XMRig: Father Zeus of Cryptocurrency Mining Malware?

Cryptocurrency is exploding all over the world, and so are attacks involving cryptocoins. From bitcoin to Ethereum and Monero, cybercriminals are stealing coins via phishing, malware and exchange platform compromises, causing tremendous losses to both consumers and businesses in the sector.

High-profile data breaches and theft are responsible for the majority of losses to organizations in the cryptocurrency sector, but there is another, more insidious threat that drains cryptocurrency at a slow and steady rate: malicious crypto-mining, also known as cryptojacking.

This scheme exploits end users’ CPU/GPU processing power through compromised websites, devices and servers. This type of malware is wielded by operators aiming to make money on the backs of their victims. Aside from the obvious performance degradation victims will experience, mining can cause machines to consume tons of electricity and overheat to the point of damage, causing unexpected data loss that may be hard to recover. In one case in Russia, this overheating resulted in a full-out blaze.

Among the many codes that already plague users and organizations with illicit crypto-mining, it appears that a precursor has emerged: a code base known as XMRig that spawns new offspring without having intended to.

The Code Reuse Problem

The malware world can spawn millions of different strains a year that infect users with codes that are the same or very similar. Code reuse often happens because malware developers won’t reinvent the wheel if they don’t have to.

In the banking Trojan world, the most infamous example is the Zeus v2 source code, which was leaked in 2011 and has since been used countless times, either as-is or in variations adapted to different targets or geographies. Some examples of Zeus codes are Zeus Panda and Sphinx, but the same DNA also lives in Atmos and Citadel. Parts of it, particularly the injection mechanism, are featured in many other banking Trojans.

A similar code leak scenario and subsequent reuse happened in the mobile space with the leak of the GM Bot code in 2016. That source code spurred the rise of many other mobile Trojans, including Bankosy, Mazar and SlemBunk, to name a few. The mobile malware arena saw a second precursor emerge when another source code, BankBot, was also leaked in early 2017, giving rise to additional foes.

Looking at the cryptojacking arena, which started showing increased activity in mid-2017, it’s easy to notice that the one name that keeps repeating itself is XMRig. Although not inherently malicious, this code’s unrestricted availability makes it popular among malicious actors who adapt it for the illicit mining of Monero cryptocurrency.

Why Monero?

Monero, which means “coin” in Esperanto, is a decentralized cryptocurrency that grew from a fork in the ByteCoin blockchain. The project itself is open source and crowdfunded.

Unlike earlier cryptocoins, Monero, which started in 2014, boasts easier mining and untraceable transactions and has seen its value rise over time. The proof of work algorithm, CryptoNight, favors computer or server CPUs, in contrast to bitcoin miners, which require relatively more expensive GPU hardware for mining coins.

These features attract new, legitimate miners, but they are just as attractive to cybercriminals looking to make money without having to invest much of their own resources. They resort to using malware or simply reworking XMRig to mine Monero.

XMRig: The Choice of Malicious Monero Miners

The Monero Project does not endorse any particular tool, software or hardware for miners. While there are at least three other codes available, the popular choice among cybercriminals appears to be the open source XMRig code.

According to existing research on the malicious use of XMRig, black-hat developers have hardly applied any changes to the original code. Past modifications show some changes to hardcoded command-line arguments that contain the attacker’s wallet address and mining pool URL, plus changes to a few arguments that kill all previously running instances of XMRig to ensure no one else benefits from the same hardware. Changes of this scope could take mere minutes to perform.

Since it is an open source project, XMRig usually sends a donation of 5 percent of the revenue gained from mined coins to the code author’s wallet address. Malicious iterations of XMRig remove that snippet and the attackers collect 100 percent of the spoils.

Some examples of malware names that were spawned from the XMRig code and showed up in recent attacks are RubyMiner and WaterMiner.

In terms of the attack scale of miners based on XMRig, the numbers are surprising. In January 2018, researchers identified 250 unique Windows-based executables used in one XMRig-based campaign alone. The overall infection operation was padded with its own download zone on a cloud storage platform, used XMRig proxy services to hide the destination mining pool and even connected the campaign with a cloud-hosted cryptocurrency mining marketplace that matches sellers of hashing power with buyers, maximizing profits for the attacker.

The Vulnerable Resource Predicament

Cryptojacking can happen on various types of devices, and millions of users have been infected in recent attacks. With malware, the goal is to successfully infect as many endpoints as possible, and X-Force assessment of recent attacks shows that threat actors will attempt to target anything that can lend them free computing power. Aside from the more common endpoint or server, cryptojacking has also been observed on:

Although it may seem like any device will do, the most attractive targets for miners are servers, which have more power than the aforementioned devices, 24/7 uptime and connectivity to a reliable power source. Server CPUs and GPUs are a fit for Monero mining, which means that XMRig-based malware could enslave them to continuously mine for coins.

Server vulnerabilities exist because many organizations still run outdated systems and assets that are past their end of life, resulting in easy-to-find exploits that compromise and infect them. Worse yet, our researchers believe that older servers that have not been patched for a while are also unlikely to be patched in the future, leaving them susceptible to repeated exploitation and infection. These attacks are reaching organizations in the wild, and a recent report from IBM X-Force noted that network attacks featuring cryptocurrency CPU miners have grown sixfold.

The industrial sector is known to run outdated operating systems and software, leaving it particularly vulnerable. In critical infrastructure, the internal and operational networks themselves can often expose these systems to increased risk. While data loss would be an issue for any organization, at an industrial plant it can potentially result in life-threatening situations.

Seek and Destroy

The world of cryptojacking malware is undergoing rapid evolution, and although permutations of XMRig will likely continue to occur, there is also a threat that new codes will appear this year. Mitigating the risk from known threats should be an integral part of your cyber hygiene and security management practices. While malware hunting is often regarded as a whack-a-mole endeavor, preventing XMRig-based malcode is easier because of its prevalence in the wild.

Since XMRig is open source and keeps getting reused in attacks, security teams should look into controls that deliver blanket protection and eliminate different iterations of this code. For those running older servers and operating systems in which risk of infection is higher, security best practices call for minimizing exposure, implementing compensating controls and planning for a prompt upgrade to dampen risks.
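One practical form of the blanket control called for above is a heuristic that recognizes the reused XMRig code by the very arguments the earlier section says attackers hardcode: the mining pool URL, the attacker's wallet address and the donation setting. The script below is an added illustration, not code from the article or from the XMRig project. The flag names it looks for (`-o`/`--url`, `-u`/`--user`, `-p`/`--pass`, `-a`/`--algo`, `--donate-level`) are XMRig's real command-line options and the 95-character base58 Monero address format is real, but the process listing, PIDs, host names and the wallet string are constructed for the example. It scans `ps -eo pid,args` style output, scores each command line by the number of miner indicators present, and pulls out the pool host and wallet so that the host can be blocked at egress and the wallet reported to the pool operator.

```python
"""Heuristic scan of process command lines for XMRig-style Monero miners.
Added illustration only: flag names are XMRig's real CLI options, while the
sample process lines, PIDs, host names and wallet string are constructed."""
import re
import shlex
from urllib.parse import urlsplit

# Monero standard (4...) and sub (8...) addresses: 95 base58 characters
# (no 0, O, I or l), bounded by non-base58 characters on both sides.
MONERO_ADDR = re.compile(
    r"(?<![1-9A-HJ-NP-Za-km-z])[48][1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-HJ-NP-Za-km-z])"
)
# Stratum mining-pool URL scheme used by XMRig's -o/--url argument.
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl)://[^\s\"']+", re.I)

# Each indicator receives the raw argument string and the split argv.
INDICATORS = [
    ("stratum_url", lambda s, a: bool(STRATUM_URL.search(s))),
    ("monero_wallet", lambda s, a: bool(MONERO_ADDR.search(s))),
    ("donate_level", lambda s, a: any(t.startswith("--donate-level") for t in a)),
    ("cryptonight_algo", lambda s, a: "cryptonight" in s.lower()),
    ("xmrig_name", lambda s, a: "xmrig" in (a[0] if a else "").lower()),
]


def extract_mining_config(argv):
    """Pull pool host/port and wallet out of XMRig-style argv (None if absent)."""
    cfg = {"pool_host": None, "pool_port": None, "wallet": None}

    def value_of(short, long_):
        for i, tok in enumerate(argv):
            if tok in (short, long_) and i + 1 < len(argv):
                return argv[i + 1]
            if tok.startswith(long_ + "="):
                return tok.split("=", 1)[1]
        return None

    url = value_of("-o", "--url")
    if url:
        parts = urlsplit(url if "://" in url else "stratum+tcp://" + url)
        cfg["pool_host"], cfg["pool_port"] = parts.hostname, parts.port
    user = value_of("-u", "--user")
    if user:  # XMRig allows a worker suffix such as WALLET.rig1; keep only the address
        m = MONERO_ADDR.search(user)
        cfg["wallet"] = m.group(0) if m else user
    return cfg


def scan_process_list(ps_output, threshold=2):
    """Return suspected miners: every process line meeting >= threshold indicators."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # header line or a process with no arguments
        pid, args = parts
        try:
            argv = shlex.split(args)
        except ValueError:  # unbalanced quotes in the command line
            argv = args.split()
        matched = [name for name, check in INDICATORS if check(args, argv)]
        if len(matched) >= threshold:
            hits.append({"pid": int(pid), "indicators": matched, **extract_mining_config(argv)})
    return hits


# Constructed sample data: a 95-character base58 string, not a real wallet.
WALLET = "4" + ("AbCdEfGhJkMnPqRsTuVwXyZ123456789" * 3)[:94]
# Constructed `ps -eo pid,args` output: a renamed miner binary in /tmp plus
# benign processes, one of which mentions "stratum" in a plain URL.
SAMPLE_PS = f"""  PID COMMAND
  842 /usr/sbin/sshd -D
 1203 nginx: worker process
 2719 /tmp/.cache/sysupd -o stratum+tcp://pool.example.invalid:3333 -u {WALLET}.rig1 -p x -k --donate-level=1 -a cryptonight
 3031 /usr/bin/curl -s https://updates.example.invalid/stratum-notes.txt
"""

if __name__ == "__main__":
    for hit in scan_process_list(SAMPLE_PS):
        print(f"pid {hit['pid']}: {', '.join(hit['indicators'])}")
        print(f"  pool {hit['pool_host']}:{hit['pool_port']}  wallet {hit['wallet']}")
```

The threshold of two indicators keeps a lone `xmrig` in a binary name, or a URL that merely contains the word "stratum", from raising an alert on its own; the renamed binary in the sample still scores four. Because the binary names vary across the hundreds of executables seen in a single campaign while the pool and wallet arguments must stay intact for the miner to pay out, matching on those arguments survives repacking far better than a hash-based signature does.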


Limor Kessem

Executive Security Advisor, IBM

Limor Kessem is one of the top cyber intelligence experts at IBM Security. She is a seasoned security advocate, public...