Cryptocurrency is exploding all over the world, and so are attacks involving cryptocoins. From bitcoin to Ethereum and Monero, cybercriminals are stealing coins via phishing, malware and exchange platform compromises, causing tremendous losses to both consumers and businesses in the sector.

High-profile data breaches and theft are responsible for the majority of losses to organizations in the cryptocurrency sector, but there is another, more insidious threat that drains cryptocurrency at a slow and steady rate: malicious crypto-mining, also known as cryptojacking.

This scheme exploits end users’ CPU/GPU processing power through compromised websites, devices and servers. This type of malware is wielded by operators aiming to make money on the backs of their victims. Aside from the obvious performance degradation victims will experience, mining can cause machines to consume tons of electricity and overheat to the point of damage, causing unexpected data loss that may be hard to recover. In one case in Russia, this overheating resulted in a full-out blaze.

Among the many codes that already plague users and organizations with illicit crypto-mining, a precursor appears to have emerged: a code base known as XMRig that has spawned new offspring without its authors ever intending it to.

The Code Reuse Problem

The malware world can spawn millions of different strains a year that infect users with codes that are the same or very similar. Code reuse often happens because malware developers won’t reinvent the wheel if they don’t have to.

In the banking Trojan world, the most infamous example is the Zeus v2 source code, which was leaked in 2011 and has since been used countless times, either as-is or in variations adapted to different targets or geographies. Some examples of Zeus codes are Zeus Panda and Sphinx, but the same DNA also lives in Atmos and Citadel. Parts of it, particularly the injection mechanism, are featured in many other banking Trojans.

A similar code leak scenario and subsequent reuse happened in the mobile space with the leak of the GM Bot code in 2016. That source code spurred the rise of many other mobile Trojans, including Bankosy, Mazar and SlemBunk, to name a few. The mobile malware arena saw a second precursor emerge when another source code, BankBot, was also leaked in early 2017, giving rise to additional foes.

Looking at the cryptojacking arena, which started showing increased activity in mid-2017, it’s easy to notice that the one name that keeps repeating itself is XMRig. Although not inherently malicious, this code’s unrestricted availability makes it popular among malicious actors who adapt it for the illicit mining of Monero cryptocurrency.

Why Monero?

Monero, which means “coin” in Esperanto, is a decentralized cryptocurrency that grew from a fork in the ByteCoin blockchain. The project itself is open source and crowdfunded.

Unlike earlier cryptocoins, Monero, which started in 2014, boasts easier mining and untraceable transactions and has seen its value rise over time. Its proof-of-work algorithm, CryptoNight, favors computer or server CPUs, in contrast to bitcoin mining, which requires relatively more expensive GPU hardware.

These features attract new, legitimate miners, but they are just as attractive to cybercriminals looking to make money without having to invest much of their own resources. They resort to using malware or simply reworking XMRig to mine Monero.

XMRig: The Choice of Malicious Monero Miners

The Monero Project does not endorse any particular tool, software or hardware for miners. While there are at least three other codes available, the popular choice among cybercriminals appears to be the open source XMRig code.

According to existing research on the malicious use of XMRig, black-hat developers have hardly applied any changes to the original code. Past modifications show some changes to hardcoded command-line arguments that contain the attacker’s wallet address and mining pool URL, plus changes to a few arguments that kill all previously running instances of XMRig to ensure no one else benefits from the same hardware. Changes of this scope could take mere minutes to perform.

Since it is an open source project, XMRig usually sends a donation of 5 percent of the revenue gained from mined coins to the code author’s wallet address. Malicious iterations of XMRig remove that snippet and the attackers collect 100 percent of the spoils.
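The two paragraphs above describe what a malicious XMRig build typically changes: hardcoded pool URL and wallet arguments, and a donation level set to zero. The script below is an added example written for this page, not code from the IBM X-Force post or from the XMRig project; it scores process command lines (for instance from `ps -eo pid,args` or an EDR process-creation event) against exactly those indicators. The flags `-o`, `-u` and `--donate-level` are real XMRig options; the wallet address, pool hostname and file paths in the sample lines are constructed, not taken from any real campaign.

```python
"""Flag process command lines carrying the hardcoded XMRig arguments the
text describes: a stratum pool URL, a Monero wallet address and a zeroed
donation level. Added example for this page; the sample lines below are
constructed, not captured from a real incident."""
import re
from dataclasses import dataclass, field

# Stratum is the protocol miners use to talk to a pool; a URL with this
# scheme on a command line is a strong mining indicator by itself.
POOL_URL = re.compile(r"stratum\+(?:tcp|ssl)://[\w.\-]+(?::\d{1,5})?")
# Monero standard (4...) and sub- (8...) addresses are 95 base58 characters.
XMR_WALLET = re.compile(
    r"(?<![1-9A-Za-z])[48][1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-Za-z])")
# XMRig's donation switch; the text notes malicious builds strip the 5 percent.
DONATE_ZERO = re.compile(r"--donate-level[= ]0\b")
# XMRig's pool/user option spellings (-o/--url, -u/--user); a weak secondary signal
# on its own, since plenty of legitimate tools also take --url or -u.
MINER_OPTS = re.compile(r"(?:^|\s)(?:-o|--url|-u|--user)(?:=|\s)")

SCORES = [("pool_url", POOL_URL, 3), ("xmr_wallet", XMR_WALLET, 3),
          ("donate_zero", DONATE_ZERO, 2), ("miner_opts", MINER_OPTS, 1)]


@dataclass
class Finding:
    cmdline: str
    indicators: list = field(default_factory=list)
    score: int = 0


def inspect(cmdline: str) -> Finding:
    """Score one command line; each matched indicator adds its weight."""
    finding = Finding(cmdline)
    for name, pattern, weight in SCORES:
        if pattern.search(cmdline):
            finding.indicators.append(name)
            finding.score += weight
    return finding


def suspicious(cmdlines, threshold=3):
    """Return findings at or above the threshold, highest score first."""
    hits = [inspect(c) for c in cmdlines]
    return sorted((h for h in hits if h.score >= threshold),
                  key=lambda h: -h.score)


# Constructed sample: a renamed miner with hardcoded pool/wallet and no
# donation, a legitimate worker that merely passes a URL, and a clean daemon.
FAKE_WALLET = "4" + ("AbCdEfGhJkMn" * 8)[:94]  # 95 base58 chars, fabricated
SAMPLE_CMDLINES = [
    f"/tmp/.cache/svchost -o stratum+tcp://pool.example.invalid:3333 "
    f"-u {FAKE_WALLET} -p x --donate-level=0",
    "python3 /opt/app/worker.py --url https://api.example.invalid/v1",
    "/usr/sbin/sshd -D",
]

if __name__ == "__main__":
    for hit in suspicious(SAMPLE_CMDLINES):
        print(hit.score, hit.indicators, hit.cmdline[:60])
```

Because the operators rarely touch anything beyond these arguments, a rule keyed on the argument shapes rather than on a file hash or binary name survives the trivial renaming and recompilation that the next paragraphs describe; the threshold keeps a lone `--url` from a legitimate tool from paging anyone.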

Some examples of malware names that were spawned from the XMRig code and showed up in recent attacks are RubyMiner and WaterMiner.

In terms of the attack scale of miners based on XMRig, the numbers are surprising. In January 2018, researchers identified 250 unique Windows-based executables used in one XMRig-based campaign alone. The overall infection operation was padded with its own download zone on a cloud storage platform, used XMRig proxy services to hide the destination mining pool and even connected the campaign to a cloud-hosted cryptocurrency mining marketplace that matches sellers of hashing power with buyers, maximizing the attacker's profits.

The Vulnerable Resource Predicament

Cryptojacking can happen on various types of devices, and millions of users have been infected in recent attacks. With malware, the goal is to infect as many endpoints as possible, and an X-Force assessment of recent attacks shows that threat actors will attempt to target anything that can lend them free computing power. Aside from the more common endpoint or server, cryptojacking has also been observed on:

Although it may seem like any device will do, the most attractive targets are servers, which have more processing power than the aforementioned devices, 24/7 uptime and connectivity to a reliable power source. Server CPUs and GPUs are a fit for Monero mining, which means that XMRig-based malware could enslave them to mine coins continuously.

Server vulnerabilities exist because many organizations still run outdated systems and assets that are past their end of life, resulting in easy-to-find exploits that compromise and infect them. Worse yet, our researchers believe that older servers that have not been patched for a while are also unlikely to be patched in the future, leaving them susceptible to repeated exploitation and infection. These attacks are reaching organizations in the wild, and a recent report from IBM X-Force noted that network attacks featuring cryptocurrency CPU miners have grown sixfold.

The industrial sector is known to run outdated operating systems and software, leaving it particularly vulnerable. In many cases, the internal and operational networks in critical infrastructure further increase that risk. While data loss would be an issue for any organization, at an industrial plant it can potentially result in life-threatening situations.

Seek and Destroy

The world of cryptojacking malware is undergoing rapid evolution, and although permutations of XMRig will likely continue to occur, there is also a threat that new codes will appear this year. Mitigating the risk from known threats should be an integral part of your cyber hygiene and security management practices. While malware hunting is often regarded as a whack-a-mole endeavor, preventing XMRig-based malcode is easier because of its prevalence in the wild.

Since XMRig is open source and keeps getting reused in attacks, security teams should look into controls that deliver blanket protection and eliminate different iterations of this code. For those running older servers and operating systems in which risk of infection is higher, security best practices call for minimizing exposure, implementing compensating controls and planning for a prompt upgrade to dampen risks.
