The recent discovery of the Loapi mining Trojan – a multi-faceted piece of malware with potentially device-killing consequences for users of Android hardware – has thrown the spotlight onto an emerging trend in malicious software design. This involves the engineering of malware code aimed at co-opting the system resources of a victim’s hardware, for the purpose of mining cryptocurrencies.
This process has been dubbed “cryptojacking”, and its methodology and implications for cyber-security will form the basis of discussion for this article.
Cryptojacking – Incentives for Bad Behavior
Frenetic activity continues in the cryptocurrency sector, with recent dramatic hikes and plunges in the value of Bitcoin and other denominations hitting the mainstream news. With such wild fluctuations and the relative immaturity of the market, there’s plenty of money to be made – and not only by the investors.
Cryptocurrencies are generated through the digital process of mining, whereby users participating in a mining scheme dedicate a proportion of their system’s processing power to solving computationally intensive mathematical problems, in anticipation of being awarded cryptocurrency for a successful calculation.
Many cryptocurrency miners across the globe submit to this process willingly, as a potential revenue stream for themselves. But cyber-criminals have also warmed to the idea, and to the notion of tricking unsuspecting computer owners into contributing their system resources to the mining effort unwittingly.
It’s been estimated that 220 of the top 1,000 websites in the world are conducting cryptojacking operations, making a total of $43,000 over a three-week period. Though some of them are doing it with the consent of their site visitors, the majority of cryptojackers are working under a veil of secrecy.
It’s a cheaper and lower-risk strategy than ransomware distribution – and offers the potential for far greater financial rewards, over a sustained period. And there’s an entire ecosystem emerging to assist these perpetrators in their cryptojacking efforts.
Mining activity for Bitcoin (the most high-profile of the cryptocurrencies) is a complex process requiring specialized hardware and a huge amount of energy. It’s been estimated that each Bitcoin mining transaction consumes enough energy to boil around 36,000 kettles filled with water – and that in a single year, the global Bitcoin mining operation consumes more energy than the Republic of Ireland.
Lacking such huge resources, “citizen” cryptocurrency miners therefore turn to less intensive alternatives such as Monero, which can be mined without specialized computing equipment.
Coinhive’s in-browser Monero miner was snapped up almost immediately by the torrenting website The Pirate Bay, which pitched the donation of some processor time by its users as an alternative to in-page advertising. Coinhive clones of various stripes have been emerging ever since.
Many developers of these mining programs are touting them as an alternative revenue stream for websites, and some sites have already adopted a “mining with consent” policy in fund-raising for charitable causes such as disaster relief. Coinhive has introduced a new version of its product, known as AuthedMine, which requires authorization/consent from users before their systems can be co-opted for Monero mining.
But with the vast majority of cryptocurrency mining software offering no opt-in or opt-out choices to the user – and with the programs typically running discreetly beneath the surface – unsuspecting web surfers are still very much victims of the cryptojacking phenomenon.
No Need to Install
Attackers have already succeeded in introducing cryptojacking scripts onto the Showtime and PolitiFact websites, and onto eCommerce platforms. A Starbucks Wi-Fi hotspot in Buenos Aires, Argentina was hijacked in December 2017 by enterprising hackers who tapped into the system resources of fellow coffee-drinkers to boost their mining efforts.
And in January of this year, cryptojacking code was discovered in Archive Poster, a Chrome browser extension designed to facilitate user interactions with Tumblr posts stored in archives. The extension has since been withdrawn, but given their relative ease of construction, we can expect to see more variants on the Monero-mining code popping up (or rather, hiding in the shadows), in future.
There’s been less of an uproar over the cryptojacking trend than for some malware phenomena such as ransomware, as the in-browser code now doing the rounds is often subtle (creating little discernible impact on a victim’s system performance), and not actively doing damage to information or files.
However, this isn’t to suggest that cryptojacking has zero consequences. Besides the deceit and privacy violation of software that runs without a user’s knowledge or consent, there can be discernible effects on enterprise networks affected by the software, and for victims of cryptojacking using mobile devices.
For the enterprise, the stolen CPU cycles of a massive cryptojacking exercise could slow down network operations and have a negative impact on business continuity and overall system availability. Time, money, and effort devoted to IT troubleshooting and help desk activities in tracing the root of the problem and replacing network components or complete systems might also take a serious toll.
Individual computer or mobile device owners will typically notice a slowing down of their systems if affected by a cryptojacking attack. If the assault continues for any length of time, the increased load on their processor may lead to rising device or system temperatures, and thermal stresses on their batteries. In extreme cases (such as with the Loapi mining Trojan), the rise in battery temperature may be sufficiently high to kill off a smartphone or tablet, entirely.
When you bear in mind that many perpetrators rely on a combination of in-browser cryptojacking scripts and targeted malware for their operations, the risk to mobile hardware remains a real one.
Counter-Measures and Protection
As cryptocurrency mining code is being developed with an eye to thwarting signature-based methods of detection, standard anti-virus and endpoint protection tools are not a reliable defense against cryptojacking.
Far more effective is the creation of a safer browsing environment, through the installation and proper configuration of ad-blocking and anti-cryptomining extensions. Web filtering tools should also be regularly updated to reflect the discovery of websites and pages that deliver cryptojacking scripts.
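A minimal version of the web-filter check described above, as an added example (not code from the article or from any vendor): it extracts external script sources from a page, matches their hosts against a blocklist of mining-script domains, and separates consent-gated (AuthedMine-style) miners from silent ones. The blocklist hostnames and the sample HTML are constructed placeholders, not real miner domains or captured traffic.

```python
"""Flag pages that pull in known cryptojacking scripts (added example).

Constructed blocklist: hostnames are placeholders, not real miner domains.
A host tagged "consent" models an AuthedMine-style miner that asks the user
first; anything else on the list is treated as a silent miner.
"""
import re
from urllib.parse import urlparse

# Constructed blocklist (placeholders). Real deployments pull this from a
# regularly updated threat feed, as the article recommends.
MINER_HOSTS = {
    "miner.example": "silent",
    "authed.miner.example": "consent",
}

SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def script_host(src: str, page_host: str) -> str:
    """Resolve a script src to its hostname; relative paths belong to the page."""
    if src.startswith("//"):                      # scheme-relative URL
        src = "https:" + src
    host = urlparse(src).hostname
    return (host or page_host).lower()


def match_blocklist(host: str):
    """Return the blocklist verdict for host or any of its parent domains."""
    labels = host.split(".")
    for i in range(len(labels) - 1):              # most specific match first
        verdict = MINER_HOSTS.get(".".join(labels[i:]))
        if verdict:
            return verdict
    return None


def scan_page(html: str, page_url: str) -> dict:
    """Classify every external script on a page: silent, consent, or clean."""
    page_host = (urlparse(page_url).hostname or "").lower()
    findings = {"silent": [], "consent": [], "clean": []}
    for src in SCRIPT_SRC.findall(html):
        host = script_host(src, page_host)
        findings[match_blocklist(host) or "clean"].append(host)
    return findings


def should_block(findings: dict) -> bool:
    """Block when a silent miner is present; consent-gated ones are a policy call."""
    return bool(findings["silent"])


# Constructed sample page, not captured traffic.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src='//cdn.miner.example/lib/miner.min.js'></script>
<script src="https://authed.miner.example/authedmine.min.js"></script>
</head></html>"""

if __name__ == "__main__":
    result = scan_page(SAMPLE_HTML, "https://news.example/article")
    print(result, "block" if should_block(result) else "allow")
```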
A mobile device management (MDM) system can facilitate the enterprise-wide enforcement of whitelisted sites and applications, and remains the best option for organizations which maintain a Bring Your Own Device (BYOD) policy.
As far as security awareness training goes, efforts should focus on educating users to identify and avoid social engineering and phishing strategies which aim at steering victims to sites operating cryptojacking scripts, or facilitating the infection of user devices with cryptocurrency mining malware.