Increased use of malware functions in crypto miners


Crypto miners running illegally on corporate systems increasingly borrow trojan and malware functionality. Besides server systems, clients can also be compromised via the browser.


Today there are about 1,500 different cryptocurrencies [1]. Because many prices have exploded since the end of last year, the total market capitalization of cryptocurrencies now exceeds 450 billion dollars. In 2017 this attracted many attackers, especially since most cryptocurrencies can be used anonymously.

In 2017 the trend was ransomware: holding entire client and server landscapes hostage and having the ransom transferred anonymously in Bitcoin. For the attackers, however, this was not only expensive, because the ransomware had to be developed and adapted over and over again; with few exceptions, the ransom actually paid was also very low relative to the effort, even though the damage worldwide was enormous (for WannaCry alone, estimates range from several hundred million to four billion dollars).

In order to extract money from companies, attackers have adapted their methods. Instead of encrypting the infected system and thereby making themselves immediately visible, they are currently taking a quieter approach and abusing the systems to mine cryptocurrencies. Although a single system is no longer profitable for this purpose, the attackers pay neither for the hardware nor for the energy and can easily use thousands of systems. In this way they can earn up to millions of dollars in a short period of time, while the affected companies suffer enormous losses through greater hardware wear, high energy consumption and lower productivity.

There are currently two popular methods of crypto mining: mining by malware on IT systems and integration via the browser. Server farms and cloud landscapes are particularly profitable targets for crypto miners with trojan abilities: there are well-known cases in which, for example, the Amazon Cloud (AWS) accounts of large companies were illegally used for Bitcoin mining and caused enormous damage, because cloud services are usually invoiced according to the resources consumed. To get many other systems mining as well, the browser has become a profitable vector. In this case, a crypto miner is either integrated via JavaScript directly into the attacker's own, usually questionable, website or distributed in the same way as advertising networks. Malicious browser plug-ins are already in use here too, some of which, for example, also swap the user's wallet for the attacker's own. Distribution via known vulnerabilities such as EternalBlue against exposed SMB shares is also used [2]. A further trend is to inject a crypto miner via a man-in-the-middle (MITM) position, e.g. on café Wi-Fi [3].

To protect yourself, block lists of known miners and malicious websites can be used. Recently, however, a new crypto miner has appeared [4] that brings even more functionality from classic malware. For example, it uses so-called DGA domains (Domain Generation Algorithm): the domains to be contacted are only generated at runtime, using a method that is otherwise known only to the attacker. Classic block lists thereby become useless, and it also makes it harder for law enforcement agencies to seize the domains in advance. Since crypto miners are adopting more and more functionality of classic malware, modern protection systems have to be used against them as well.

Affected Systems:

  • Client and server systems as well as cloud landscapes
  • Browsers with active content (such as JavaScript)


Users can watch out for unusual behavior of their clients. Many crypto miners use almost the entire CPU capacity, so other applications slow down considerably. Furthermore, deactivating active content in the browser can be considered. Server administrators should use monitoring tools to permanently monitor CPU utilization and take a closer look at large deviations. Host-based detection should also be used for heavily overloaded servers or cloud systems.
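As an added example that is not part of the original article, the following Python function applies the monitoring advice above to constructed per-host CPU samples: it distinguishes the sustained saturation typical of a miner from a short spike such as a backup job.

```python
from statistics import mean

# Constructed CPU utilization samples (percent), one reading per minute per host.
CPU_SAMPLES = {
    "web-01": [12, 15, 11, 14, 13, 12, 16, 14, 13, 12, 15, 13],
    "db-01":  [35, 40, 38, 42, 90, 37, 39, 41, 36, 38, 40, 37],   # one short spike
    "app-07": [20, 22, 19, 21, 97, 99, 98, 100, 99, 98, 97, 99],  # sustained saturation
}


def find_sustained_cpu_hosts(samples, baseline_n=4, saturation=90, min_run=5, jump=50):
    """Flag hosts whose CPU stays at or above `saturation` for `min_run` consecutive
    samples and whose readings sit more than `jump` points above the host's own
    baseline (the mean of its first `baseline_n` samples). Short spikes are ignored."""
    suspects = {}
    for host, series in samples.items():
        base_mean = mean(series[:baseline_n])
        run = 0
        for value in series[baseline_n:]:
            run = run + 1 if value >= saturation else 0
            if run >= min_run and value - base_mean > jump:
                suspects[host] = {"baseline_mean": base_mean, "sustained_samples": run}
                break
    return suspects


if __name__ == "__main__":
    for host, info in find_sustained_cpu_hosts(CPU_SAMPLES).items():
        print(f"{host}: baseline {info['baseline_mean']:.1f}%, "
              f"saturated for {info['sustained_samples']} consecutive samples")
```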

Another strong protection for companies is provided by block lists for crypto miners that are imported centrally into the firewall. In this case, however, it must be ensured that the lists are updated constantly. In addition, a modern protection system should be considered that, besides current block lists, also includes detection of DGA domains.
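As an added example that is not part of the original article or of the finally safe product, the following Python script combines the two measures just described: it checks constructed DNS query log lines against a small, made-up miner-pool block list (placeholder names, not real indicators) and flags domains whose registrable label looks machine-generated, using a character-entropy and vowel-ratio heuristic as a simple stand-in for DGA recognition.

```python
import math
from collections import Counter

# Constructed block list of miner-pool hostnames (placeholders, not real indicators).
MINER_BLOCKLIST = {"pool.example-miner.test", "xmr.example-pool.test"}

# Constructed DNS query log: "<timestamp> <client-ip> <queried-domain>"
SAMPLE_DNS_LOG = """\
2018-02-12T09:01:03 10.0.0.15 www.example.com
2018-02-12T09:01:07 10.0.0.15 pool.example-miner.test
2018-02-12T09:01:09 10.0.0.22 xk3q9vz7tplw0b.com
2018-02-12T09:01:12 10.0.0.22 mail.example.org
2018-02-12T09:01:15 10.0.0.31 hq7g2nfzx4.net
"""


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registrable_label(domain):
    # Naive: the label left of the TLD; assumes single-label TLDs (no co.uk handling).
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_like_dga(domain, entropy_threshold=3.0, min_len=10):
    """Heuristic: long label, high character entropy, and few vowels or several digits."""
    label = registrable_label(domain)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    digits = sum(ch.isdigit() for ch in label)
    return shannon_entropy(label) >= entropy_threshold and (vowel_ratio < 0.25 or digits >= 2)


def classify(domain):
    if domain.lower() in MINER_BLOCKLIST:
        return "blocklist"
    if looks_like_dga(domain):
        return "dga-suspect"
    return None


def scan_dns_log(log_text):
    """Return (client_ip, domain, reason) for every log line that is a hit."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, domain = line.split()
        reason = classify(domain)
        if reason:
            hits.append((client, domain, reason))
    return hits
```

The entropy threshold and vowel ratio are tuning knobs; a real deployment would also consult a public-suffix list and a reputation feed before acting on a hit.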

Detection with the finally safe Advanced Security Analytics Platform:

With the solution, users can verify whether there were, or still are, accesses to the infrastructures of common crypto miners and to SMB shares. This information can be found, depending on the modules used:

  • If you have subscribed to the management report, we have already analyzed and listed possible accesses to your IT systems via the SMB protocol as well as accesses from obsolete systems such as Windows XP.
  • If you receive a technical report every week, the SMB accesses can be found in the connection overview and the obsolete systems are listed under operating systems.
  • If you have activated the Network Compliance Verifier, you can locate the SMB accesses and obsolete systems in the web portal and directly identify the affected IP addresses of your clients.
  • In the Expert System, you can filter on well-known SMB ports and obsolete operating systems to see whether such traffic exists in your network.
  • If you have activated the ATD sensor, you can find specific accesses to crypto miner infrastructures in the web portal and directly identify the affected IP addresses of your clients or servers. In addition to current block lists, the system also examines the resolved domains and HTTP accesses for DGA domains.

Sources / further information:

