According to the 2018 IBM X-Force Threat Intelligence Index, the frequency and sophistication of malicious cryptocurrency mining, also called “cryptojacking,” has increased drastically in the past year. This mining is changing malicious actors’ priorities: While they had previously targeted companies’ data and financial assets, they are now seeking to extract value from organizations’ computing resources.

As a result, industries with powerful computers and relatively weak defenses — such as scientific research institutions and media companies — are suddenly caught in the crosshairs.

A Brief History of Cryptocurrency Mining

Cryptocurrency mining emerged when bitcoin, the first decentralized cryptocurrency, hit the scene in 2009. The process of mining cryptocurrency requires computationally intensive calculations to verify transactions, and miners are rewarded with cryptocurrency for this labor-intensive work. Since mining is a competitive process, it requires extensive computing power.

When bitcoin was first introduced, general-purpose central processing units (CPUs) could be used to mine it. But with each coin mined, the calculations required to mine the next coin become more complicated — demanding more computing power and more time to solve.

The mining applications that followed were developed to harness the power of graphics processing units (GPUs) to work more efficiently than mining with CPUs. GPUs are commonly used in enterprise settings, but they are also used for PC gaming, rendering graphics, scientific modeling and a variety of other complex tasks.

Today, bitcoin is mined with specialized application-specific integrated circuits (ASICs), which are optimized for the bitcoin algorithm, making general-purpose GPUs much less desirable for this purpose. However, bitcoin is no longer the only valuable cryptocurrency being mined.

New cryptocurrencies, such as Ethereum and Monero, are ASIC-resistant and better suited for mining by general-purpose computers. The creators of these cryptocurrencies worried about the centralization of bitcoin mining because of ASICs. Therefore, they created mining algorithms that harness memory capacity and speed. As a result, these new coins can be mined with general-purpose computers — triggering the rapid growth of mining malware across the globe.

The Difference Between Web- and Host-Based Mining Malware

Current mining malware can be divided into two major groups: web- and host-based malware.

Web-based mining malware is hosted on a website and activates when a user browses on an infected page. It is often written in JavaScript and executes as a web application on the local machine. This type of malware typically mines currencies like Monero, which is well-suited for mining via CPUs. Web-based miners are difficult to detect or stop because — while they don’t install themselves on local machines — they exploit local machines for their own purposes, unbeknownst to the users. Potential consequences of this type of attack include significant performance degradation, crashes and even overheating for mobile devices, according to ZDNet.

Host-based mining malware is a malicious application installed natively on the system, typically by a dropper-type Trojan. Often, the malware is just standard mining software running in a windowless mode in the background.

Other times, however, it’s more sophisticated. For example, the malware may use process-hollowing techniques to execute itself and then disguise the mining application’s process inside a legitimate system process — making it harder for users and antivirus solutions to identify and remove it. Host-based malware has better access to system resources, including the computer’s GPU, making it potentially much more lucrative for cybercriminals.

Additionally, the miner can schedule its activity for ideal times — so the user does not feel any performance impact — giving the cryptojacking better longevity on infected machines.

One example of host-based cryptojacking was reported in February 2017 when malicious actors breached a popular software download site to infect Apple product updates with mining malware, according to Help Net Security. Apple OSX computers are known for their high-end hardware, making them appealing targets for mining malware.

New Strategies Mean New Targets

Mining malware represents a relatively new threat to businesses. Unlike ransomware, it exploits hardware resources rather than the value of data. Businesses typically have large internal networks, which translates to heavy processing power.

As more companies move to cloud-based storage solutions, ransomware is becoming less effective at generating profit for criminals. Business owners with cloud storage can simply wipe their systems and restore their files from those backups. Attackers slinging mining malware aren’t interested in collecting ransom payments. As soon as a miner starts working, its operator can start raking in profits in the form of cryptocurrency.

Also, mining malware is much stealthier than ransomware because it doesn’t need to alert the user in any way. While ransomware notifies the user of its presence as a way to elicit payment, mining malware can run in the background for months — or even years — before discovery, especially if security professionals aren’t actively looking for it.

Since mining performance is determined by hardware performance, infecting high-end workstations and desktops is a priority for threat actors. This tactic is bad news for creative and scientific industries that use powerful computers to develop films, animations and games or conduct complex research. These types of organizations are also less likely to have invested in security and more likely to have awareness gaps.

What Can Companies Do to Limit the Threat of Cryptojacking?

Mining malware poses a serious threat to businesses across all sectors. Computers infected with host-based malware can be further infected with ransomware, spyware and other malicious applications. Organizations should educate their users and security leaders about the threat and take a proactive approach to detect it on enterprise endpoints.

Businesses should also invest in anti-malware programs to block known variants of mining malware and implement controls to identify mining activity. A security information and event management (SIEM) tool, for example, can alert security teams to high CPU and GPU usage during nonbusiness hours. Finally, behavioral analytics tools can help analysts identify abnormal patterns in resource usage with automation.

Interested in emerging security threats? Read the latest IBM X-Force Research

More from Advanced Threats

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today