Mining malware in 2018: growth, Macs, the NSA and amateur cryptojackers
2017 was a big year for cryptojacking. It increased by 8,500 percent, according to figures published by Symantec in March. And it would seem that 2018 has so far been an even bigger year for mining malware, as the Cyber Threat Alliance September report revealed that, beginning on Jan. 1, cryptojacking still had room to increase by a further 500 percent.
However, beneath this simple outline of growth, there is a bigger, more complicated picture. Despite reports from some quarters showing that mining malware detections increased in the first two quarters of 2018, other reports suggest that they have in fact decreased.
And while the overall growth in mining malware since last year has been attributed to the volatility of cryptocurrency prices and the existence of software bugs, other factors have played a significant role, such as the involvement of amateur cryptojackers and the cost of mining legitimately.
If there's one dominant trend this year in the underworld of cryptojacking, it's that most mining malware focuses on Monero. Indeed, Palo Alto Networks revealed in July that Monero accounts for 84.5 percent of all detected malware, compared to 8 percent for Bitcoin and 7 percent for other coins.
The reason for this is simple: Monero (XMR) is not only a privacy coin, but also the most valuable privacy coin by market cap — and 10th overall. Using the Cryptonight proof-of-work (PoW) algorithm, it mixes the user's inputs with those of other users, and it also uses "ring confidential transactions" that obscure the amount of XMR being transferred. It's therefore ideal for cybercriminals.
Monero was already the most popular coin for cryptojackers in 2017, but a number of new developments have emerged in 2018 to distinguish this year from its predecessor. Most notably, cryptojacking is increasingly becoming the province of amateur 'hackers,' who are lured into the illicit activity by the cheap availability of mining malware and by obvious financial rewards. According to Russian cybersecurity firm Group-IB, the dark web is "flooded with cheap mining software," which can often be purchased for as little as $0.50.
Such software has become abundant this year: In 2017, Group-IB encountered 99 announcements regarding for-sale cryptojacking software on underground forums, while in 2018 it counted 477, signalling an increase of 381.8 percent. As the firm notes in its report:
"Low entry barrier to the illegal mining market results in a situation where cryptocurrency is being mined by people without technical expertise or experience with fraudulent schemes."
In other words, cryptojacking has become a kind of hobbyist crime, popular among thousands of amateur hackers. This would perhaps account for why there has been a marked increase in detections this year, with Kaspersky Labs informing Cointelegraph that the number of PC cryptojacking victims increased from 1.9 million in 2016/17 to 2.7 million in 2017/18. Evgeny Lopatin — a malware analyst at Kaspersky Lab – shared:
“The mining model […] is easier to activate and more stable [than other attack vectors]. Attack your victims, discreetly build cryptocurrency using their CPU or GPU power and then transfer that into real money through legal exchanges and transactions.”
Of course, whenever “detections” are mentioned, the possibility arises that any increase is largely the result of an improvement in detection measures. “However, this is not the main driver here, as we see actual growth,” says Lopatin.
“Our analysis shows that more and more criminals increasingly use crypto miners for malicious purposes across the world.”
McAfee noted in a report from April that the vast majority of its detections were of CoinMiner, a piece of malware that surreptitiously inserts code taken from the CoinHive XMR mining algorithm into the victim's computer. This occurs when the victim downloads an infected file from the web, but what's new in 2018 is that such a vulnerability now affects Apple Macs as well, which had previously been regarded as much more secure than its Windows rivals.
This development was noted by United States security firm Malwarebytes, which in a May blog post reported on the discovery of a new malicious crypto miner that harnesses the legit XMRig miner. Thomas Reed, the director of Mac and mobile at the company, wrote:
"Often, Mac malware is installed by things like fake Adobe Flash Player installers, downloads from piracy sites, [and] decoy documents users are tricked into opening."
In fact, this wasn't the first piece of Mac mining malware it had discovered, with Reed stating that it "follows other cryptominers for macOS, such as Pwnet, CpuMeaner and CreativeUpdate."
However, while cryptojacking has become more of an amateur-driven phenomenon, it still remains the case that many of this year’s exploits can be traced to more 'elite' sources. Cybersecurity firm Proofpoint reported at the end of January that Smominru, a cryptojacking botnet, had spread to over half a million computers — largely thanks to the National Security Agency, which had discovered a Windows bug that was then leaked online.
This vulnerability is better known as EternalBlue, which most famously was responsible for the WannaCry ransomware attack/incident of May 2017. And according to Cyber Threat Alliance (CTA), it's another big factor in this year's 459 percent increase in cryptojacking.
Worryingly, the CTA's report suggests that cryptojacking is only likely to increase as it becomes more successful and profitable:
"[Cryptojacking's] influx of money could be used for future, more sophisticated operations by threat actor groups. For instance, several large-scale cryptocurrency mining botnets (Smominru, Jenkins Miner, Adylkuzz) have made millions of dollars."
And things are already bad enough in the present, with the CTA writing that infection by mining malware comes with steep costs for victims.
"Taken in aggregate, when criminals install cryptocurrency miners in large enterprise networks, the costs in excess energy usage, degraded operations, downtime, repairs of machines with physical damage and mitigation of the malware in systems incurred by the victims far outweigh the relatively small amount of cryptocurrency the attackers typically earn on a single network."
The mention of costs is significant when it comes to cryptojacking, not just for (potential) victims, but also for perpetrators. That's because cryptojacking is essentially the theft of electricity and CPU, which implies that it will continue being prevalent not only for as long as Monero and other coins remain valuable, but also for as long as it remains expensive to mine XMR and other cryptos.
According to CryptoCompare's profitability calculator for Monero, an individual U.S.-based miner using a graphics card capable of a 600 H/s hash rate (e.g., the Nvidia GTX 1080) and using 100W of power (a very conservative estimate) will make only $0.8033 in profit every month. This, clearly, isn't especially promising, which is a large part of the reason why so many amateurs have turned to cryptojacking, since mining XMR while paying for your own electricity just isn't fruitful when you're not a big mining company.
There are, however, recent signs that Monero mining has become more profitable, even for the smaller miner. This came after its hard fork on April 6, which changed its PoW protocol so as to make it incompatible with ASIC miners, which tend to dominate mining (particularly in the case of Bitcoin).
As soon as this hard fork was completed, reports came from the Monero subreddit that profitability had increased by 300 percent or even 500 percent, although this boost was soon lost in the following weeks, according to BitInfoCharts.
Likewise, Monero itself has been cautious with regard to promising that it can resist ASIC mining equipment forever. "Thus, it is recognized that ASICs may be an inevitable development for any proof-of-work [cryptocurrency]," wrote developers dEBRYUNE and dnaleor in a February blog. "We also concede that ASICs may be inevitable, but we feel that any transition to an ASIC-dominated network needs to be as egalitarian as possible in order to foster decentralization."
Assuming that it has become more profitable to mine XMR legitimately, this would account for a flattening in cryptojacking growth that has been observed by some cybersecurity firms. In its Q2 2018 report, Malwarebytes revealed that mining malware detections dropped from a peak of 5 million at the beginning of March, to a low of 1.5 million at the beginning of June. This decline may contradict what other analysts have reported this year, but given that Malwarebytes' research is the most recent in terms of the dates covered, it's arguably the most authoritative.
It's not clear whether this decline is the result of an increase in profitability for legit Monero miners, of business and individuals wising up to the threat of cryptojacking, or of a general decline in the value of cryptocurrencies. Regardless, Malwarebytes predict that "Cryptocurrency miners will be going out of style" as a cybersecurity threat. "Of course, we are still going to see plenty of miners being distributed and detected," its report concludes. "However, it looks like we are at the tail end of the ‘craze.'"