Cryptomining activities that hijack victims' computer power to mine for cryptocurrency are skyrocketing, as cybercriminals find it to be one of the most profitable low-key attacks on the Web today. It has even pushed ahead of ransomware as cybercriminals' favorite means of raking in cash.
While cryptomining malware may not be built specifically to steal data, it should remain on the radar of enterprise defenders. Campaigns carried out by these malicious tools do real damage to computing equipment and siphon off vast amounts of electricity, and their infections also provide the perfect foothold from which to launch other, more devastating lateral attacks.
Here are some of the most prevalent and powerful cryptomining malware families active today.
One of the most prevalent cryptomining threats online, CoinHive is an in-browser mining script that has been used in a variety of dastardly attacks. It recently made waves with a campaign found to have targeted hundreds of thousands of MikroTik routers favored by ISPs and large networks, using the compromised routers as a vector to inject CoinHive into every page they served.
A versatile and well-known cryptomining family, XMRig is open-source software that has been likened to what Zeus was for banking Trojans because its code is reused so often in new, devious variations. For example, many popular exploit kits and Trojans, such as Ramnit and Trickbot, tend to use XMRig as one component of a more fully fleshed-out piece of malware. It's one prong of a Swiss army knife full of attack possibilities.
Among those XMRig variations, CroniX is a new, stealthy fork that takes advantage of a new vulnerability to devastating effect. The most recent campaign using CroniX tailored it to exploit the latest Apache Struts 2 critical vulnerability. Researchers from F5 Labs dubbed this variation "CroniX" for its use of cron for persistence and of Xhide for launching executables under fake process names.
First discovered and described to the security community by independent researcher James Quinn earlier this summer, ZombieBoy is a crypto-worm that researchers believe originated in China. It chains together attacks on multiple vulnerabilities to compromise corporate networks, uses DoublePulsar and EternalBlue to plant backdoors, and has several anti-detection capabilities built into it.
Powerful data center machines and other corporate systems are a juicy target for cryptominers, as they typically have far more compute power to raid. So security pros shouldn't be surprised by the PowerGhost findings this summer by Kaspersky researchers. This fileless malware specifically targets corporate networks. Not only is this a very sneaky attack, but variations have been found that can also be used to carry out distributed denial-of-service (DDoS) attacks.
In a similar vein, the RedisWannaMine attack earlier this year was discovered to have been targeting unpatched Redis, Windows Server, and Apache SOLR servers in order to install fileless coin-miner malware. Like several of the cryptojacking campaigns described here, this one uses a number of chained attacks, including EternalBlue exploits, to achieve infection.
Mostly targeting victims in Asian countries, the Underminer exploit kit is making waves with its advanced evasion techniques. The specific malware payload it delivers is called Hidden Mellifera, which researchers say had already kneecapped up to half a million systems before Underminer started serving it up, and it is typically delivered alongside a bootkit. When researchers with Trend Micro first detailed Underminer, the kit was specifically targeting Flash vulnerabilities and using fileless delivery to gain its first foothold on systems.
An advanced cryptomining worm that cobbles together a number of exploits and hacking tools to achieve its objective, MassMiner uses a version of the MassScan tool for reconnaissance, which gives it the ability to scan the entire Internet in less than six minutes. It specifically targets Web servers for mining operations and uses a "classic Gh0st backdoor" for command-and-control communications with the attackers pulling the strings, according to researchers with AlienVault.