Crypto Miners – The Silent CPU Killer of 2017
The Pirate Bay, the world’s largest BitTorrent indexer, is a massive online source for digital content– movies, games and software—and is among the top 100 most popular websites globally, according to Alexa. No stranger to controversy for its role in illegal downloads, a few weeks ago it was discovered that The Pirate Bay operators have begun using the website users’ computer resources to mine the Monero cryptocurrency, using a hidden JavaScript-based miner called CoinHive.
Until recently, websites that provide free services earned almost all their revenue through advertisements. Is the Pirate Bay example signaling that cryptocurrency mining may soon take over as the main revenue source?
A post published by The Pirate Bay operators on September 16
How does the rising popularity of cryptocurrency miners affect the cyber security landscape? In which cases is it a legitimate tool, and in which is it considered malware? In this report, we will answer these questions.
The first cryptocurrency that gained popularity and triggered the growth of the market and mining communities was BitCoin – the first decentralized coin. As time passed and BitCoin mining gained popularity, the computational resources required in order to stay in the game grew higher. The use of specialized hardware made it even harder for miners that used personal computers, be it threat actors using malware or solo miners, at a certain point, mining BitCoin and other leading cryptocurrencies such as Ethereum became non-profitable, taking into consideration the costs of the hardware and electricity. At this point, new miners entered the game – the new miners required far less CPU resources as they were a lot less popular and were mined by much smaller communities. Some of them, such as Monero, attempted to outgrow BitCoin by avoiding the coin’s biggest flaw – the lack of privacy. Naturally, new cryptocurrencies led to new crypto miners – both tools for the mining community, and malware.
Nowadays, a new use for crypto mining tools is taking over the internet – Javascript-based mining tools, which can be injected into popular websites both by the website owners and by threat actors.
The Birth of Crypto Miners, and Crypto Cyber Campaigns
The rising popularity of cryptocurrency, for both purchasing and for mining, has led to a significant growth of the mining community and cryptocurrency market worldwide. These in turn have produced a new kind of tool used to generate revenue: Crypto Miners.
While the term ‘crypto miner’ refers to tools that are available online, and can be used by the mining community, tools used by malicious actors upon infection are called ‘crypto mining malware’.
As with any new technology or advancement that has potential gain in it, the birth of cryptocurrencies also became a fertile ground for financially motivated cyber actors. To avoid the costs of expensive hardware, cybercriminals infect multiple systems in order to consume the victims’ CPU or GPU power and existing resources for crypto mining. By using different attack vectors, such as spam campaigns and Exploit Kits, they are able to turn the infected machines into troops of cryptocurrency miners.
Cryptocurrency mining is a computationally intensive task which requires powerful resources from specialized hardware and dedicated processors, and incurs significant electricity costs and investments in hardware. The BitCoin network generates a new block every 10 minutes, regardless of the number of active miners. This means that the entrance of new miners into the game does not necessarily accelerate the mining process, but may actually slow it down, as this increases the complexity of the mining operation.
As expected, the first cryptocurrency miners were designed to mine BitCoin, and emerged in 2011, shortly after BitCoin began gaining attention and popularity. One such miner was the Otorun worm. The infamous Kelihos, one of the largest botnets which was taken down by the FBI in April 2017, was also used for BitCoin mining. The recent development of tens of new cryptocurrencies has led to a variety of new crypto miners, with each one designed to mine a specific currency. All of the crypto miners leverage their victims’ computer resources, causing the infected machines to run abnormally slow.
Miners for the ‘Ethereum’, ‘Zcash’ and ‘Dogecoin’ currencies can currently be observed in the wild, though some sources say that mining these currencies using personal computers, even if a large number of bots is involved, is no longer profitable. Without a doubt, the top currency mined by threat actors these days is the Monero currency (see Appendix).
Crypto miners’ growing role in the treat landscape
Let’s take another look at the Pirate Bay Monero Miner case, and review the concerning role of web-based crypto miners in the treat landscape.
Currently, websites which do not provide paid services rely on advertisements for revenue. Many websites are loaded with ads, which heavily impact the user experience and accessibility of the actual content. Replacing the ads with a crypto miner, which uses a limited percentage of the CPU power of the website users, can be a good trade-off for website owners – it generates revenue for the owners and provides an improved and less intrusive experience for the end users.
The use of a web crypto miner such as CoinHive is as simple as it gets – the service provides a JavaScript which can be loaded into a website. When users access the website, the script mines the Monero currency based on the users’ CPU resources.
However, the security community must remain alert in light of such developments, as the crypto miners would have a clear interest to increase the percentage of the computer resources consumed, and perhaps even leverage their access and elevate their privileges over the users’ machines.
The Pirate Bay case immediately made headlines and led to a stream of customer questions and complaints. An online search for similar cases yielded no results. Does this mean The Pirate Bay case is an outlier, or is it actually just one of many examples of a trend currently flying under the radar?
An investigation conducted by Check Point researchers reveals that cryptocurrency miners have knowingly been injected into some top websites, mostly media streaming and file sharing services, without notifying the users. According to our research, those miners regularly use as much as 65% of the end-users’ CPU power.
Example 1: Uptobox.com is a file hosting service ranked 70 in France and 672 globally according to Alexa. The website uses its users’ CPU power to mine the Monero cryptocurrency without notification.
Example 2: Vidzi.tv is a video sharing service ranked 659 in the US and 788 globally. The website uses its users’ CPU power to mine the Monero cryptocurrency without notification.
Using movie streaming websites for mining is the ultimate way to consume clients’ computer resources while remaining under the radar. Normally, users select their preferred content and watch the movie, leaving the browser unmonitored for at least an hour. It’s easy and convenient, and the top movie streaming websites can generate some fine revenue for the operation’s owners.
The CPU Usage of an ordinary laptop while accessing the movie streaming service WatchFree.to, ranked 1,076 in the US and 1,625 by Alexa. The overall CPU usage of the machine while accessing the website is 69%.
The brains behind such an operation can be either the website owners themselves who want to generate revenue without resorting to copious advertisements, or threat actors who inject a code to enable the mining activity via a popular website’s user base.
The above example demonstrates the use of a separate JavaScript file for the mining operation. In the example below, we see how to inject the CoinHive Monero miner into a webpage, which is most likely done by the website owner.
uptostream.com is a movie streaming service, ranked 573 in France and 7,698 globally. This service mines the Monero currency while using its users’ computer resources without notification.
When we examine the integration of the cryptocurrency miner into the vidzi.tv page, we can see the use of a non-official method – one that is different than the one CoinHive offers for use on their official website. This page was most likely compromised by malicious actors and was surreptitiously injected with the miner.
The injection of the CoinHive Monero miner into vitzi.tv, using a non-official method
The examples presented above are only a few out of tens of cases observed during one week of research in September 2017. Each of these examples demonstrates a different way to integrate the miner into the website. All of them consume a significant percentage of CPU power, yet only in some cases can the percentage and number of threads be controlled by the website owner. Some websites were found to be related to each other, which may imply that an organized mining operation is taking place. In other cases, inactive domains, which according to Alexa remain highly popular, were found to be mining cryptocurrency. This might mean that several other websites are silently redirecting their users to this page.
The Case of the Adylkuzz Monero Miner
One of the most noticeable cryptocurrency miners of 2017 is Adylkuzz, a malware which mines the Monero currency on its victims’ machines. While it may have been active in late April or early May, Adylkuzz notably emerged on May 15, 2017, only three days after the start of the global spread of the WannaCry ransomware campaign. Adylkuzz shares some similarities with WannaCry. It uses the EternalBlue exploit, which was made available to the public as part of the Shadow Brokers hacking group leak of NSA tools, to locate vulnerable machines and spread laterally within infected networks. It also uses the DoublePulsar backdoor to install its payload. Interestingly, an Adylkuzz attack shuts down SMB networking to prevent infection with other malware. Therefore, the Adylkuzz attack may have had an effect on the WannaCry ransomware spread. The close proximity of these two large-scale campaigns and the publicity gained by the WannaCry ransomware may have caused the Adylkuzz attacks to be attributed to WannaCry. What we saw in Adylkuzz demonstrates that cryptocurrency miners are now using similar attack vectors and increasing their share of the cyber landscape.
An examination of the malware’s infection statistics through the Check Point ThreatCloud shows that Adylkuzz had a clear spike in its attack rate right when it first emerged and in parallel to the WannaCry campaign. It is still active.
Adylkuzz Malware Activity – The graph presents the Adylkuzz malware’s attack rate as of May 15, 2017
As the WannaCry ransomware and Adylkuzz miner campaigns, which use similar tools and techniques, began at the same time, they are believed to share similar targets. The top countries attacked by WannaCry include Russia, Ukraine, India and Taiwan.
Now, let’s examine the top countries infected by Adylkuzz malware:
As shown above, Adylkuzz targets are spread all over the world, with no clear orientation to a specific region.
WannaCry had no predefined targets. The ransomware was spread to a random C-Class IP range, while seeking vulnerable public facing SMB ports against which it could leverage the EternalBlue exploit. Therefore, we can estimate that Adylkuzz was spread in a similar way.
Summary
According to CNBC, as of August 2017, the cryptocurrency market was worth about $141 billion. While BitCoin was the first prominent cryptocurrency accepted by online markets and used by cybercriminals, today, tens of cryptocurrencies are widely used for both legitimate purposes, and by threat actors for non-legitimate and often fraudulent purposes.
The popularity of the various currencies among cryptocurrency miners is determined mostly based on the profitability that lies in mining the coin. As the use of a digital currency rises, so does the need to mine it. This is why in recent months we see an increase in the number of Crypto Mining malware campaigns making headlines.
The Adylkuzz campaign’s use of EternalBlue and DoublePulsar highlights another increasing trend: Crypto Mining malware leveraging attack tools and vectors used by other malware and threat actors.
As the public is not yet fully aware of the prevalence of this new malware type, it is often harder to detect, as was the case of Adylkuzz and WannaCry. We have no doubt that a new, silent yet significant actor, has slowly entered the threat landscape, letting threat actors monetize while victims’ endpoints and networks suffer from latency and decreased performance. This new threat is here to stay.
Check Point NGTP and NGTX customers are protected against infection by crypto miners and against the damaging consequences of their mining activity.
To learn more about bitcoins and cryptocurrencies and understand if your cyber security may be at risk, download our guide “Cryptocurrencies: How Safe are They?”
Background for this research
Appendix 1 – BitCoin and other Cryptocurrencies
Cryptocurrency is an encrypted digital asset used as a medium of exchange to perform secured transactions. It uses cryptography both to protect the data string which represents a unit of currency, and to control the creation process of additional currency units. Cryptocurrencies are created in a process called mining, which is based on mathematical proof and on cryptographic algorithms.
In contrast to physical money, cryptocurrencies are not issued and managed by one central authority. They are decentralized – organized and controlled by a peer-to-peer network called Blockchain, which verifies all transactions and serves as the currency’s ledger.
While it wasn’t the first ever digital coin, BitCoin is the first decentralized cryptocurrency. It was created in 2009, with the intention to become a public currency independent of any central authority or high transaction fees. In July 2010, the value of a BitCoin was 6 cents. As of September 2017, a single BitCoin is worth $4,950 – an increase of 8,249,900%.
BitCoin mining is the process by which transactions are verified and added to the Blockchain, and also the means through which new BitCoins are released. Anyone with access to the internet can participate in mining. Currently, it takes approximately 98 years to mine a BitCoin block (25 BTC), due to the mining difficulty, that limits the amount of BitCoins. Therefore, there are several pools that use joint computational resources to mine a single BitCoin block.
Appendix 2 – BitCoin Wallets
A BitCoin wallet is anonymized, which means it is not linked to a name, address or any personal identification. However, information about all transactions ever made using BitCoin is stored in the Blockchain and is available to the public. While the identity of the owner remains hidden, anyone can tell how many BitCoins are stored in a specific wallet at any given moment.
While BitCoin is still the most famous cryptocurrency, new digital currencies are constantly created and made as accessible to developers as possible. Some of them, such as ‘Litecoin’, ‘Monero’ and ‘Ethereum’, are already heavily traded online, and hundreds of others are used by small communities.
Digital currency is increasingly used to purchase products online, as the purchase is made quickly, without delays or intermediate charges. Another huge advantage of cryptocurrency lies in its security – the user credentials are not exposed in the process, and thus fraud and identity theft are a lot more difficult to carry out. These qualities, meant to protect the end-user, make cryptocurrency ideal for cybercriminals – and indeed, most ransomware demands payment using BitCoins. Some of them obfuscate the transaction even further, as observed in the case of Cerber ransomware.
Cerber Bitcoin Flow – The transaction involves a BitCoin Mixing Service to avoid detection of the BitCoin wallets used by the author and by the ransomware’s affiliates.
Appendix 3 – The Monero cryptocurrency
Looking back at the biggest crypto mining campaigns carried out during 2017 so far, the vast majority of those involved Monero miners. Major campaigns include:
- January – A Terror Exploit Kit campaign which distributed a Monero Cryptocurrency Miner
- June – A campaign targeting Linux machines which leveraged a vulnerability in Samba installations to distribute a Monero miner dubbed ‘cpuminer’ or ‘EternalMiner’, due to the proximity to the WannaCry ransomware
- August – A campaign targeting MAC users via a cheating app vHook which distributed a Monero Miner dubbed Pwnet
The Monero cryptocurrency was created in April 2014. In September of that year, it was the victim of an attack which leveraged a flaw in the code of the protocol used by its cryptocurrency. The Monero cryptocurrency experienced a rapid growth in market capitalization in 2016, when it was adopted by the AlphaBay market, formerly the biggest market on the dark web. Monero has been the subject of growing interest lately, and thus more and more Monero miners – including ‘CoinHive’, the miner used by The Pirate Bay – are now offered for sale on online markets.
The reason for Monero’s popularity is first of all its technology. Monero uses a protocol called ‘CryptoNote’, which is used by several other cryptocurrencies as well, and an algorithm called ‘CryptoNight.’ This algorithm is designed to run fast on personal computers and laptop CPUs, as opposed to the algorithm used by many other coins, which only run well on custom-made mining chips. Additionally, a Monero block is produced approximately every two minutes and has an automatically adaptive block size limit, which means that it can handle an increase in the transaction volume without causing a delay if a user attempts an immediate transaction. A BitCoin block, in contrast, is produced approximately every ten minutes and has a maximum size. If there is no room in the block, a transaction must either be delayed, or the user must increase the transaction fee. Lastly, Monero is considered to be a secured and untraceable coin. Unlike BitCoin, the amount of coins stored in a Monero wallet is not accessible to the public.
Check Point customers are protected against this threat with the following IPS protection (link):