XMRig: Cryptomining Malware that Works Even Without Web Browser
The cryptocurrency market may have lost nearly 70% of its market cap from the all-time high of $835 billion in December 2017, but this hasn’t stopped malicious individuals from getting ready for the next cryptocurrency bull run by spreading cryptocurrency mining malware into the wild.
In the past few months, Coinhive, a cryptocurrency malware that runs in web browsers, has wreaked havoc on victims’ computers. But another cryptocurrency malware called “XMRig” is starting to make ripples, entering Check Point’s March 2018 top ten most wanted malware index in 8th place for the first time after a 70% increase in global impact.
Coinhive, ranked number one in Check Point’s March 2018 top ten most wanted malware, is malware that uses scripts to take over some of the processing power of website visitors’ computers, without their permission, to mine the cryptocurrency Monero.
Cryptocurrency mining is the process of verifying transactions and the means by which new coins are released. In order for transactions to be verified and coins to be released, the computational power of computers is used.
In an ideal world, owners of computers used for cryptocurrency mining should give their consent and should be compensated. Malicious actors bypass this consent aspect and reap all the financial gains for themselves.
What is XMRig?
The original XMRig is open-source software used to mine the cryptocurrency Monero on computers running the Windows operating system. The XMRig open source code is in itself not malicious. There are currently three software options available for mining Monero, but XMRig seems to be the choice among malicious actors.
There’s a demand for Monero as this cryptocurrency boasts easier mining and untraceable transactions. As of April 20, 2018 (10:30 am GMT+7) one Monero coin is worth $245.
Malicious actors, however, use the XMRig code to conduct illicit mining of Monero cryptocurrency by hijacking the computational power of the infected computers.
XMRig, used as a cryptocurrency malware, was first seen in the wild in May 2017. As of January 2018, Palo Alto Networks estimated that XMRig victimized nearly 15 million people worldwide. The actual number of victims, Palo Alto Networks said, could be much higher.
In September 2017, security researchers Peter Kálnai and Michal Poslušný reported that crooks made over $63,000 worth of Monero by modifying legitimate open source Monero mining software XMRig.
According to Kálnai and Poslušný, the malicious actors didn’t apply any changes to the XMRig codebase apart from adding a new wallet address, new mining pool URL and commands to “kill all previously running instances of itself so as not to compete with its new instance” – a process that takes more than just a couple of minutes.
It’s not unusual for malicious actors to reuse code. Attackers often don’t reinvent the wheel if they don’t have to.
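The modification described above (a stock XMRig build with only a wallet address and pool URL swapped in) suggests a host-side check that keys on the miner’s arguments rather than on the binary’s name. The following is an added example, not code from this article or from the XMRig project: it scans a constructed Windows process listing for a Monero-shaped wallet address and a pool endpoint passed through XMRig’s -o/--url option; the process names, pool host and wallet value are all hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Standard Monero address: 95 base58 characters, starting with '4' then [0-9AB].
MONERO_ADDR = re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b")
# Mining-pool endpoint: a stratum URL, or host:port given via XMRig's -o/--url option.
POOL_URL = re.compile(r"stratum\+(?:tcp|ssl)://\S+|(?:-o|--url)[=\s]+\S+:\d{2,5}\b")


@dataclass
class Finding:
    pid: int
    image: str
    wallet: Optional[str]
    pool: Optional[str]

    def confidence(self) -> str:
        # Wallet plus pool together is the exact change the researchers describe.
        return "high" if self.wallet and self.pool else "medium"


def scan_text(text: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (wallet, pool) indicators found in a command line or config text."""
    wallet = MONERO_ADDR.search(text)
    pool = POOL_URL.search(text)
    return (wallet.group(0) if wallet else None, pool.group(0) if pool else None)


def scan_process_list(procs: Iterable[Tuple[int, str, str]]) -> List[Finding]:
    """procs: (pid, image name, full command line), e.g. from 'wmic process get'."""
    findings = []
    for pid, image, cmdline in procs:
        wallet, pool = scan_text(cmdline)
        if wallet or pool:  # heuristic: either indicator alone is worth a look
            findings.append(Finding(pid, image, wallet, pool))
    return findings


# Constructed sample process list (hypothetical values, not real indicators).
SAMPLE_WALLET = "4A" + "B" * 93  # constructed address with a valid Monero shape
SAMPLE_PROCS = [
    (412, "chrome.exe", r"C:\Program Files\Google\Chrome\chrome.exe --type=renderer"),
    (1788, "svchosts.exe",  # renamed binary: detection keys on arguments, not the name
     f"svchosts.exe -o pool.example.invalid:3333 -u {SAMPLE_WALLET} -p x -k"),
    (2024, "notepad.exe", "notepad.exe C:\\Users\\admin\\notes.txt"),
]

if __name__ == "__main__":
    for f in scan_process_list(SAMPLE_PROCS):
        print(f"pid={f.pid} image={f.image} confidence={f.confidence()} pool={f.pool}")
```

The same two patterns can be run over an XMRig-style config file, since scan_text() only looks at the text it is given.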
Means of Propagation
Unlike Coinhive, the XMRig cryptocurrency malware doesn’t need a web browser in order to hijack the computational power of infected computers to mine the cryptocurrency Monero.
Here are two methods used by malicious actors to hijack the computational power of infected computers to conduct illicit mining of Monero:
1. Exploiting Known Vulnerability in Microsoft IIS 6.0
According to Kálnai and Poslušný, one of the means by which malicious actors propagate XMRig malware is by exploiting CVE-2017-7269, a known vulnerability in Microsoft IIS 6.0 within Windows Server 2003. By exploiting the vulnerability in Microsoft IIS 6.0, an unauthenticated, remote attacker can execute arbitrary code.
The code to exploit this vulnerability is publicly available. Microsoft hasn’t confirmed this particular security vulnerability, nor has it issued a software update for it. Technically, though, Windows Server 2003 has reached end of life (EOL), and as such Microsoft no longer issues software updates for it.
2. Malvertising Campaign
Adf.ly is an advertising service that pays users when their URLs are clicked. According to Palo Alto Networks, victims were presented with these Adf.ly advertising URLs, clicked on the provided link, were redirected and found themselves downloading the XMRig cryptocurrency malware onto their computers.
Server Operating System (OS) Attacks
Servers are particularly attractive to attackers as these machines have more computing power, run 24/7 and are connected to a reliable power source. The reality is that many organizations still use outdated server OS like Windows Server 2003. These outdated server OS are susceptible to repeated exploitation and infection by malware such as XMRig. Cryptocurrency malware like XMRig can slow server performance, shorten the lifespan of these machines and increase electricity consumption.
“Cryptomining malware has been quite the success story for cybercriminals, and XMRig’s rise indicates that they are actively invested in modifying and improving their methods in order to stay ahead of the curve,” Maya Horowitz, Threat Intelligence Group Manager at Check Point, said in a statement. “Besides slowing down PCs and servers, cryptomining malware can spread laterally once inside the network, posing a major security threat to its victims. It is therefore critical that enterprises employ a multi-layered cybersecurity strategy that protects against both established malware families and brand new threats.”
How to Prevent XMRig Cryptocurrency Malware Attacks
Here are some of the ways to prevent XMRig cryptocurrency malware attacks:
1. Use Up-to-Date Software, Server OS
In the case of Windows Server 2003, the vendor, Microsoft, has stopped issuing security updates, so attackers have a free pass on attacking this system, for instance by attacking a known vulnerability in Microsoft IIS 6.0 within Windows Server 2003.
It’s therefore important to keep your organization’s server OS and all other software up-to-date.
2. Use Ad Blocker
Another way to prevent XMRig cryptocurrency malware is to use an ad blocker. With an ad blocker, you and your staff will no longer be susceptible to a malvertising link that, once clicked, redirects and downloads the XMRig cryptocurrency malware onto computers. An ad blocker blocks pop-ups, banners, video ads and other intrusive advertising, as well as malware.