Cryptocurrency malware

Bitcoin Popularity Gives Rise to Cryptocurrency-Themed Malware

Amidst the surge of Bitcoin’s popularity, other cryptocurrencies have also risen along with it.

As of December 4, 2017, Bitcoin is worth near $11,000. Other cryptocurrencies have also increased their value. For example, Monero cryptocurrency is now worth $201. Bitcoin was introduced in 2009 and Monero in 2014.

Contrary to popular perception, Bitcoin transactions aren’t anonymous. All Bitcoin transactions are public records and can be tracked. Monero, meanwhile, markets itself as an anonymous cryptocurrency, claiming that a single Monero coin can’t have its entire transaction history revealed.

Both Bitcoin and Monero are cryptocurrencies that need to be mined. Cryptocurrency mining is defined as the process by which transactions are verified. It’s also a means by which a cryptocurrency or digital coin is released. For their effort and use of hardware, miners are given a small share of the cryptocurrency.

In the past, anyone with a PC could mine Bitcoin. Nowadays, only those who own computers with huge computing power can mine Bitcoin. Monero, on the other hand, can be mined by just anybody with just the use ordinary desktops, laptops and even smartphones.

Cryptocurrency-Themed Malware

Candid Wuest, security researcher at Symantec, told the BBC that malicious software (malware) connected with cryptocurrency increases “tenfold”. “There’s been a huge spike,” said Wuest, adding that this surge had been caused by the rapid rise in Bitcoin’s value.

Malwarebytes’ security researcher Jerome Segura, meanwhile, told the BBC that Malwarebytes blocked nearly 250 million attempts to place cryptocurrency malware on to PCs.

Adylkuzz Cryptocurrency Malware

Adylkuzz is a malware that installs the code used to mine the cryptocurrency Monero without the knowledge and consent of the computer owner.

The Monero mining code is maliciously installed by Adylkuzz into a computer by exploiting a Windows operating system vulnerability called “EternalBlue”. The ransomware WannaCry also exploited the same vulnerability in Windows operating system. Unlike WannaCry which can self-propagate on its own to infect others, Adylkuzz has no self-propagation capacity.

Monero mining – courtesy by Adylkuzz malware – operates in the background and users of compromised computers are unlikely to notice this unauthorized activity.

Cryptojacking

Cryptojacking refers to the malicious installation of crypto mining software in a website without the knowledge and consent of the owner as well as lack of knowledge and consent of website visitors.

Coinhive is a software that enables cryptocurrency miners to install Monero cryptocurrency mining code on a website using JavaScript. Coinhive operates on the premise that cryptocurrency mining can be a means for website owners to earn revenue, in lieu of advertising.

Once CoinHive is installed in a website, the CPU power of every site visitor is used for cryptocurrency mining. CoinHive requires a unique ID to which the crypto mining income is delivered. The more computers are compromised for crypto mining, the more Monero coins the attackers get. Earned Monero coins can easily be converted to Bitcoins by selling it to a number of trading exchanges that also allow anonymity.

There’s nothing wrong with utilizing cryptocurrency mining instead of the traditional advertising in websites. What’s unacceptable is when cryptocurrency mining code is installed without the authorization of the site owner as well as without the authorization of site visitors.

Early this month, one security researcher found Coinhive mining code on 2,496 online stores. It’s presumed that the installation of this crypto mining code on these online stores were done maliciously as these store owners are less likely to earn few extra money through crypto mining.

The researcher found that 85% of the 2,496 compromised stores are linked to only 2 CoinHive accounts, while the remaining 15% of the infected stores are linked to several unique CoinHive accounts.

In September of this year, Showtime websites – showtime.com and showtimeanytime.com – were found to be running Coinhive mining code. Following public exposure, the code has since been removed.

Malwarebytes’ security researcher Segura, meanwhile, discovered a technique that allows attackers to use the CPU power of every site visitor for cryptocurrency mining even if the visitor closes his or her browser.

Malwarebytes tested this discovery using the latest version of Google Chrome browser. The researchers at Malwarebytes observed the following process:

  1. Once a user visits a compromised website, the crypto mining code is then silently loaded.
  2. CPU power of the site visitor is used for cryptocurrency mining activity.
  3. Even when the user leaves the site and closes the Chrome browser, the CPU activity of the user still remains higher than normal as crypto mining continues.

Attackers fool users into believing that the browser is closed by hiding the browser under the taskbar’s clock. Resizing the taskbar will reveal this still operational browser. Below is the screencap of the hidden browser.

Hidden browser window

Image by Malwarebytes

“Nearly two months since Coinhive’s inception, browser-based cryptomining remains highly popular, but for all the wrong reasons,” Malwarebytes said. “Forced mining (no opt-in) is a bad practice, and any tricks like the one detailed in this blog are only going to erode any confidence some might have had in mining as an ad replacement.”

Coinhive, in a statement, said, “We’re a bit saddened to see that some of our customers integrate Coinhive into their pages without disclosing to their users what’s going on, let alone asking for their permission.”

How to Prevent Cryptocurrency Mining Attacks

Cryptocurrency mining is perfect for computers specifically meant for this purpose. Mining cryptocurrency, however, on desktop, laptops or smartphones on top of everyday usage has negative effects.

Crypto mining involves enormous calculations that ordinary computers aren’t meant to do. On smartphones, crypto mining can quickly deplete batteries. And across computing devices used for ordinary usage, crypto mining can decrease speed, efficiency and even damage the hardware.

Here are some tips on how to prevent cryptocurrency mining attacks:

Keep your Windows operating system up-to-date, to block, in particular, Adylkuzz malware as Microsoft already patched the vulnerability exploited by this malware.

To ensure that your browser stays close even after clicking the “x” button, run Task Manager and terminate running browser.