Cryptojacking: Has cryptocurrency-mining malware already reached its peak?

Newly released figures suggest coinmining attacks have started to decline, as some hackers grow impatient with low returns on their investment, which could lead to a rise in more dangerous attacks.
Written by Danny Palmer, Senior Writer

Cryptojacking malware is already losing its appeal to cyber criminals as some users of the illicit cryptocurrency-mining software begin to realise that it isn't as simple a means of making a quick buck as they first thought.

Cryptocurrency-mining malware is deployed to infect machines including PCs, servers, smartphones and even Internet of Things connected devices, in order to secretly use their processing power to mine for cryptocurrency.

The stealthy nature of cryptojacking makes it highly appealing for cyber criminals, who can maintain a presence on an infected machine over a long period of time without much risk, since most users won't be suspicious of their computer running a little slower or their fans working harder.

Such is the popularity of cryptocurrency mining malware, it has overtaken ransomware as a means of cyber criminals turning a profit.

However, a little over eight months since the boom in cryptojacking malware began, this particular form of cyber crime appears to be losing its appeal, because despite remaining one of the most common forms of malware, detections have sharply declined in recent months.

Figures in the Cybercrime tactics and techniques: Q2 2018 report by Malwarebytes suggest that detections of coinminers on consumer desktop PCs peaked at five million in March, but dropped to around 1.5 million in June.

The pattern is similar to detections of coinmining malware on business desktop PCs -- 100,000 detections of cryptojacking malware in January declined to around 30,000 by June.


One reason cryptocurrency mining malware is being dumped by some criminals is because it isn't representing a good return on investment. While it comes with the advantage of being extremely stealthy, attackers require a large network of infected machines and the patience to wait for months in order to generate a good profit.

"Simply compromising a few hundred sites with a web miner alone is not going to yield very much, since those hacked sites typically have low traffic," Jérôme Segura, security researcher at Malwarebytes, told ZDNet.

According to the report, a decline in the value of Monero -- the currency preferred by cryptojackers thanks to how it can be mined on almost any connected device as well as the privacy it offers -- is partly responsible for the declining use of this malware. Like Bitcoin, Monero surged in value late last year, leading to the rush towards coinmining.

But in the months since, deploying cryptojacking malware has become more difficult, as anti-virus software has become more adept at detecting the threat.

"For a short time, criminals saw a way to profit from malicious cryptomining that was unexpected and therefore ripe for abuse. Now that the technique is known and fought against, this poses new challenges that make them re-evaluate their operations," said Segura.


One danger which could emerge from the coinminer slowdown is that attackers could move towards other, more damaging forms of malware. Ransomware has remained popular during 2018 and the decline of cryptojacking could see some hackers return to demanding payments in return for decrypting files.

Researchers point to a drop in coinmining being particularly bad news when it comes to one threat -- the Vools backdoor.

Currently, Vools is mainly used to deliver miners and its spread can be aided by EternalBlue -- the SMB vulnerability behind the WannaCry ransomware attack -- but researchers warn that the decline of cryptojacking means that more malicious threats could be deployed using this backdoor.

"The primary fear of Vools' capabilities is not due to its mining component or even its use of EternalBlue, but the additional threats that this malware can and will install on the system once cryptomining goes out of fashion," said the Malwarebytes report.

"Based on plummeting cryptocurrency values over the last few months, that time is going to come sooner than later."

However, in much the same fashion that the rise of cryptocurrency mining didn't kill off malware, should cryptojacking now continue to decline, it isn't going to disappear completely.

"The interest in cryptocurrencies is still very strong and it is one of the reasons why malicious cryptomining is going to remain one of the top threats for some time," said Segura.

