Cybercriminals gave cryptocurrencies a bad name when ransomware started instructing victims to pay ransom in the form of digital currencies, most notably Bitcoin, the first and most popular of these currencies. It was not an unexpected move – digital currencies provide the anonymity that cybercriminals desire. The sharp increase in the value of digital currencies is a windfall for cybercriminals who have successfully extorted Bitcoins from ransomware victims.
These dynamics are driving cybercriminal activity related to cryptocurrencies and have led to an explosion of cryptocurrency miners (also called cryptominers or coin miners) in various forms. Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger. This process rewards coins but requires significant computing resources.
Coin miners are not inherently malicious. Some individuals and organizations invest in hardware and electric power for legitimate coin mining operations. However, others are looking for alternative sources of computing power; as a result, some coin miners find their way into corporate networks. While not malicious, these coin miners are not wanted in enterprise environments because they eat up precious computing resources.
As expected, cybercriminals see an opportunity to make money and they customize coin miners for malicious intents. Crooks then run malware campaigns that distribute, install, and run the trojanized miners at the expense of other people’s computing resources. On March 6, Windows Defender Advanced Threat Protection (Windows Defender ATP) blocked a massive coin mining campaign from the operators of Dofoil (also known as Smoke Loader).
In enterprise environments, Windows Defender ATP provides the next-gen security features, behavioral analysis, and cloud-powered machine learning to help protect against the increasing threats of coin miners: Trojanized miners, mining scripts hosted in websites, and even legitimate but unauthorized coin mining applications.
Coin mining malware
Cybercriminals repackage or modify existing miners and then use social engineering, dropper malware, or exploits to distribute and install the trojanized cryptocurrency miners on target computers. Every month from September 2017 to January 2018, an average of 644,000 unique computers encountered coin mining malware.
Figure 1. Volume of unique computers that encountered trojanized coin miners
Interestingly, the proliferation of malicious cryptocurrency miners coincides with a decrease in the volume of ransomware. Are these two trends related? Are cybercriminals shifting their focus to cryptocurrency miners as primary source of income? It’s not likely that cybercriminals will completely abandon ransomware operations any time soon, but the increase in trojanized cryptocurrency miners indicates that attackers are definitely exploring the possibilities of this newer method of illicitly earning money.
We have seen a wide range of malicious cryptocurrency miners, some of them incorporating more sophisticated mechanisms to infect targets, including the use of exploits or self-distributing malware. We have also observed that established malware families long associated with certain modus operandi, such as banking trojans, have started to include coin mining routines in recent variants. These developments indicate widespread cybercriminal interest in coin mining, with various attackers and cybercriminal groups launching attacks.
The downward trend in ransomware encounters may be due to an observed shift in the payload of one of its primary infection vectors: exploit kits. Even though there has been a continuous decrease in the volume of exploit kit activity since 2016, these kits, which are available as a service in cybercriminal underground markets, are now also being used to distribute coin miners. Before ransomware, exploit kits were known to deploy banking trojans.
DDE exploits, which have also been known to distribute ransomware, are now delivering miners. For example, a sample of the malware detected as Trojan:Win32/Coinminer (SHA-256: 7213cbbb1a634d780f9bb861418eb262f58954e6e5dca09ca50c1e1324451293) is installed by Exploit:O97M/DDEDownloader.PA, a Word document that contains the DDE exploit. The exploit launches a cmdlet that executes a malicious PowerShell script (Trojan:PowerShell/Maponeir.A), which then downloads the trojanized miner: a modified version of the miner XMRig, which mines Monero cryptocurrency.
Other miners use reliable social engineering tactics to infect machines. Cybercriminals have been distributing a file called “flashupdate”, masquerading the file as the Flash Player. The download link itself—seen in spam campaigns and malicious websites—also uses the string “flashplayer”. Detected as Trojan:Win32/Coinminer, this trojanized coin miner (SHA-256 abbf959ac30d23cf2882ec223966b0b8c30ae85415ccfc41a5924b29cd6bd4db) likewise uses a modified version of the XMRig miner.
For cryptocurrency miners, persistence is a key element. The longer they stay memory-resident and undetected, the longer they can mine using stolen computer resources. While more traditional persistence mechanisms like scheduled tasks and autostart registry entries are common, cybercriminals can also use more advanced methods like code injection and other fileless techniques, which can allow them to evade detection.
One example of coin mining malware that uses code injection is a miner detected as Trojan:Win32/CoinMiner.BW!bit (SHA-256: f9c67313230bfc45ba8ffe5e6abeb8b7dc2eddc99c9cebc111fcd7c50d11dc80), which spawns an instance of notepad.exe and then injects its code. Once in memory, it uses some binaries related to legitimate cryptocurrency miners but runs them using specific parameters so that coins are sent to the attacker’s wallet.
We also came across a malicious PowerShell script, detected as TrojanDownloader:PowerShell/CoinMiner (SHA-256: 5d7e0fcf45004a7a4e27dd42c131bcebfea04f14540bd0f17635505b42a96d6e), that downloads mining code that it executes using its own parameters. It adds a scheduled task so that it runs every time the computer starts.
Spreading capabilities and other behaviors
Some coin miners have other capabilities. For example, a miner detected as Worm:Win32/NeksMiner.A (SHA-256: 80f098ac43f17dbd0f7bb6bad719cc204ef76015cbcdae7b28227c4471d99238) drops a copy in the root folder of all available drives, including mapped network drives and removable drives, allowing it to spread as these drives are accessed using other computers. It then runs legitimate cryptocurrency miners but using its own parameters.
As trojanized cryptocurrency miners continue evolving to become the monetization tool of choice for cybercriminals, we can expect the miners to incorporate more behaviors from established threat types.
Browser-based coin miners (cryptojacking)
Coin mining scripts hosted on websites introduced a new class of browser-based threats a few years ago. The increased interest in cryptocurrencies has intensified this trend. When the said websites are accessed, the malicious scripts mine coins using the visiting device’s computing power. While some websites claim legitimacy by prompting the visitor to allow the coin mining script to run, others are more dubious.
Some of these websites, usually video streaming sites, appear to have been set up by cybercriminals specifically for coin mining purposes. Others have been compromised and injected with the offending scripts. One such coin miner is hidden in multiple layers of iframes.
Figure 2. A sample coin mining script hidden in multiple layers of iframes in compromised websites
We have also seen have seen tech support scam websites that double as coin miners. Tech support scam websites employ techniques that can make it difficult to close the browser. Meanwhile, a coin mining script runs in the background and uses computer resources.
Figure 3. A sample tech support scam website with a coin mining script
Unauthorized use of legitimate coin miners
On top of malware and malicious websites, enterprises face the threat of another form of cryptocurrency miners: legitimate but unauthorized miners that employees and other parties sneak in to take advantage of sizable processing power in enterprise environments.
While the presence of these miners in corporate networks don’t necessarily indicate a bigger attack, they are becoming a corporate issue because they consume precious computing resources that are meant for critical business processes. Miners in corporate networks also result in additional energy consumption, leading to unnecessary costs. Unlike their trojanized counterparts, which arrive through known infection methods, non-malicious but unauthorized cryptocurrency miners might be trickier to detect and block.
In January 2018, Windows enterprise customers who have enabled the potentially unwanted application (PUA) protection feature encountered coin miners in more than 1,800 enterprise machines, a huge jump from the months prior. We expect this number to grow exponentially as we heighten our crackdown on these unwanted applications.
Figure 4. Volume of unique computers in enterprise environments with PUA protection enabled that encountered unauthorized coin miners
While non-malicious, miners classified as “potentially unwanted applications (PUA)” are typically unauthorized for use in enterprise environments because they can adversely affect computer performance and responsiveness. In contrast, trojanized miners are classified as malware; as such, they are automatically detected and blocked by Microsoft security products. Potentially unwanted applications are further differentiated from “unwanted software”, which are also considered malicious because they alter your Windows experience without your consent or control.
Apart from coin mining programs, potentially unwanted applications include:
- Programs that install other unrelated programs during installation, especially if those other programs are also potentially unwanted applications
- Programs that hijack web browsing experience by injecting ads to pages
- Driver and registry optimizers that detect issues, request payment to fix the errors, and remain on the computer
- Programs that run in the background and are used for market research
PUA protection is enabled by default in System Center Configuration Manager. Security administrators can also enable and configure the PUA protection feature using PowerShell cmdlets or Microsoft Intune.
Windows Defender AV blocks potentially unwanted applications when a user attempts to download or install the application and if the program file meets one of several conditions. Potentially unwanted applications that are blocked appear in the quarantine list in the Windows Defender Security Center app.
In September 2017, around 2% of potentially unwanted applications blocked by Windows Defender AV are coin miners. This figure has increased to around 6% in January 2018, another indication of the increase of these unwanted applications in corporate networks.
Figure 5. Breakdown of potentially unwanted applications
Protecting corporate networks from cryptocurrency miners
Windows 10 Enterprise customers benefit from Windows Defender Advanced Threat Protection, a wide and robust set of security features and capabilities that help prevent coin minters and other malware.
Windows Defender AV uses multiple layers of protection to detect new and emerging threats. Non-malicious but unauthorized miners can be blocked using the PUA protection feature in Windows Defender AV. Enterprises can also use Windows Defender Application Control to set code integrity policies that prevent employees from installing malicious and unauthorized applications.
Trojanized cryptocurrency miners are blocked by the same machine learning technologies, behavior-based detection algorithms, generics, and heuristics that allow Window Defender AV to detect most malware at first sight and even stop malware outbreaks, such as the massive Dofoil coin miner campaign. By leveraging Antimalware Scan Interface (AMSI), which provides the capability to inspect script malware even with multiple layers of obfuscation, Windows Defender AV can also detect script-based coin miners.
Coin mining malware with more sophisticated behaviors or arrival methods like DDE exploit and malicious scripts launched from email or Office apps can be mitigated using Windows Defender Exploit Guard, particularly its Attack surface reduction and Exploit protection features.
Malicious websites that host coin miners, such as tech support scam pages with mining scripts, can be blocked by Microsoft Edge using Windows Defender SmartScreen and Windows Defender AV.
Corporate networks face the threat of both non-malicious and trojanized cryptocurrency miners. Windows 10 S, a special configuration of Windows 10, can help prevent threats like coin miners and other malware by working exclusively with apps from the Microsoft Store and by using Microsoft Edge as the default browser, providing Microsoft-verified security.
Security operations personnel can use the advanced behavioral and machine learning detection libraries in Windows Defender Endpoint Detection and Response (Windows Defender EDR) to detect coin mining activity and other anomalies in the network.
Figure 6. Windows Defender EDR detection for coin mining malware
Windows Defender EDR integrates detections from Windows Defender AV, Windows Defender Exploit Guard, and other Microsoft security products, providing seamless security management that can allow security operations personnel to centrally detect and respond to cryptocurrency miners and other threats in the network.
Alden Pornasdoro, Michael Johnson, and Eric Avena
Windows Defender Research