Crypto-mining malware saw new life over the summer as Monero value tripled

September 18, 2019

Malware that mines cryptocurrency has made a comeback over the summer, with an increased number of campaigns being discovered and documented by cyber-security firms.

The primary reason for this sudden resurgence is the general revival of the cryptocurrency market, which saw trading prices recover after a spectacular crash in late 2018.

Monero, the cryptocurrency of choice of most crypto-mining malware operations, was one of the many cryptocurrencies that were impacted by this market slump. The currency also referred to as XMR, has gone down from an exchange rate that orbited around $300 – $400 in late 2017 to a meager $40 – $50 at the end of 2018.

But as the Monero trading price recovered throughout 2018, tripling its value from $38 at the start of the year, to nearly $115 over the summer, so have malware campaigns.

This recovery in XMR trading price has resulted in a spike in the activity of Monero-based crypto-mining malware operations.

These are criminal operations during which hackers infect systems with malware that’s specifically designed to secretly mine Monero behind the computer owner’s back.

Starting with the end of May, the number of reports detailing crypto-mining campaigns published by cyber-security firms has exploded, with a new report published each week, and sometimes new campaigns being uncovered on a daily basis.

History of crypto-mining malware

Crypto-mining malware first became a threat in the early 2000s, when Bitcoin started to become popular. In the beginning, malware operators deployed Bitcoin-based crypto-miners, but as Bitcoin became harder to mine on regular computers, they started shifting towards many of the other altcoins.

Due to its anonymity-centric features, Monero slowly became a favorite among cybercriminal gangs. However, crypto-mining malware never became a huge thing until late 2017 and early 2018, when cryptocurrency prices skyrocketed to record levels, and when Monero reached its maximum trading value of $480.

Trading a nearly $500, Monero became just too hard to ignore by that point, and several criminal groups decided they wanted a piece. The sudden spike in Monero-based crypto-miners didn’t go unnoticed at the time.

In a feature for Bleeping Computer, a news site focused on cyber-security topics, this reporter highlighted a massive jump in Monero-based malware operations towards the end of 2017, and early 2018, just as Monero prices were bloating up.

At the time, everywhere you’d look, you’d find malware gangs trying to deploy Monero-mining malware. What was once an outlier in the malware scene had suddenly become the most common form of malware.

Malware groups/campaigns like Digmine, Hexmen, Loapi, Zealot, WaterMiner, CodeFork, Bondnet, Adylkuzz, CoinMiner, Linux.BTCMine.26, Zminer, DevilRobber, PyCryptoMiner, RubyMiner, and MassMiner, were just some of the few that were documented at the time, in the span of a few months.

As Monero price slumped, the frequency and intensity of crypto-mining operations died down over the 2018-2019 winter. They never stopped, but they did continue to operate, on a smaller scale than what we’ve seen in the good ol’ days of 2017 and early 2018.

But as XMR trading value recovered this year, so have these operations, which are now seeing new life.

Crypto-miners’ hot summer

Below, we’re going to summarize some of the reports published this summer by cyber-security firms that detailed new Monero-mining operations.

May 2019 – Rocke and Pascha groups – An Intezer Labs report described the battle between two crypto-mining operations that were fighting infect to same types of Linux-based cloud-based apps.

May 2019 – Nansh0u campaign – A Guardicore report details a Chinese-based crypto-mining group that infected over 50,000 Windows MS-SQL and phpMyAdmin servers to mine Monero.

May 2019 – RIG exploit kit – Trend Micro reported that the infamous RIG exploit kit had started to deploy a Monero miner as its final payload. The crypto-miner was aimed at Windows desktop users, rather than servers, like most Monero minining operations tend to be.

June 2019 – BlackSquid malware – A Trend Micro report details a new malware strain named BlackSquid. The malware can target both Windows and Linux servers, and also uses additional exploits to move laterally through networks, to infect as many systems as possible with its crypto-mining payload.

June 2019 – Unnamed campaign – Another Trend Micro report details another malware operation whose final goal is to deploy a Monero crypto-miner. Just like BlackSquid, this malware also relied on the EternalBlue exploit to spread through internal networks after compromising an initial point of entry.

June 2019 – AESDDoS botnet – Yet another Trend Micro report details how a botnet previously focused on infecting servers to carry out DDoS attacks had shifted towards delivering a Monero miner instead. This group specifically went after Docker servers.

June 2019 – Unnamed campaign – A Sucuri report described another crypto-mining malware operation that infected web servers and used a cronjob to persist on infected hosts.

June 2019 – Plurox malware – A Kaspersky report describes a new malware strain named Plurox. Targeting Windows, this malware comes with several modules for performing crypto-currency mining, in various forms.

June 2019 – LoudMiner malware – ESET researchers detail LoudMiner, a malware family that targets both macOS and Windows. According to researchers, LoudMiner uses virtualization software — QEMU on macOS and VirtualBox on Windows — to mine Monero on a Tiny Core Linux virtual machine.

June 2019 – ADB campaign – Trend Micro researchers detail a Monero-mining operation during which crooks scan the internet for Android devices exposing their ADB debug ports, which they then use to plant a crypto-miner on unprotected hosts.

July 2019 – WatchBog botnet – An Intezer Labs report detailed the WatchBog cryptocurrency-mining botnet,operational since late 2018, and which compromised more than 4,500 Linux machines.

August 2019 – Smominru botnet – A Carbon Black report [PDF] detailed changes in the activity of Smominru, one of the oldest and largest cryptocurrency mining botnets around. Besides running crypto-mining payloads, the botnet also stole credentials from infected hosts, which it later put up for sale online.

August 2019 – Norman malware – Security researchers from Varonis published a report on the new Norman crypto-miner. Targets Windows systems only.

September 2019 – Skidmap malware – A Trend Micro report detailed a new Linux malware strain named Skidmap, used to drop Monero miners on web servers. The malware’s most significate feature is the use of a rootkit to persist on infected systems as much as possible. Skidmap was also of note because it targeted Debian and RHEL/CentOS systems only.

September 2019 – Panda group – The most recent report is one published yesterday by Cisco Talos, about a group named Panda. Cisco says the group is not sophisticated at all, but merely uses publicly available exploits to infect any web-based servers it can, spread laterally through local networks, and then drop a crypto-miner. According to Cisco, the Panda group has been seen targeting servers with exploits for Oracle WebLogic (CVE-2017-10271), Apache Struts 2 (CVE-2017-5638), and the ThinkPHP framework (CNVD-2018-24942). Besides a crypto-miner payload, the group has also been seen dropping the Gh0st remote access trojan (RAT) on infected hosts, possible for expanding access or stealing credentials.

Older crypto-mining botnets are diversifying

All the above reports show an obvious trend — namely that there’s been a spike in new crypto-mining operations over the summer.

However, according to Guardicore security researcher Daniel Goldberg, crypto-mining operations haven’t stopped just because the Monero price took a dive. It’s just that criminal groups haven’t invested too much effort into creating new malware once Monero lost its value.

Some malware groups continued to operate, such as the Smominru botnet, about which Guardicore published today additional research, along with scripts to detect the malware’s residues on infected machines.

“Attacks still exist in high intensity, because criminals have basically automated their attack tools,” Goldberg told ZDNet in an interview today today.

This automation has allowed Smominru and other older groups like Panda, Pacha, and Rocke to continue to operate through Monero’s price slump.

However, as the reports above show, once the Monero price started to rise, new malware strains have also started popping up.

One could say that keeping an eye out on the Monero or Bitcoin exchange rate could be a great way of getting early warnings when crypto-mining operations ramp up. However, Goldberg sees this as a poor indicator.

“Crypto-mining is one of many ways criminals monetize access to unprotected infrastructure,” the Guardicore researcher said. “If it’s not crypto-mining, they’ll sell access [to infected hosts to other groups], ransomware, or numerous other methods.”

And this is exactly what happened with the older botnets, such as Smominru and Panda, who, as reported by Guardicore and Cisco Talos, have added credentials-dumping components in recent months.

These additional components helped crooks steal and then sell/monetize other information from infected hosts while their primary crypto-mining operations started making less money. For example, Smominru made a profit by selling credentials for internal networks or online sites that it collected from infected hosts.

But there’s also good news on the horizon. Just like it once happened with USB-spreading worms or ransomware, once something becomes a hot topic on the malware scene, cyber-security firms adapt and start providing better protections.

“Cryptominers are getting detected much more easily these days,” Omri Segev Moyal, CEO of cyber-security firm Profero, told ZDNet in an interview today.

“When we started our research, almost no one detected cryptominers. Now it’s really hard to build a proper one that stays long enough undetected to make profits.”