Data from the “IBM X-Force Threat Intelligence Index” for 2018 illustrated that threat actors have been increasingly using malicious cryptomining, aka cryptojacking attacks, to easily monetize their access to systems with minimal risk. The 2019 report showed that threat actors continue to use these attacks to compromise systems and generate a revenue stream.

There are two types of cryptomining attacks that have been making the rounds since 2018:

  1. Malicious mining via compromised websites, also known as cryptojacking. This activity takes place in-browser.
  2. Malware-based cryptomining attacks on a user’s device. This activity relies on the device’s central processing unit (CPU) power.

In 2018, X-Force saw a majority of browser-based mining versus the malware-based variety. In fact, our data shows a nearly 2-1 ratio, respectively. This attack tactic is becoming a rising issue; cryptojacking presents a unique challenge for organizations to detect and mitigate because malicious scripts are almost always hosted outside the organization’s zone of control.

Cryptojacking definitely trended in 2018, but are tides about to turn? X-Force data from late 2018 and early 2019 showed that browser-based cryptojacking attacks are on the decline while also revealing a notable increase in malware-based attacks.

Cryptomining Malware: A Primer

The value and popularity of cryptocurrency have been growing across the globe, and criminals are always looking for ways to generate passive income. One of the ways they tie the two together is by using coin-mining malware. Research from X-Force has addressed cryptocurrency miners before. To review, cryptominers are placed on an infected machine or device and use its native processing power to mine for cryptocurrency.

Historically, threat actors have targeted individual user boxes to drop cryptocurrency miners on, but recent research from X-Force Incident Response and Intelligence Services (IRIS) suggested that since at least 2017, threat actors have also tried to infect targeted internet of things (IoT) devices despite their low processing power.

What Could Be Driving a Shift to Cryptojacking?

Why would threat actors use malicious cryptomining instead of focusing on other attacks such as ransomware, for example? Threat actors can see some success in getting their malware on user devices, but for those motivated by monetary gain, converting that access into spendable currency has always been a challenge.

Over time, cybercriminals have tried different methods, such as selling stolen data, locking a device and demanding ransom payment from its owner, and selling a remote shell to the compromised device to other threat actors who can then deploy their own attack tactics on that device.

All of these tactics primarily require other people to become involved in their success — an option most criminals prefer to forego if only to avoid sharing the spoils. But they can’t sell access or data without a buyer, nor can they profit from ransomware without someone on the other end willing to pay. To minimize interaction with other parties, including victims who may or may not pay, many criminals evidently prefer cryptojacking. These attacks are suited for cybercriminals at any skill level, do not require much in terms of interaction with third parties and can be monetized relatively easily when compared with malware operations such as ransomware and banking Trojans.

To get into user devices, threat actors often deploy cryptomining malware via command injection attacks against enterprise-level assets, such as vulnerable applications in content management systems (CMSs). In instances observed by X-Force IRIS, attackers have attempted to plant malicious images on victims’ machines using wget and curl shell commands when victims simply visit a malicious page via a link in an email or through a compromised site.

2018: The Rise of Cryptomining in the Browser

Browser-based cryptojacking involves a threat actor infecting a web server or website and then injecting a cryptomining script into an otherwise legitimate website. Alternatively, the script can be inserted into an online advertisement, whether malicious or wholly illegitimate, and used with a legitimate ad service so that the script runs every time the browser is open.

X-Force research saw an explosion of cryptojacking activity in 2018, with cryptojacking attacks far exceeding all other forms of coin theft attacks.

Some of this rise in browser-based cryptojacking comes from unintended sources, such as vendors who sell cryptojacking scripts as an alternative to running advertisements on websites. The initial purpose is legitimate, but they can also be used by attackers who run them on compromised websites. One of the largest providers of mining scripts of that type was Coinhive, an organization that pioneered the sale of these scripts. As a result of frequent use of Coinhive scripts in cryptojacking attacks, users and security professionals would often see the name “Coinhive” or “Coinhive.Miner” appear as a malicious issue. In March 2019, Coinhive voluntarily ceased operations.

Figure 1: Cryptojacking attacks exceeded malware cryptomining attacks by a nearly 2-1 ratio in 2018 (source: IBM X-Force)

Cryptojacking Was Big in 2018, So Why Shift to Cryptomining Malware in 2019?

As our data shows, browser-based cryptojacking was big in 2018. But as we moved into 2019, our data started showing a decline in that type of attack and a return to malware-based cryptojacking. A number of factors could be contributing to this shift.

One possibility is that the recent drop in cryptocurrency prices has made mining in the browser less profitable. Since the browser is merely an application on a device, it cannot generate the same computing power as infecting the actual device. As a result, this type of cryptojacking takes much longer to generate each coin, which may be incentivizing threat actors to refocus on malware infections to speed things up.

Additionally, sharply reduced cryptocurrency value could encourage actors to move to an entirely different revenue stream, causing cryptomining malware to have a higher proportion of activity even though nominal levels may have dropped.

Threat actors could also be temporarily shifting away from browser-based cryptojacking if they relied on Coinhive to provide them with scripts. With Coinhive gone, threat actors would have to go to other script providers. While there are many other providers of the same sort of scripts, the removal of Coinhive could affect the overall ability of the technically unskilled to create web-based cryptojacking attacks.

Don’t rejoice just yet — browser-based cryptojacking may see a resurgence in the near future due to the recent and sharp drop in the Monero hash rate. A reduced hash rate makes mining each coin less computationally intensive, making cryptojacking a more profitable option despite its lower harvesting power.

Which Should I Worry About More: Browser-Based Cryptojacking or Cryptomining Malware?

The short answer is both. X-Force data indicates that while browser-based cryptojacking was increasingly popular through most of 2018, cryptomining malware made a resurgence at the end of 2018 and into the first quarter of 2019.

Figure 2: IBM X-Force data showing the rise and fall of cryptojacking popularity (source: IBM X-Force)

Browser-based cryptojacking was very popular with threat actors earlier in 2018, likely due to the following factors:

  • Without having to use malware and maintain a botnet, browser-based attacks can be easier for cybercriminals to set up compared to other forms of cryptomining attacks.
  • Threat actors needed only to infect a single web server to deploy a cryptojacking script to all visitors of that site and any other sites hosted thereon.
  • Cryptojacking is tougher for organizations to mitigate than cryptomining malware, since the infection occurs outside the organization on an unaffiliated server and takes advantage of users browsing to a compromised resource. In most cases, when the company’s security team sees alerts for mining activity, there isn’t much it can do to clean up within the company’s own devices. While one could notify the web server’s owner of the compromise, they may not know what to do about it or fail to address the issue.
  • With browser-based cryptojacking, a threat actor can forego wide-cast infection campaigns and the need to infect myriad devices. Instead, they aim to compromise a few web servers and expect to reach untold numbers of site visitors.

Figure 3: Browser-based cryptojacking resides outside an organization’s zone of control (source: IBM X-Force)

Some Tips for Defenders

Malicious cryptomining and browser-based cryptojacking attacks are plentiful, but they are not impossible to defend against. Here are some tips for defenders from our X-Force IRIS threat intelligence specialists:

  • Engage in a thorough risk assessment to determine the acceptable risk appetite for malicious cryptomining activity for the organization.
  • Restrict outbound calls to cryptomining pools to help detect and prevent cryptomining within the organization’s environments.
  • Where feasible, disable JavaScript in browsers to directly prevent cryptojacking scripts from executing.
  • Update host-based detection signatures to include the latest cryptomining malware and, if possible, alert on significantly anomalous processor activity that may be indicative of ongoing cryptomining malware infections.
  • Continue updating intrusion detection and prevention system (IDS/IPS) signatures to help block the latest cryptojacking scripts.
  • Work closely with network security operations to block traffic to and from known cryptojacking addresses that can be obtained from a threat intelligence provider or maintained internally.
  • Educate stakeholders on the difference between browser- and device-based cryptojacking to facilitate better informed conversations on the organization’s cybersecurity posture.

Join X-Force Exchange to stay up to date on cryptojacking campaigns

More from Risk Management

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Worms of Wisdom: How WannaCry Shapes Cybersecurity Today

WannaCry wasn't a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol. As a result, when the WannaCry "ransomworm" hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide. While the discovery of a "kill switch" in the code blunted the spread of the attack and newly…

Why Operational Technology Security Cannot Be Avoided

Operational technology (OT) includes any hardware and software that directly monitors and controls industrial equipment and all its assets, processes and events to detect or initiate a change. Yet despite occupying a critical role in a large number of essential industries, OT security is also uniquely vulnerable to attack. From power grids to nuclear plants, attacks on OT systems have caused devastating work interruptions and physical damage in industries across the globe. In fact, cyberattacks with OT targets have substantially…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…