According to webopedia.com, “Cryptomining malware, or cryptocurrency mining malware or simply cryptojacking, is a relatively new term that refers to software programs and malware components developed to take over a computer's resources and use them for cryptocurrency mining without a user's explicit permission. Cyber criminals have increasingly turned to cryptomining malware as a way to harness the processing power of large numbers of computers, smartphones and other electronic devices to help them generate revenue from cryptocurrency mining. A single cryptocurrency mining botnet can net cyber criminals more than $30,000 per month, according to a recent report from cybersecurity company Kaspersky Labs”.

“And unauthorized mining activity from cryptomining malware has become so prevalent that ad blocking firm AdGuard estimates more than 500 million users are mining cryptocurrencies on their devices without realizing it. These users either get infected by a cryptomining malware program or visit websites that stealthily run cryptomining software in the background without the user's consent”.

According to McAfee, the Santa Clara, California-based cybersecurity company, coin-mining malware increased by roughly 4,000 percent. In the fourth quarter of 2017 about 500,000 new coin-miner samples were recorded; by the end of the third quarter of 2018 the count had jumped to about 4 million. “Mining cryptocurrency via malware is one of the big stories of 2018,” McAfee said in its McAfee Labs Threats Report.

Cryptocurrency Mining

Cryptocurrency is a form of digital money designed to be secure and, in most cases, pseudonymous: funds are tied to public keys rather than to names. It relies on cryptography, mainly hash functions and digital signatures, not to hide purchases and transfers but to make them verifiable and tamper-evident: the transaction record is public, and only the holder of the matching private key can spend a given balance.

Cryptocurrency runs on a blockchain, an append-only ledger in which every transaction, and therefore the ownership of every unit of currency in circulation, is recorded. The ledger is maintained by miners, who run dedicated hardware to gather pending transactions into blocks. Each time transactions are made they check that the transactions are validly signed and do not double-spend, and then append the block to the chain, so that every transaction is processed in a way the whole network can verify.

Cryptocurrency mining therefore serves two functions: adding transactions to the blockchain (verifying and securing them) and releasing new currency as the block reward. Each block a miner adds must contain a proof-of-work, or PoW.

Mining needs a computer and a dedicated program with which miners compete against their peers to find a valid PoW. The "complicated mathematical problem" is really a brute-force search: the miner hashes the candidate block, which carries the transaction data, over and over with a changing nonce until the resulting hash falls below the network's target. There is no shortcut, which is why mining consumes every CPU or GPU cycle it can get, and why a miner running where it should not shows up as a process pinned at 100% CPU. At regular intervals one miner wins, the block is accepted, and the race starts again on the next block.
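The search loop described above, as an added illustration that is not code from the original page or from any real miner: a Bitcoin-style double-SHA-256 proof-of-work over a constructed block header, with a tunable number of leading zero bits as the difficulty. Monero-family coins, which the miners discussed later on this page target, use the memory-hard CryptoNight family instead of SHA-256, but the structure of the loop is the same. The header contents and the difficulty values are assumptions chosen so that the example runs in seconds.

```python
import hashlib


def sample_header():
    """Constructed stand-in for a block header: previous-block hash || merkle root.
    Not a real block; assumed for this example."""
    return (hashlib.sha256(b"previous block").digest()
            + hashlib.sha256(b"transactions").digest())


def block_hash(header, nonce):
    """Bitcoin-style double SHA-256 over header || nonce (nonce as 8 little-endian bytes)."""
    data = header + nonce.to_bytes(8, "little")
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest, difficulty_bits):
    """The PoW is valid when the digest, read as a 256-bit integer, is below the target,
    i.e. it begins with at least `difficulty_bits` zero bits."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(header, difficulty_bits):
    """Brute-force nonces until the block hash meets the target.
    Returns (nonce, digest, attempts); expected attempts grow as 2**difficulty_bits,
    and every attempt is one more hash the CPU has to compute."""
    nonce = 0
    while True:
        digest = block_hash(header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest, nonce + 1
        nonce += 1


def verify(header, nonce, difficulty_bits):
    """Checking a PoW costs a single hash, however long the search took."""
    return meets_target(block_hash(header, nonce), difficulty_bits)


if __name__ == "__main__":
    header = sample_header()
    nonce, digest, attempts = mine(header, 20)  # ~1M hashes, a few seconds in CPython
    print(f"nonce={nonce} attempts={attempts} hash={digest.hex()}")
    assert verify(header, nonce, 20)
```

Raising `difficulty_bits` by one doubles the expected work for the miner while leaving verification at one hash; that asymmetry is what lets the network check blocks cheaply and is also why a cryptojacker needs as many stolen CPUs as it can get.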

TXHunter Detects Cryptocurrency Mining Malware

TXHunter detects cryptocurrency mining malware by its behavior: the hashing algorithm it runs, the hashes it creates and submits, its memory and CPU usage, and its network activity and traffic contents. A detailed description is included in the white paper.

For example, Watchbog is a trojan that infects Linux servers and turns them into a cryptomining botnet. When it runs it poses as the legitimate watchdog service; note the spelling, "bog" rather than "dog", chosen so that a quick look at the process list passes over it. If no watchbog process is running, it downloads watchbog again and restarts the mining process. TXHunter detects Watchbog by its CryptoNight hashing algorithm, its 100% CPU usage, and its network activity.

In another example, TXHunter detects the Sysupdate mining malware by its CryptoNight algorithm and its network activity. Sysupdate uses a script, update.sh, to start two fake system services, SysUpdate and networkservice, and it constantly opens outbound connections that sit in the SYN_SENT state as it scans other networks. It also runs a guard process, sysguard, alongside the main mining process. The following reports show TXHunter's detection.
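The behavioral checks described for Watchbog and Sysupdate above, written out as an added example; this is not TXHunter's code and does not reproduce its white paper. It triages constructed `ps` and `netstat` output for the indicators the page names: a process name one letter away from a real daemon (watchbog vs watchdog), a process pinned near 100% CPU, the sysupdate/sysguard pair, a pile of half-open SYN_SENT connections from scanning, and an established session to a port typical of mining pools. The daemon list, the pool-port list, the thresholds and the sample output are all assumptions for this example, not facts from the page or from any capture.

```python
"""Behavioral triage of a Linux host for miner indicators (added example, not TXHunter code)."""

# Legitimate daemon names miners like to imitate (assumption: small illustrative list).
KNOWN_DAEMONS = sorted({"watchdog", "kworker", "ksoftirqd", "systemd", "sshd", "cron"})
# TCP ports commonly used by public pool stratum endpoints (assumption for this example).
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
CPU_THRESHOLD = 90.0      # percent CPU one process sustains
SYN_SENT_THRESHOLD = 20   # half-open outbound connections that suggest scanning

# Constructed `ps -eo pid,pcpu,comm,args --no-headers` output, not a real capture.
PS_SAMPLE = """\
    1  0.0 systemd   /sbin/init
  812  0.0 watchdog  [watchdog/0]
 2231 99.7 watchbog  /tmp/watchbog
 2250  0.3 sshd      /usr/sbin/sshd -D
 3102 98.9 sysupdate /etc/sysupdate
 3105  0.1 sysguard  /etc/sysguard
 3107  0.2 networkservice /etc/networkservice
"""

# Constructed `netstat -tan` output: one sshd session, 25 half-open scan attempts,
# and one established session to a pool-style port on a TEST-NET-3 address.
NETSTAT_HEADER = "Proto Recv-Q Send-Q Local Address           Foreign Address         State\n"
NETSTAT_SAMPLE = (
    NETSTAT_HEADER
    + "tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED\n"
    + "".join(f"tcp        0      1 10.0.0.5:{41000 + i}          10.0.1.{i}:8080             SYN_SENT\n"
              for i in range(1, 26))
    + "tcp        0      0 10.0.0.5:41500          203.0.113.7:3333        ESTABLISHED\n"
)


def edit_distance(a, b):
    """Levenshtein distance, used to catch 'watchbog' sitting one letter from 'watchdog'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_ps(text):
    """Turn ps lines into dicts with pid, pcpu, comm and args."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        procs.append({"pid": int(parts[0]), "pcpu": float(parts[1]), "comm": parts[2],
                      "args": parts[3] if len(parts) == 4 else ""})
    return procs


def parse_netstat(text):
    """Return (number of SYN_SENT sockets, set of peer ports with ESTABLISHED sessions)."""
    syn_sent, peer_ports = 0, set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue
        port, state = int(parts[4].rsplit(":", 1)[1]), parts[5]
        if state == "SYN_SENT":
            syn_sent += 1
        elif state == "ESTABLISHED":
            peer_ports.add(port)
    return syn_sent, peer_ports


def find_miner_indicators(ps_text, netstat_text):
    """Apply the behavioral checks described on the page and return readable findings."""
    findings = []
    procs = parse_ps(ps_text)
    names = {p["comm"] for p in procs}
    for p in procs:
        # 1. a name one edit away from a real daemon, but not the real daemon itself
        for real in KNOWN_DAEMONS:
            if p["comm"] != real and edit_distance(p["comm"], real) == 1:
                findings.append(f"pid {p['pid']}: '{p['comm']}' imitates daemon '{real}'")
        # 2. sustained CPU saturation: the PoW hash loop never idles
        if p["pcpu"] >= CPU_THRESHOLD:
            findings.append(f"pid {p['pid']}: '{p['comm']}' at {p['pcpu']}% CPU")
    # 3. Sysupdate's guard process running beside the miner
    if {"sysupdate", "sysguard"} <= names:
        findings.append("sysupdate running with companion guard process sysguard")
    syn_sent, peer_ports = parse_netstat(netstat_text)
    # 4. many half-open connections: the host is scanning for new victims
    if syn_sent >= SYN_SENT_THRESHOLD:
        findings.append(f"{syn_sent} connections in SYN_SENT: scanning behaviour")
    # 5. a live session to a port typical of mining pools
    for port in sorted(peer_ports & POOL_PORTS):
        findings.append(f"established connection to mining-pool port {port}")
    return findings


if __name__ == "__main__":
    for finding in find_miner_indicators(PS_SAMPLE, NETSTAT_SAMPLE):
        print(finding)
```

None of these signals is conclusive on its own: a legitimate batch job can sit at 100% CPU and a port scan can be an authorised audit. The value is in the combination, which is why the checks report every matching indicator rather than stopping at the first.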

References

  1. Forrest Stroud, "Cryptomining Malware", Webopedia, https://www.webopedia.com/TERM/C/cryptomining-malware.html
  2. McAfee Labs Threats Report, December 2018, https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-dec-2018.pdf
  3. Benzinga, https://m.benzinga.com/article/9953629
  4. NJCCIC, Cryptocurrency Mining Malware Variants: Watchbog, https://www.cyber.nj.gov/threat-profiles/cryptocurrency-mining-malware-variants/watchbog
  5. Information Security Stack Exchange, question on the watchbog process, https://security.stackexchange.com/questions/201263/a-process-called-watchbog-is-mining-crypto-currency-in-our-server-how-do-i-st
  6. Trend Micro, "Watchbog Exploits Jira and Exim Vulnerabilities to Infect Linux Servers With Cryptocurrency Miner", https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/watchbog-exploits-jira-and-exim-vulnerabilities-to-infect-linux-servers-with-cryptocurrency-miner