The primary reason for this sudden resurgence is the general revival of the cryptocurrency market, which saw trading prices recover after a spectacular crash in late 2018.
Monero, the cryptocurrency of choice of most crypto-mining malware operations, was one of the many cryptocurrencies impacted by this market slump. The currency, also referred to as XMR, went down from an exchange rate that orbited around $300 - $400 in late 2017 to a meager $40 - $50 at the end of 2018.
But as the Monero trading price recovered throughout 2018, tripling in value from $38 at the start of the year to nearly $115 over the summer, so have malware campaigns.
This recovery in XMR trading price has resulted in a spike in the activity of Monero-based crypto-mining malware operations.
These are criminal operations during which hackers infect systems with malware that's specifically designed to secretly mine Monero behind the computer owner's back.
Since the end of May, the number of reports detailing crypto-mining campaigns published by cyber-security firms has exploded, with a new report published each week, and sometimes new campaigns being uncovered on a daily basis.
History of crypto-mining malware
Crypto-mining malware first became a threat in the early 2000s, when Bitcoin started to become popular. In the beginning, malware operators deployed Bitcoin-based crypto-miners, but as Bitcoin became harder to mine on regular computers, they started shifting towards many of the other altcoins.
Due to its anonymity-centric features, Monero slowly became a favorite among cybercriminal gangs. However, crypto-mining malware never became a huge thing until late 2017 and early 2018, when cryptocurrency prices skyrocketed to record levels, and when Monero reached its maximum trading value of $480.
Trading at nearly $500, Monero became just too hard to ignore by that point, and several criminal groups decided they wanted a piece. The sudden spike in Monero-based crypto-miners didn't go unnoticed at the time.
As the Monero price slumped, the frequency and intensity of crypto-mining operations died down over the 2018-2019 winter. They never stopped entirely, but they continued to operate on a smaller scale than what we saw in the good ol' days of 2017 and early 2018.
But as XMR trading value recovered this year, so have these operations, which are now seeing new life.
Crypto-miners' hot summer
Below, we're going to summarize some of the reports published this summer by cyber-security firms that detailed new Monero-mining operations.
June 2019 - BlackSquid malware - A Trend Micro report details a new malware strain named BlackSquid. The malware can target both Windows and Linux servers, and also uses additional exploits to move laterally through networks, to infect as many systems as possible with its crypto-mining payload.
June 2019 - Unnamed campaign - Another Trend Micro report details another malware operation whose final goal is to deploy a Monero crypto-miner. Just like BlackSquid, this malware also relied on the EternalBlue exploit to spread through internal networks after compromising an initial point of entry.
June 2019 - AESDDoS botnet - Yet another Trend Micro report details how a botnet previously focused on infecting servers to carry out DDoS attacks had shifted towards delivering a Monero miner instead. This group specifically went after Docker servers.
June 2019 - Plurox malware - A Kaspersky report describes a new malware strain named Plurox. Targeting Windows, this malware comes with several modules for performing crypto-currency mining, in various forms.
June 2019 - LoudMiner malware - ESET researchers detail LoudMiner, a malware family that targets both macOS and Windows. According to researchers, LoudMiner uses virtualization software -- QEMU on macOS and VirtualBox on Windows -- to mine Monero on a Tiny Core Linux virtual machine.
June 2019 - ADB campaign - Trend Micro researchers detail a Monero-mining operation during which crooks scan the internet for Android devices exposing their ADB debug ports, which they then use to plant a crypto-miner on unprotected hosts.
August 2019 - Smominru botnet - A Carbon Black report [PDF] detailed changes in the activity of Smominru, one of the oldest and largest cryptocurrency mining botnets around. Besides running crypto-mining payloads, the botnet also stole credentials from infected hosts, which it later put up for sale online.
August 2019 - Norman malware - Security researchers from Varonis published a report on the new Norman crypto-miner. It targets Windows systems only.
September 2019 - Skidmap malware - A Trend Micro report detailed a new Linux malware strain named Skidmap, used to drop Monero miners on web servers. The malware's most significant feature is its use of a rootkit to persist on infected systems for as long as possible. Skidmap was also of note because it targeted Debian and RHEL/CentOS systems only.
September 2019 - Panda group - The most recent report is one published yesterday by Cisco Talos, about a group named Panda. Cisco says the group is not sophisticated at all, but merely uses publicly available exploits to infect any web-based servers it can, spread laterally through local networks, and then drop a crypto-miner. According to Cisco, the Panda group has been seen targeting servers with exploits for Oracle WebLogic (CVE-2017-10271), Apache Struts 2 (CVE-2017-5638), and the ThinkPHP framework (CNVD-2018-24942). Besides a crypto-miner payload, the group has also been seen dropping the Gh0st remote access trojan (RAT) on infected hosts, possibly for expanding access or stealing credentials.
Older crypto-mining botnets are diversifying
All the above reports show an obvious trend -- namely that there's been a spike in new crypto-mining operations over the summer.
However, according to Guardicore security researcher Daniel Goldberg, crypto-mining operations haven't stopped just because the Monero price took a dive. It's just that criminal groups haven't invested too much effort into creating new malware once Monero lost its value.
"Attacks still exist in high intensity, because criminals have basically automated their attack tools," Goldberg told ZDNet in an interview today.
This automation has allowed Smominru and other older groups like Panda, Pacha, and Rocke to continue to operate through Monero's price slump.
However, as the reports above show, once the Monero price started to rise, new malware strains have also started popping up.
One could say that keeping an eye on the Monero or Bitcoin exchange rate could be a great way of getting early warnings when crypto-mining operations ramp up. However, Goldberg sees this as a poor indicator.
"Crypto-mining is one of many ways criminals monetize access to unprotected infrastructure," the Guardicore researcher said. "If it's not crypto-mining, they'll sell access [to infected hosts to other groups], ransomware, or numerous other methods."
And this is exactly what happened with the older botnets, such as Smominru and Panda, which, as reported by Guardicore and Cisco Talos, have added credential-dumping components in recent months.
These additional components helped crooks steal and then sell/monetize other information from infected hosts while their primary crypto-mining operations started making less money. For example, Smominru made a profit by selling credentials for internal networks or online sites that it collected from infected hosts.
But there's also good news on the horizon. Just as it once happened with USB-spreading worms or ransomware, once something becomes a hot topic on the malware scene, cyber-security firms adapt and start providing better protections.
"Cryptominers are getting detected much more easily these days," Omri Segev Moyal, CEO of cyber-security firm Profero, told ZDNet in an interview today.
"When we started our research, almost no one detected cryptominers. Now it's really hard to build a proper one that stays undetected long enough to make profits."