryptocurrency mining operations, which we expect to
see a continued focus on throughout 2018. Notably, malicious
cryptocurrency mining may be seen as preferable due to the perception
that it does not attract as much attention from law enforcement as
compared to other forms of fraud or theft. Further, victims may not
realize their computer is infected beyond a slowdown in system performance.

Due to its inherent privacy-focused features and CPU-mining
profitability, Monero has become one of the most attractive
cryptocurrency options for cyber criminals. We believe that it will
continue to be threat actors’ primary cryptocurrency of choice, so
long as the Monero blockchain maintains privacy-focused standards and
is ASIC-resistant. If in the future the Monero protocol ever
downgrades its security and privacy-focused features, then we assess
with high confidence that threat actors will move to use another
privacy-focused coin as an alternative.

Because of the anonymity associated with the Monero cryptocurrency
and electronic wallets, as well as the availability of numerous
cryptocurrency exchanges and tumblers, attribution of malicious
cryptocurrency mining is very challenging for authorities, and
malicious actors behind such operations typically remain unidentified.
Threat actors will undoubtedly continue to demonstrate high interest
in malicious cryptomining so long as it remains profitable and
relatively low risk.

*** This is a Security Bloggers Network syndicated blog from Threat Research authored by Threat Research Blog. Read the original post at: