Cryptocurrency mining malware now as lucrative as ransomware for hackers

Attack techniques usually reserved for advanced campaigns have helped a cybercriminal scheme exploit hacked PCs for a big payday.
Written by Danny Palmer, Senior Writer

A newly uncovered cybercriminal cryptocurrency mining malware operation which borrows infection techniques from advanced hacking campaigns has earned those behind it behind it millions of dollars thanks to an army of thousands of hijacked computers.

Cryptocurrency mining has become a popular means for cyber crooks to earn money. The attacks are successful because the mining malware remains hidden while it uses the infected PC's processor to carry out its task. While increased cooling fan activity might be noticeable in some instances, the average user isn't going to think about it as much as a concern, let alone make the link to being infected with malware.

A campaign by a a group of unnamed 'sophisticated' threat actors is potentially one of the most lucrative cryptocurrency mining operations discovered to date, with analysis by security company Kaspersky Lab suggesting this campaign made the cyber criminals behind it millions of dollars in the second half of 2017.

One of the reasons the cryptocurrency mining operation has proved to be so lucrative for one of the most successful groups observed is because the malware is deployed using techniques more usually associated with sophisticated and state-backed hackers.

In this instance, the cryptocurrency mining malware is being distributed with the aid of process-hollowing - a technique which lets the malware unmap the legitimate code of processes and overwrite them with malicious code.

Victims of this campaign are lured into downloading legitimate-looking software which has instructions to download the miner hidden inside. As the process initially looks like a legitimate form of software, it isn't detected by anti-virus products.

See also: What is malware? Everything you need to know about viruses, trojans and malicious software

Once the dropper software has been installed, a Windows installer 'msiexec' is run, and it downloads and executes malicious modules from a remote server which carry out the process-hollowing, allowing the attackers to alter the code with the instructions to carryout mining for cryptocurrency.

In addition to all of this, to make sure the installation of cryptocurrency mining malware is completed, the entire Windows system will reboot if the victim tries to kill the process, making it more difficult for security products to pick up.

Through six months of mining on a network of infected machines, attackers earned themselves millions of dollars, Kaspersky Lab has claimed. The security company says at least one criminal group uses the analysed wallet and its possible that several actors might have access to it.

The payoff of particular cryptocurrency mining scheme marks a significant point, according to Kaspersky Lab, as the figure is comparable to some of the most successful ransomware schemes of 2017.

However, instances of large-scale, highly lucrative ransomware campaigns have - excluding some high-profile instances - have declined at the same time as cryptocurrency mining malware has risen, indicating attackers are shifting from one illicit money making scheme to another.

"Cyber criminal groups are actively developing their methods and have already started to use more sophisticated techniques to spread mining software. We have already seen such an evolution - ransomware hackers were using the same tricks when they were on the rise," said Anton Ivanov, lead malware analyst at Kaspersky Lab.

Figures from Kaspersky Lab suggest that 2.7 million users were attacked by malicious miners in 2017, marking a 50 percent increase when compared with the previous year.


Editorial standards