Increased use of malware functions in crypto miners
Criminal crypto miners running in company networks are adopting trojan and malware functionality. Besides server systems, clients can also be compromised via browsers.
Today there are about 1,500 different cryptocurrencies. Since many prices have exploded since the end of last year, the current market capitalization of the cryptocurrencies has reached over 450 billion dollars. In 2017, this attracted many hackers, especially since most cryptocurrencies can be used anonymously.
In 2017, the trend was to use ransomware to hold entire client and server landscapes hostage and to have the ransom transferred anonymously in Bitcoin. For the attackers, however, this was not only expensive, because the ransomware had to be developed and adapted over and over again; with few exceptions, the ransom actually paid was very low relative to the effort, even though the damage worldwide was enormous (for WannaCry alone, estimates range from several hundred million to four billion dollars).
To obtain money from companies, the hackers have therefore adapted their methods. Instead of encrypting the infected system and thereby making themselves immediately visible, attackers are currently taking a quieter approach: they abuse the systems to mine cryptocurrencies. Although a single system is no longer profitable for mining, the hackers pay neither for the hardware nor for the energy and can easily use thousands of systems. In this way, hackers can earn up to millions of dollars in a short period of time, while the affected companies suffer enormous losses of value through greater hardware usage, high energy consumption and lower productivity.
Block lists of known miners and malicious websites can be used for protection. Recently, however, a new crypto miner has appeared that brings along even more functionality from classic malware. For example, it uses so-called DGA domains (Domain Generation Algorithm): the domains to be contacted are only generated at runtime using a method that is otherwise known only to the attacker. Classic block lists thereby become useless, and it also becomes much harder for law enforcement agencies to seize the domains in advance. Since crypto miners are adopting more and more functionality from classic malware, modern protection systems have to be used against them as well.
- Client and server systems as well as cloud landscapes
Users can watch out for unusual behavior on their clients. Many crypto miners use almost the entire CPU capacity, so other applications slow down considerably. Deactivating active content in the browser can also be considered. Server administrators should use monitoring tools to monitor CPU utilization continuously and take a closer look at large deviations. Host-based detection should also be used for heavily loaded servers or cloud systems.
Block lists for crypto miners that are imported centrally into the firewall provide companies with further strong protection. In this case, however, it must be ensured that the lists are updated constantly. In addition, a modern protection system should be considered that, besides current block lists, also includes detection of DGA domains.
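The CPU-utilization check described above, as an added example that is not part of the original article or of the finally safe platform: each host is compared against its own recent baseline (median and median absolute deviation, which a single short spike cannot skew), and only a sustained run of readings far above that baseline is flagged. Host names, sample values, the window of six readings and the thresholds are constructed for illustration.

```python
"""Flag hosts whose CPU utilization stays far above their own baseline.

Added example, not finally safe code. All host names and readings are constructed.
"""
from statistics import median

# Constructed CPU utilization samples (percent), one reading every 5 minutes.
# "web-01" is normal, "db-02" has one short spike, "build-07" becomes pegged
# near 100 % and stays there, the pattern a resident miner produces.
SAMPLES = {
    "web-01":   [12, 15, 11, 18, 14, 13, 16, 12, 15, 14, 13, 17],
    "db-02":    [40, 45, 42, 90, 41, 44, 43, 39, 42, 45, 41, 44],
    "build-07": [20, 25, 22, 18, 24, 21, 97, 99, 98, 100, 99, 98],
}


def baseline(values):
    """Median and median absolute deviation (MAD) of a host's history.

    Both are robust statistics: one outlier reading barely moves them.
    A MAD of 0 (perfectly flat history) is replaced by 1.0 to avoid a zero threshold.
    """
    m = median(values)
    mad = median(abs(v - m) for v in values) or 1.0
    return m, mad


def sustained_deviation(values, window=6, factor=4.0, min_util=85):
    """True when the last `window` readings are all far above the baseline.

    The baseline is built from the readings before the window. A reading counts as
    "far above" when it exceeds median + factor * MAD and also an absolute floor
    (min_util), so a host idling at 2 % is not flagged for reaching 10 %.
    """
    if len(values) <= window:
        return False  # not enough history to build a baseline
    history, recent = values[:-window], values[-window:]
    m, mad = baseline(history)
    threshold = max(m + factor * mad, min_util)
    return all(v >= threshold for v in recent)


def flag_hosts(samples, **kwargs):
    """Return the sorted names of hosts that show a sustained deviation."""
    return sorted(host for host, readings in samples.items()
                  if sustained_deviation(readings, **kwargs))


if __name__ == "__main__":
    for host in flag_hosts(SAMPLES):
        print(f"{host}: CPU pegged for the last 30 minutes, inspect processes")
```

The window is the design choice worth tuning: a short window catches miners quickly but also fires on legitimate batch jobs, so in practice the alert should be correlated with the host-based and network checks the article goes on to describe rather than acted on alone.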
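The two network-side controls from this and the preceding passage, a centrally maintained block list whose age must be checked and a complementary DGA heuristic, as an added example that is not part of the original article or of the finally safe platform. It runs over constructed DNS log lines: a query to a listed miner domain is caught by the block list, while algorithmically generated names (long, high-entropy, vowel-poor labels) are caught by the heuristic even though no list contains them. The block list entries, the `.invalid` host names, the one-day maximum list age and the heuristic thresholds are all assumptions for this sample.

```python
"""Triage resolved domains with a block list plus a DGA heuristic.

Added example, not finally safe code. Block list, DNS log lines, list age policy
and heuristic thresholds are constructed for illustration.
"""
import math
import re
from datetime import datetime, timedelta, timezone

# Constructed block list of known miner infrastructure and its last update time.
BLOCK_LIST = {"pool.example-miner.invalid", "stratum.example-pool.invalid"}
BLOCK_LIST_UPDATED = datetime(2018, 3, 1, tzinfo=timezone.utc)
MAX_LIST_AGE = timedelta(days=1)  # assumed policy: the list must be refreshed daily

# Constructed DNS log lines: "<timestamp> <client-ip> <queried-domain>"
DNS_LOG = """\
2018-03-02T08:00:01Z 10.1.2.3 www.example.com
2018-03-02T08:00:05Z 10.1.2.3 pool.example-miner.invalid
2018-03-02T08:01:11Z 10.1.2.9 xq7bzk3rt9mwl2pv.com
2018-03-02T08:01:13Z 10.1.2.9 hg4kd8swq1nz.net
2018-03-02T08:02:30Z 10.1.2.7 mail.example.org
"""


def shannon_entropy(s):
    """Bits per character of s; random-looking strings score close to log2(len(set))."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_like_dga(domain, min_len=10, min_entropy=3.3, max_vowel_ratio=0.25):
    """Heuristic on the leftmost label: long, high-entropy and vowel-poor.

    Thresholds are assumptions tuned for this sample; a real deployment would
    combine this with allow lists and with how many such names one client resolves.
    """
    label = domain.split(".")[0]
    if len(label) < min_len:
        return False
    letters = re.sub(r"[^a-z]", "", label.lower())
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def block_list_is_stale(now_iso, updated=BLOCK_LIST_UPDATED, max_age=MAX_LIST_AGE):
    """True when the list is older than the policy allows (the article's caveat)."""
    now = datetime.fromisoformat(now_iso)
    return now - updated > max_age


def triage(log_text, block_list=BLOCK_LIST):
    """Return (client_ip, domain, reason) for every suspicious query in the log."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, domain = line.split()
        if domain in block_list:
            hits.append((client, domain, "block-list"))
        elif looks_like_dga(domain):
            hits.append((client, domain, "dga-heuristic"))
    return hits


if __name__ == "__main__":
    if block_list_is_stale("2018-03-03T00:00:00+00:00"):
        print("warning: block list older than policy allows, refresh it")
    for client, domain, reason in triage(DNS_LOG):
        print(f"{client} -> {domain} [{reason}]")
```

The ordering matters: the block list is consulted first because it is authoritative, and the heuristic only decides about names the list does not know. Its false positives (CDN hostnames, tracking subdomains) are why the article recommends a protection system with proper DGA detection rather than a bare entropy check.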
Detection with the finally safe Advanced Security Analytics Platform:
With the solution, users can verify whether there have been or are accesses to the infrastructures of common crypto miners and to SMB shares. This information can be found depending on the modules used:
- If you have subscribed to the management report, we have already analyzed and listed possible accesses to your IT systems via the SMB protocol and accesses from obsolete systems such as Windows XP.
- If you receive the weekly technical report, the SMB accesses can be found in the connection overview and the obsolete systems are listed under operating systems.
- If you have activated the Network Compliance Verifier, you can locate the SMB accesses and obsolete systems in the web portal and directly identify the affected IP addresses of your clients.
- In the Expert System, you can query well-known SMB ports and obsolete operating systems to see whether such network traffic exists in your environment.
- If you have activated the ATD sensor, you can find specific accesses to crypto miner infrastructures in the web portal and directly identify the affected IP addresses of your clients or servers. In addition to current block lists, the system also examines the resolved domains and HTTP accesses for DGA domains.
Sources / further information:
- Market capitalization of cryptocurrencies:
- Distribution of crypto miners via SMB:
- Crypto miner in cafes via WiFi:
- DGA usage with crypto miners: