What is Cryptocurrency Mining Malware?

Cryptocurrency mining malware is typically a stealthy malware that farms the resources on a system (computers, smartphones, and other electronic devices connected to the internet) to generate revenue for the cyber criminals controlling it. 

Instead of using video game consoles or graphics card farms, these particular cryptominers are using the computers and servers of the people around them for their processing power – without permission. This type of malware mines cryptocurrencies on the systems of their targets or even steals cryptocurrency from other targets, using its resources in such a way that the owner wouldn’t know.

This process, referred to as cryptojacking, is detrimental to the utilized systems, creating negative side effects such as: 

  • System slow down, 
  • Increased processor usage, 
  • Overheating computers 
  • Higher than normal power bills. 

The cryptominer utilizes all of these additional resources to get an edge in obtaining more cryptocurrency (especially as blockchains become more complex). Without all of the additional resources used to mine, the process would take much longer, and time is of the essence since the first miner to solve the blockchain claims the rewards. As long as the cryptominer gets what they want, they don’t care about the damage done to the network of computers they have cryptojacked.

Browser-based Cryptocurrency Mining

There are many different types of cryptocurrency available, but with the introduction of a new type, Monero, cyber criminals have started browser-based cryptocurrency mining. Because Monero is newer, it is easier to mine than the original Bitcoin, which now requires a significant amount of processing power to retrieve. 

Browser-based cryptocurrency mining was originally used for Bitcoin as early as 2011, but faded away as the Bitcoin blockchains became so complex that more processing power was needed. Due to interest in the newer Monero, this method has resurfaced as a widespread issue. When you combine the explosive growth in cryptocurrency with the launch in 2017 of browser-based cryptocurrency mining services like CoinHive and Crypto-Loot, it is easy to see why there are so many cryptominers relying on this method.

Binary Server-level Cryptominer

Unlike the browser-based JavaScript cryptominers that have been injected into a web page, a binary server-level cryptominer abuses server resources without affecting the computers or mobile devices of website visitors. Servers are more powerful than user devices, so they can mine coins faster.

Cyber criminals secretly use the power of infected systems to mine for cryptocurrency, which is sent to the cyber criminal’s cryptocurrency wallet. The more systems that are infected, the more profits the cyber criminals can make.

Cryptocurrency Mining Malware

There is a plethora of cryptocurrency mining software out there, one of the most popular ones was Coinhive. Coinhive was a software service that packaged all the tools needed to easily enable website owners for stealth scripting. It allowed website owners to install coin miners with relative ease using a simple snippet of JavaScript. This code worked in the background of website visitor’s browsers, utilizing any excess CPU power. These cryptomining tools served as an alternative monetization method, but hackers almost immediately abused the code. Once they installed it on compromised websites, they forced visitors into cryptocurrency mining while visiting the site—in most cases without any initial indication to the visitor that the mining process had commenced. When this software is utilized to mine cryptocurrency using the website’s host or visitor’s system resources without their consent, it is considered a form of cryptocurrency mining malware.

The malware used in these cryptominer infections is cleverly modified to make it more difficult for webmasters to identify and cleanup. Attacks often pull payloads from a remote server, making it easy for attackers to rapidly modify the injected content on compromised websites.

Note:  Coinhive is no longer available and  was shut down in March, 2019.

Another well known software service in the world of cryptomining is Crypto-Loot, which proclaims itself the Coinhive alternative. Crypto-Loot is more or less the same idea, but it focuses on a specific type of blockchain called uPlexa and therefore is not as popular. The website for Crypto-Loot claims that their system is better at being undetected. Once integrated into a website or webapp, it provides an option to coerce visitors to opt-in to the cryptoming, instead of receiving forced pop-up ads. The implementation is up to the site owner, so the system can be abused with relative ease.

The Price of Cryptocurrencies and Malware Infections 

As the price of Monero and other cryptocurrencies rose, Sucuri saw an influx in the number of cyber criminals looking for opportunities to monetize on their growing popularity. The price of Monero went up in 2017 and hit its peak in January of the following year. In that year alone, our research team identified over 7,000 websites compromised by bad actors to mine cryptocurrencies. Since its peak, the value of cryptocurrency has decreased significantly after several banks made an official statement to ban support for this type of currency. This is one of the contributing factors as to why this type of malware is no longer as popular.

What are Some Cryptocurrency Mining Malware Infection Methods?

Just like any malicious software, cryptocurrency mining malware can come in many forms. It can infect a user’s device through several means, such as clicking a malicious link, visiting a compromised website, downloading an infected application, downloading a malicious file, or installing an infected web browser extension. Some spread and infect other systems on the same network.

Basically, the cryptominers are different only in the way they affect website visitors. From the webmasters’ point of view, it’s not different from any other malware. So all generic techniques are valid.

While there are still some ongoing server-side binary cryptominers in the wild, cryptomining malware has been on a decline for the last year

How Do You Prevent a System or Website From Being Infected by Cryptocurrency Mining Malware?

It’s important to be proactive and take steps to help reduce the risk of infection. While no one can promise that the risk will ever be zero, there are many things you can do to protect your system and/or your website.

Monitor your Website

Prevention comes in the form of “constant monitoring”. If your system or website starts to feel sluggish, it is possible that one or both is infected. Take a quick glance at your system resource usage as you navigate through your website.

Verify if your CPU usage is high when browsing your monitored site. 

User Tip: This test is only valid if no other sites are open, as they could contribute to the CPU usage too.

It is important to run a virus scan on your system. Most antivirus softwares out there are pretty good at detecting these types of malware. 

Guard your Browsing

Most antivirus software would be able to detect browser-based cryptomining malware. Apart from this, there are other methods as well. It would be considered an advanced method of prevention to implement, but certain script blocking browser extensions such as NoScript or ScriptSafe would do a good job of securing your browsing from browser-based cryptomining malware.

How Sucuri Can Help

We have written an article to explain how to detect and remove cryptocurrency mining malware from your web host server.

Our incident response team addresses all types of website infections. There is no required installation or application changes. The team adds and configures all sites via the Sucuri dashboard. To enable the server-side scanning, a PHP agent is required at the root of the main domain.

Overall, Cryptomining malware is not an unsolvable problem. It can be prevented and remediated. Sucuri is dedicated to researching and educating our customers on the new frontier of crypto malware. Our security analysts are available for consultation and restoration if your website or webapp becomes impacted by this malware.