Brand
InsightsMore News

Check Point expert digs into the future of cryptomining botnets

Check Point expert digs into the future of cryptomining botnets

Gadi Naveh, Threat Prevention Evangelist, Check Point digs into the future of cryptomining botnets

By Gadi Naveh, Threat Prevention Evangelist, Check Point

The blockchain sector is now bursting with innovation, with developers looking for new, pragmatic ways to use this secure distributed ledger technology across a range of applications. And as always, cybercriminals are among the earliest adopters, and unfortunately helping to push forward public awareness of the technology.

Cryptomining malware is now by far the most common event we are seeing attacking our user base, and this is only the beginning. Since December 2017, the Coinhive cryptominer, which performs online mining of the Monero cryptocurrency, has been the most common type of malware seen globally, impacting nearly 20% of organisations worldwide over the past four months. What’s more, volumes of cryptomining attacks are doubling and re-doubling month by month.

So what can we expect over the next couple of years?  Here, I will try to predict the future of cryptomining botnets by analysing the evolution of cyberattacks which has led to the current popularity of mining exploits. Combining this with a look at the current decentralised computing projects supported by blockchain technology, I will also suggest the direction in which these attacks are heading and why.

I will first explain the changes in cyberattacks that preceded cryptomining malware, how they evolved to the present-day threat, and highlight cryptoprojects that will lead to the next phases of this trend.

Mining money on every attack

An attacker is always aware of the amount of revenue their malware can make and will quickly adapt their technique to deliver the best possible ROI. Most attacks are linked together in a funnel, in which each step needs to pay the previous level for the ‘leads’ it provides.

The usual funnel will be:

Targets > delivery > infection > monetisation

Each step has a success ratio, such as the percentage of spam emails that bypass spam filters, or the percentage of successful exploits (the infection rate) or the rate of click-through on infected files.

The monetisation step has its success rate as well. To earn from an infection, the identity of the target needs to match your attack profile. Think of phishing sites or banking trojans, the infected user needs to be doing online banking with your supported list of banks which reduces the number of infected users you can cash-in on.

The first malware evolution to use cryptocoins for the revenue stream was ransomware. Ransomware doesn’t need to adapt to a specific bank. Every target is vulnerable to ransomware, as every machine and user has files of value, which the user will be incentivised to pay a ransom in order to retrieve.

Unfortunately for the attacker, the ransom pay-out rate is under 1% of all infections. This was witnessed in the WannaCry campaign, and in our analysis of the Cerber Ransomware–as-a-service campaign.

Cryptomining solves this problem of low returns (and of course relatively high-risk) as now there is no need to steal a user’s online banking balance or extort them into paying up.  Every mining bot added to your network of miners immediately shares its calculation power with a mining pool and generates revenue for the attacker – in many cases without the user even being aware that they are being exploited.

Even better, this technique can also operate on web browsers using cryptojacking, JavaScript-based miners on site viewers, so the attacker doesn’t even need to infect a user’s machine directly – they earn a profit every time someone visits the infected website.

Understanding the ‘cryptomind’

About every 10 minutes an amount of 12.5 bitcoin (~120,000$!) is mined and added to the blockchain ledger to the winning miner’s wallet. This shapes the economy behind the mining attack. The miner which claims this reward is the one that has the proof of work that they solved the current block and this is then broadcast to all fellow miners to continue with mining the next block.

The cost of electricity sets the cost for normal cryptomining operations and of course this changes when you use mining malware as the attacker doesn’t pay the electricity bill. For these malicious actors, the costs are different. They are set by the price of getting an infected machine, divided by the number of CPU cycles that can be performed on it before the infection is removed.

The current evolutionary stage of mining malware is quick, dirty and very noisy. Each infection communicates rapidly with the CDC as it needs to be updated with the current block calculations which it needs to make.

This was the case with the first wave of ransomware attacks, where there was a need for a CNC connection for creating keys and each attack was individual. Ransomware quickly adapted to be more successful and bypass this limitation.

The first evolution was that ransomware came with a pre-infection encryption key, so there was no more need for a live communication to a command and control centre. The next wave was the SamSam campaign type (which recently caused major problems in Atlanta, Georgia). SamSam operators first infected a bridgehead in an organisation and then moved laterally inside the network and shut it down once it got enough machines. Extortion of this type is much more destructive and more likely to result in a ransom being paid – and similar tactics will be adopted by developers of cryptominers.

The future of mining malware

As bitcoin becomes a mainstream payment technology, there will be more roadmap items in development for the blockchain technology. Vitalik Buterin, the name behind Ethereum, ignites ideas about his decentralised app platform to allow different use cases for apps over blockchain. Vitalik also refers to BitTorrent as the first decentralised application. Similarly to BitTorrent, a current project named Sia develops a decentralised storage platform and creates a cloud data storage marketplace using the Siacoin blockchain.

This will allow attackers to monetize not just CPU usage to mine cryptocurrency, but also from idle storage on the attacked servers, or even worse, overwriting existing data by Sia storage. The Golem project ‘creates a decentralised sharing economy of computing power and supplies software developers with a flexible, reliable and cheap source of computing power’ according to the project site. This aim will allow sharing of infected machines’ computing power to monetise not by mining a cryptocoin directly, but rather by selling resources that enable others to mine currency.

Another ‘innovation’ from criminals has already been witnessed in the wild where, instead of mining cryptocurrency, cybercriminals are breaking into wallets. In his talk series in DefCon, Ryan Castellucci mentions a test he did with baiting attackers by transmitting small bitcoin transactions with weak ‘brainwallet’ produced keys. These keys are created from a passphrase that a human can remember but are much less secure against brute force attacks, or guessing the passphrase.

Castellucci reports that such transactions were hijacked instantly when using random five-character passphrases. Such efforts by cybercriminals can lead to massive botnets moving into the field of key-breaking and utilising mass computing resources for stealing funds directly from the wallets of those that have already mined or bought them, instead of going to the trouble of mining the currency themselves. It seems digital wallets are just as vulnerable as their physical equivalents.

In conclusion, cybercriminals have yet again been quick to innovate in the use of emerging technologies. We expect this wave of mining malware to keep growing and be a major source of innovation and revenue for attackers in the coming years – and a growing problem that the security industry needs to address.