According to the 2018 IBM X-Force Threat Intelligence Index, the frequency and sophistication of malicious cryptocurrency mining, also called “cryptojacking,” have increased drastically in the past year. This shift is changing malicious actors’ priorities: where they previously targeted companies’ data and financial assets, they are now seeking to extract value from organizations’ computing resources.

As a result, industries with powerful computers and relatively weak defenses — such as scientific research institutions and media companies — are suddenly caught in the crosshairs.

A Brief History of Cryptocurrency Mining

Cryptocurrency mining emerged when bitcoin, the first decentralized cryptocurrency, hit the scene in 2009. Mining requires computationally intensive work (repeatedly hashing a candidate block until the result falls below a target set by the network) to append blocks of transactions to the chain, and miners are rewarded with newly issued cryptocurrency and transaction fees for this compute-intensive work. Since mining is a competitive process, it requires extensive computing power.

When bitcoin was first introduced, general-purpose central processing units (CPUs) could be used to mine it. But the difficulty is not fixed: the network periodically adjusts the target so that blocks keep arriving at roughly the same rate (for bitcoin, about one every ten minutes, recalculated every 2,016 blocks). As more hashing power joins the network, each block demands more computation, and individual CPUs quickly stopped being competitive.
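The mechanics behind that paragraph, as an added illustration that is not code from the article: a toy proof-of-work with a Bitcoin-style difficulty retarget. The header layout and the `difficulty()` scale are invented for the example; only the double-SHA-256 nonce search and the clamped retarget rule mirror what bitcoin does.

```python
import hashlib
import time

# Added illustration, not code from the article. The header format is made up;
# the double-SHA-256 search and the [1/4, 4] retarget clamp follow Bitcoin.
MAX_TARGET = (1 << 256) - 1   # loosest possible target: every hash qualifies
RETARGET_WINDOW = 2016        # Bitcoin recomputes difficulty every 2016 blocks
BLOCK_INTERVAL = 600          # Bitcoin aims for one block every 600 seconds


def block_hash(prev_hash: str, data: str, nonce: int) -> int:
    """Double SHA-256 of a simplified header, returned as a 256-bit integer."""
    header = f"{prev_hash}|{data}|{nonce}".encode()
    digest = hashlib.sha256(hashlib.sha256(header).digest()).digest()
    return int.from_bytes(digest, "big")


def mine(prev_hash: str, data: str, target: int):
    """Try nonces from 0 upward until block_hash <= target.

    Returns (nonce, hash_value, attempts). Every attempt costs one hash and
    there is no shortcut, which is why mining speed is purely a function of
    how much hardware the miner controls.
    """
    nonce = 0
    while True:
        value = block_hash(prev_hash, data, nonce)
        if value <= target:
            return nonce, value, nonce + 1
        nonce += 1


def difficulty(target: int) -> float:
    """Expected hashes per block, relative to the loosest target."""
    return MAX_TARGET / target


def retarget(target: int, actual_seconds: int,
             window: int = RETARGET_WINDOW, interval: int = BLOCK_INTERVAL) -> int:
    """Scale the target by (time the last window took) / (time it should have taken).

    Blocks arriving faster than expected (more hash power on the network) shrink
    the target, i.e. raise the difficulty. As in Bitcoin, the ratio is clamped to
    [1/4, 4] so one window cannot swing the difficulty wildly.
    """
    expected = window * interval
    actual = max(expected // 4, min(expected * 4, actual_seconds))
    return min(MAX_TARGET, target * actual // expected)


if __name__ == "__main__":
    target = MAX_TARGET >> 16            # about 65,536 hashes per block on average
    prev = "0" * 64
    start = time.time()
    for height in range(3):
        nonce, value, attempts = mine(prev, f"block {height}", target)
        prev = f"{value:064x}"
        print(f"height {height}: nonce={nonce} attempts={attempts} hash={prev[:16]}...")
    print(f"3 blocks in {time.time() - start:.2f}s at difficulty {difficulty(target):.0f}")
    # If a whole window of blocks arrived in half the expected time, the target halves.
    faster = retarget(target, RETARGET_WINDOW * BLOCK_INTERVAL // 2)
    print(f"difficulty after retarget: {difficulty(faster):.0f}")
```

Run it and watch the attempt counts vary around 65,536 per block; halve the window time passed to `retarget()` and the difficulty doubles, which is the feedback loop that pushed CPU miners out of bitcoin as GPUs and then ASICs arrived.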

The mining applications that followed were developed to harness graphics processing units (GPUs), whose thousands of parallel cores run the repetitive hash computations far more efficiently than CPUs. GPUs are common in enterprise settings, and they are also used for PC gaming, rendering graphics, scientific modeling and a variety of other complex tasks.

Today, bitcoin is mined with specialized application-specific integrated circuits (ASICs), which are optimized for bitcoin’s hashing algorithm and leave general-purpose GPUs, let alone CPUs, uncompetitive for this purpose. However, bitcoin is no longer the only valuable cryptocurrency being mined.

New cryptocurrencies, such as Ethereum and Monero, were designed to be ASIC-resistant and are better suited to mining on general-purpose computers. Their creators worried about the centralization of bitcoin mining that ASICs had caused, so they chose memory-hard mining algorithms, whose cost is dominated by memory capacity and bandwidth rather than raw arithmetic, an area in which custom silicon has far less of an advantage over commodity hardware. As a result, these coins can be mined with ordinary computers, which triggered the rapid growth of mining malware across the globe.

The Difference Between Web- and Host-Based Mining Malware

Current mining malware can be divided into two major groups: web- and host-based malware.

Web-based mining malware is served by a website and activates when a user browses to an infected page. It is written in JavaScript and runs inside the browser’s own JavaScript engine, typically in a background Web Worker so the page itself stays responsive. This type of malware typically mines currencies like Monero, which is well suited to CPU mining. Web-based miners are hard for traditional endpoint defenses to catch because nothing is installed on the local machine: the miner exists only in the browser’s memory while the page is open, so file-based antivirus has no executable to scan, yet the attacker is still consuming the victim’s CPU, unbeknownst to the user. Potential consequences of this type of attack include significant performance degradation, crashes and even overheating of mobile devices, according to ZDNet.

Host-based mining malware is a malicious application installed natively on the system, typically by a dropper-type Trojan. Often the malware is just standard, publicly available mining software configured to run in the background with no visible window and pointed at a mining pool and wallet the attacker controls.

Other times, however, it is more sophisticated. For example, the malware may use process hollowing: it launches a legitimate system process in a suspended state, replaces that process’s code in memory with the miner and then resumes it, so the mining runs under a trusted process name and is harder for users and antivirus solutions to identify and remove. Host-based malware also has fuller access to system resources, including the computer’s GPU, making it potentially much more lucrative for cybercriminals.

Additionally, the miner can schedule its activity for opportune times, such as when the machine is idle or outside working hours, so the user does not feel any performance impact, giving the cryptojacking better longevity on infected machines. For defenders, that schedule is itself a signal: a process that is quiet during the day and pegs the CPU at night deserves a look.

One example of host-based cryptojacking was reported in February 2017, when malicious actors breached a popular software download site to trojanize Apple product updates with mining malware, according to Help Net Security. Apple OSX computers are known for their high-end hardware, making them appealing targets for mining malware.

New Strategies Mean New Targets

Mining malware represents a relatively new threat to businesses. Unlike ransomware, it monetizes hardware resources rather than the value of data. Businesses typically have large internal networks with many endpoints, which together represent a great deal of processing power.

As more companies move to cloud-based storage solutions, ransomware is becoming less effective at generating profit for criminals. A business with sound backups can simply wipe its systems and restore its files, provided those backups are versioned or kept offline so the ransomware cannot encrypt them as well. Attackers slinging mining malware are not interested in collecting ransom payments. As soon as a miner starts working, its operator can start raking in profits in the form of cryptocurrency, with no negotiation and no cooperation from the victim required.

Also, mining malware is much stealthier than ransomware because it does not need to alert the user in any way. While ransomware announces its presence as a way to elicit payment, mining malware can run in the background for months, or even years, before discovery, especially if security professionals are not actively looking for it.

Since mining performance is determined by hardware performance, infecting high-end workstations and desktops is a priority for threat actors. This tactic is bad news for creative and scientific industries that use powerful computers to develop films, animations and games or conduct complex research. These types of organizations are also less likely to have invested in security and more likely to have awareness gaps.

What Can Companies Do to Limit the Threat of Cryptojacking?

Mining malware poses a serious threat to businesses across all sectors. Beyond the stolen compute, a host running a miner has already been compromised, and the same foothold can be used to deliver ransomware, spyware and other malicious applications. Organizations should educate their users and security leaders about the threat and take a proactive approach to detecting it on enterprise endpoints.

Businesses should also invest in anti-malware programs to block known variants of mining malware and implement controls to identify mining activity. A security information and event management (SIEM) tool, for example, can alert security teams to sustained high CPU and GPU usage during nonbusiness hours, and to outbound connections that use the stratum mining-pool protocol or reach known pool addresses, which can also be blocked at the web proxy or firewall. Finally, behavioral analytics tools can help analysts identify abnormal patterns in resource usage with automation, which matters because well-written miners throttle themselves to stay under simple static thresholds.
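One way to implement the SIEM-style checks above, written as an added example rather than anything from the article or from any particular SIEM product. It runs two detections over constructed endpoint telemetry and correlates them: sustained high CPU outside business hours (the off-hours schedule and the miner hiding inside a system process described earlier) and network connections that look like stratum mining-pool traffic. The hostnames, process names and pool address are made up for the example, the business-hours window and the port list are assumptions to be tuned per environment, and the named miner binaries are a starting list, not an exhaustive one.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed endpoint telemetry for this example (not real data): one
# (timestamp, host, process, cpu_percent, remote_endpoint) sample per process
# every 15 minutes. Hostnames and process names are made up; pool.example and
# backup.example use the reserved .example domain. The svchost.exe rows imitate
# a miner hollowed into a system process that works only at night and throttles
# when the user is back; blender.exe is a legitimate daytime render job.
SAMPLES = [
    ("2018-03-12T01:00:00", "ws-edit-03",   "backup.exe",  45, "https://backup.example:443"),
    ("2018-03-12T01:15:00", "ws-edit-03",   "backup.exe",  47, "https://backup.example:443"),
    ("2018-03-12T01:30:00", "ws-edit-03",   "backup.exe",  44, "https://backup.example:443"),
    ("2018-03-12T01:45:00", "ws-edit-03",   "backup.exe",  46, "https://backup.example:443"),
    ("2018-03-12T02:00:00", "ws-render-07", "svchost.exe", 96, "stratum+tcp://pool.example:3333"),
    ("2018-03-12T02:15:00", "ws-render-07", "svchost.exe", 97, "stratum+tcp://pool.example:3333"),
    ("2018-03-12T02:30:00", "ws-render-07", "svchost.exe", 95, "stratum+tcp://pool.example:3333"),
    ("2018-03-12T02:45:00", "ws-render-07", "svchost.exe", 98, "stratum+tcp://pool.example:3333"),
    ("2018-03-12T09:00:00", "ws-render-07", "svchost.exe",  3, None),
    ("2018-03-12T14:00:00", "ws-render-07", "blender.exe", 99, None),
    ("2018-03-12T14:15:00", "ws-render-07", "blender.exe", 99, None),
    ("2018-03-12T14:30:00", "ws-render-07", "blender.exe", 99, None),
    ("2018-03-12T14:45:00", "ws-render-07", "blender.exe", 99, None),
]

BUSINESS_HOURS = range(8, 18)   # assumption: 08:00-17:59 local time
CPU_THRESHOLD = 85              # percent; assumption, tune to the fleet
MIN_CONSECUTIVE = 4             # 4 samples x 15 min = one hour sustained
# Well-known miner binary names (starting list, not exhaustive).
KNOWN_MINER_NAMES = {"xmrig", "xmrig.exe", "minerd", "cpuminer"}
# Ports commonly used by stratum pools; assumption, extend from your own telemetry.
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}


def off_hours(ts: str) -> bool:
    """True when the sample falls outside the assumed business-hours window."""
    return datetime.fromisoformat(ts).hour not in BUSINESS_HOURS


def sustained_off_hours_cpu(samples):
    """Return {(host, process)} seen at >= CPU_THRESHOLD for MIN_CONSECUTIVE
    consecutive off-hours samples. A business-hours or low-CPU sample resets the
    streak, so a daytime render job never accumulates one."""
    streak = defaultdict(int)
    flagged = set()
    for ts, host, proc, cpu, _ in sorted(samples, key=lambda s: s[0]):
        key = (host, proc)
        if off_hours(ts) and cpu >= CPU_THRESHOLD:
            streak[key] += 1
            if streak[key] >= MIN_CONSECUTIVE:
                flagged.add(key)
        else:
            streak[key] = 0
    return flagged


def pool_indicators(samples):
    """Return {(host, process, remote)} for a known miner binary or for a remote
    endpoint that uses a stratum URL scheme or a typical pool port."""
    hits = set()
    for _, host, proc, _, remote in samples:
        if proc.lower() in KNOWN_MINER_NAMES:
            hits.add((host, proc, remote))
            continue
        if remote:
            url = urlparse(remote)
            if url.scheme.startswith("stratum") or url.port in POOL_PORTS:
                hits.add((host, proc, remote))
    return hits


def cryptojacking_alerts(samples):
    """Correlate the two signals: both on the same (host, process) is high
    severity; either alone is medium and worth an analyst's look."""
    cpu_hits = sustained_off_hours_cpu(samples)
    net_hits = pool_indicators(samples)
    alerts = []
    for host, proc, remote in sorted(net_hits, key=str):
        severity = "high" if (host, proc) in cpu_hits else "medium"
        alerts.append((severity, host, proc, f"mining-pool traffic to {remote}"))
    for host, proc in sorted(cpu_hits):
        if not any(h == host and p == proc for h, p, _ in net_hits):
            alerts.append(("medium", host, proc, "sustained off-hours CPU"))
    return alerts


if __name__ == "__main__":
    for alert in cryptojacking_alerts(SAMPLES):
        print(*alert)
```

The daytime `blender.exe` job at 99% CPU never fires because it runs inside business hours, and the nightly backup stays under the threshold, while the hollowed `svchost.exe` trips both rules and is reported once at high severity. In production the CPU rule should be a deviation from each host's own baseline rather than a fixed percentage, since a throttled miner can sit comfortably below 85%.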
