Cryptocurrency and its role in malware
Introduction
As technology develops, everything built on it develops with it. Malicious techniques are always the fastest to adapt to new technologies, and they have already jumped on the bandwagon of exploiting cryptocurrency.
In general, in a cryptocurrency network the amount of available coins is fixed: globally there is always the same amount of coins, and their value is set by the principle of supply and demand.
It has been stated that the goal behind the creation of these new currencies is to decentralize economic transactions, that is, to achieve a model where such transactions do not have to pass through a third party (a banking or other institution) but only need to be validated by other network nodes.
Bitcoin, Ethereum, Monero and Litecoin are the most widely known cryptocurrencies. All of them share the same concept, but their differences make each more or less attractive for particular uses.
Monero, the malware developers' preferred cryptocurrency
Monero is a cryptocurrency whose priority is privacy; to achieve this, its network nodes do not know which users take part in a transaction or the amount of coins being transferred. It also advocates more egalitarian mining.
The anonymity of transactions with this cryptocurrency is achieved by implementing a variant of the CryptoNote protocol, the CryptoNight PoW hash function. Both implement ring signature functions that bury the sender's identity among data from other transactions, the receiver's identity among stealth addresses from other transactions, and the transferred amount in the confidential transactions enabled by the ring. The sender, the receiver and the amount are therefore hidden among other addresses, hindering any attempt to track any element of the transaction. Only the sender and the receiver know their identities and the amount transferred.
The features of these functions obfuscate the blockchain. Monero's anonymity makes it a fungible (interchangeable) currency, where any sum may be replaced by another sum of the same value. This prevents wallet blacklisting.
Another feature of this cryptocurrency is that it was designed to hinder mining on application-specific integrated circuits (ASICs). Monero mining is therefore more egalitarian, favouring conventional processors and graphics cards.
These characteristics have made Monero one of the currencies most used by malware developers, since it provides anonymity and its mining is designed to be carried out on the most common devices: computers, laptops, servers, smartphones and tablets.
Mining costs
To put it simply, creating new coins (the process known as mining) consists of computing hashes until one is found that can be added to the blockchain.
Not all generated hashes are valid: they must be built in a certain manner. For Bitcoin, for example, they must end in a certain number of zeroes. This makes finding a valid hash a complex process, and one that grows more complex over time, since the input parameters keep growing, which means longer calculation times for the hash function and fewer chances of finding a valid hash to add to the blockchain.
Mining costs therefore keep rising, both in terms of high-end devices and of energy.
For example, a domestic computer with a medium-range processor and graphics card, with a maximum consumption of 400 W including all internal and external components (screen, peripherals, computer, loudspeakers), used for round-the-clock mining at a rate of 0.13 €/kWh has a monthly cost of 18.20 € and an annual cost of 221 €. This does not include the cost of the devices themselves or the wear and tear associated with the process, which keeps the devices under constant high stress.
When an attacker runs the mining code on hardware that is not their own, they obtain a direct benefit, since they do not need to invest in hardware or maintenance or pay for the power used.
Real Cases
We are currently detecting more and more cases of malware that uses cryptocurrency to obtain direct benefits, although there are still cases where cryptocoins are simply used as the payment in an extortion.
Cryptojacking
This mining method is becoming increasingly popular. It consists of mining JavaScript injected into a webpage so that, when a user visits it from their browser, the script uses their hardware resources to mine cryptocurrency without their consent.
A rather well-known case is the Browsealoud plugin, which has affected even governmental pages. This plugin was used to make webpages more accessible for visually impaired persons (such as those with colour-blindness or dyslexia). In the cases detected, Browsealoud's source code had been modified to include Coinhive, a Monero mining script.
Other pages open a new browser window that the mining script positions behind the clock on the device's taskbar, so that the script keeps running, and keeps mining surreptitiously, even when the user thinks they have closed the page or the browser.
Attacks on critical infrastructures
Industrial Control Systems (ICS) have also been affected by this new wave of malware designed for cryptocurrency mining. Radiflow, a security company, detected that the systems of a water purification plant had been compromised in such a way that the SCADA industrial control system devoted its processing resources to cryptocurrency mining. This was detected thanks to the external HTTP requests made by the script.
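The detection path described above, external HTTP requests from hosts that should never leave the plant network, can be checked mechanically. The following Python sketch is an added example (not part of the original article and not Radiflow's tooling): it reads constructed proxy log lines, flags requests from an assumed list of ICS hosts to any destination outside private address space, and additionally tests whether those requests are evenly spaced, which is an assumption about how a script reporting to a pool behaves.

```python
"""Flag HTTP requests from ICS hosts that leave the private address space.
Added example, not part of the original article or any vendor tooling;
log format, host list and domain are constructed for illustration."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed: SCADA/HMI hosts that should only ever talk to internal systems.
ICS_HOSTS = {"10.20.0.5", "10.20.0.7"}

# Constructed proxy log lines: "<HH:MM:SS> <src_ip> <method> <url> <status>"
LOG_LINES = """\
10:00:01 10.20.0.5 GET http://10.20.0.9/historian/api 200
10:00:07 10.20.0.5 POST http://miner-pool.example/submit 200
10:00:08 10.20.0.7 GET http://10.20.0.9/historian/api 200
10:00:37 10.20.0.5 POST http://miner-pool.example/submit 200
10:00:40 10.30.1.2 GET http://www.example.net/ 200
10:01:07 10.20.0.5 POST http://miner-pool.example/submit 200
""".splitlines()
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (\S+) (\S+) (\d{3})$")

def is_external(url):
    """True unless the URL host is a private IP address. A DNS name counts
    as external: an ICS host has no business resolving public names."""
    host = urlparse(url).hostname or ""
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        return True

def external_requests(lines, ics_hosts=ICS_HOSTS):
    """Return {src_ip: [(time, url), ...]} for ICS hosts reaching outside."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        time, src, _method, url, _status = m.groups()
        if src in ics_hosts and is_external(url):
            hits[src].append((time, url))
    return dict(hits)

def is_periodic(times):
    """True when successive requests are evenly spaced: the polling rhythm
    of a script reporting to a pool, not of a person clicking links."""
    secs = [sum(int(p) * w for p, w in zip(t.split(":"), (3600, 60, 1))) for t in times]
    gaps = [b - a for a, b in zip(secs, secs[1:])]
    return len(gaps) >= 2 and len(set(gaps)) == 1
```

On the constructed log, only 10.20.0.5 is flagged, with three requests exactly 30 seconds apart; the non-ICS host 10.30.1.2 browsing a public site is ignored.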
Monero as a payment currency
Monero is also being used as a payment currency in ransomware cases. The creators of Kirk, a Star Trek-themed ransomware, require the ransom to be paid in Monero. The switch from the more traditional payment in bitcoins is explained by the fact that Monero allows attackers to make anonymous transfers.
Old acquaintances that have adapted to the new changes: WannaMine
So you thought you would not hear from WannaCry anymore? Wrong. Recently, a variant called WannaMine has been detected. It exploits the same vulnerability as its twin, using the EternalBlue exploit. Although the procedure is the same, the purpose is different. Rather than extorting the victim by encrypting their data and demanding a ransom, this variant quietly installs malware that devotes the device's resources to cryptocurrency mining. The victim thus unknowingly becomes part of the botnet and infects related devices. Currently more than 500,000 devices are affected by this malware.
[Update 20/07/2023]
The malware campaigns seen these days are limited only by their developers' imagination in finding new ways to mine cryptocurrency without the owner of the hardware being aware of it.
Protective measures
To protect against mining malware, the following specific measures can be taken.
- Strict access and permission control: rigorous access control and user privilege management policies help prevent the unauthorized installation or execution of malicious software, including mining software. This involves limiting users' rights to install unapproved browser extensions and keeping settings under constant control to prevent unauthorized modifications.
- Monitor the activity of our systems: to detect whether our systems are affected, it is crucial to keep a historical record of resource consumption that reflects all of their activity. This makes it easier to spot unexpected or unusual spikes that may indicate malicious activity, since mining processes consume a lot of resources such as CPU or memory. All that extra computing also raises energy consumption, which is another possible indicator of malicious activity.
- Investigate suspicious processes: once suspicious activity has been identified, it is critical to investigate which processes are causing it and determine whether they are malicious. To do this, check the process explorer of our operating system or browser. Once identified, they can be properly removed.
- Use safe browsing software: there are specific anti-malware solutions, such as CryptoMining Blocker or MinerBlock, designed to detect and neutralize these threats; they usually include suspicious-URL blocking as well as detection and neutralization of anomalous behaviour in browsers. Some desktop solutions also feature machine learning capabilities to detect new malware variants that have not yet been catalogued.
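The monitoring and investigation measures above (a historical record of resource consumption, then pinning unusual load on a process) can be turned into a simple check. The following Python block is an added example, not the article's own code: it works on constructed per-process CPU samples, distinguishes a sustained high-CPU run (what a miner looks like) from short legitimate bursts, and compares a recent window against the historical baseline. Process names, thresholds and window sizes are assumed values.

```python
"""Detect sustained CPU consumption characteristic of mining processes.
Added example, not part of the original article. Input is a list of
(minute, process_name, cpu_percent) samples such as a monitoring agent
might export; process names and thresholds are assumed values."""
from collections import defaultdict

def constructed_samples():
    """Constructed data: 30 one-minute samples for three processes.
    backup.exe shows short legitimate bursts; browser.exe pins the CPU
    for the last 15 minutes, as a cryptojacking tab would."""
    samples = []
    for minute in range(30):
        samples.append((minute, "explorer.exe", 2.0))
        samples.append((minute, "backup.exe", 95.0 if minute % 10 == 0 else 5.0))
        samples.append((minute, "browser.exe", 90.0 if minute >= 15 else 10.0))
    return samples

def sustained_high_cpu(samples, threshold=80.0, min_consecutive=10):
    """Return {process: longest_run} for processes at or above `threshold`
    percent CPU for at least `min_consecutive` consecutive samples. Short
    bursts (a backup job, a compile) do not qualify; a miner does."""
    by_proc = defaultdict(list)
    for _minute, name, cpu in sorted(samples):
        by_proc[name].append(cpu)
    flagged = {}
    for name, series in by_proc.items():
        run = best = 0
        for cpu in series:
            run = run + 1 if cpu >= threshold else 0
            best = max(best, run)
        if best >= min_consecutive:
            flagged[name] = best
    return flagged

def spike_vs_baseline(samples, baseline_minutes, factor=2.0):
    """Compare the mean total CPU of the recent window with the historical
    baseline window (the 'historical record' the text recommends keeping).
    Returns (baseline_mean, recent_mean, is_spike)."""
    total = defaultdict(float)
    for minute, _name, cpu in samples:
        total[minute] += cpu
    baseline = [total[m] for m in sorted(total) if m < baseline_minutes]
    recent = [total[m] for m in sorted(total) if m >= baseline_minutes]
    b_mean, r_mean = sum(baseline) / len(baseline), sum(recent) / len(recent)
    return b_mean, r_mean, r_mean >= factor * b_mean

if __name__ == "__main__":
    data = constructed_samples()
    print(sustained_high_cpu(data))     # {'browser.exe': 15}
    print(spike_vs_baseline(data, 15))  # (29.0, 103.0, True)
```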
Conclusions
The growing popularity of cryptocurrencies and their diversification into new emerging forms, such as Non-Fungible Tokens (NFT), has brought new lucrative and business opportunities, both for legitimate users and malicious actors. However, this boom is not without risks, with mining malware being one of the most prominent.
It is therefore crucial to remain vigilant and adopt the relevant security measures to prevent such threats. These should include the use of up-to-date security solutions, continuous monitoring of resource usage, promotion of safe browsing practices, awareness training to avoid social engineering attacks or any other malware entry vector, and the use of backups, in case it ultimately becomes necessary to restore the system to a safe state.