By Jason Mueller, Senior Sales Engineer at CounterTack
A seemingly growing trend as of late is the rise (and perceived fall) of Bitcoin. Given how extremely volatile cryptocurrency has become, its surge in notoriety has created an underground network of those who will do anything to monetize it, with or without your consent. As a result, cryptocurrency-themed malware has taken center stage over the past few months. Its intent is to consume precious system resources, e.g. CPU, RAM and GPU, unbeknownst to the end user. Bitcoin mining today requires custom hardware that can cost several hundred to a few thousand dollars.
"Bitcoin is created through an energy-intensive 'mining' process that uses high computing power to solve a complex mathematical equation, proving an anonymous miner used the process the network agreed upon to build the blockchain record of transactions. Miners then get bitcoin in reward for successfully completing the equation. If the cost to create bitcoin exceeds the reward, miners theoretically lose incentive." (1)
With cost being the number one factor associated with mining cryptocurrency, it only makes sense to offload that cost by installing crypto-mining software on unsuspecting users' machines. The obvious advantage is avoiding the financial investment necessary to profit from mining; another is the ability to duplicate the effort across hundreds of thousands of endpoints. This allows miners to generate in one day the profit that could otherwise take up to a year. Wherever there's financial motivation, there will always be those who look to capitalize, legally or not.
So, if all it's doing is mining cryptocurrency, why is it considered malicious? Cryptocurrency-themed malware shares the characteristics of most modern-day malware, from command-and-control capabilities to maintaining persistence across a reboot. Not to mention, the delivery mechanisms by which the malware is distributed share the same commonalities, from phishing emails to highly complex payloads designed to run in memory without touching the file system. The latter is a way to circumvent endpoint prevention: because the code runs solely in memory, it bypasses traditional static analysis approaches.
Decentralization makes it extremely difficult to identify threat actors. A global network of computers uses blockchain technology to jointly manage the database that records Bitcoin transactions. That is, Bitcoin is managed by its network, and not any one central authority. Decentralization means the network operates on a user-to-user (or peer-to-peer) basis.
"Bitcoin does not have stealth addresses. Bitcoin payments are easily traceable to the sender's address. Multiple Bitcoin payments to the same address can be linked unless the Bitcoin recipient creates new wallet addresses for each transaction (which is impractical e.g. for donation addresses and is problematic if the recipient wants to merge the amounts while maintaining privacy). Bitcoin observers can easily see the amounts of payments that occur." (2)
However, with the rise of cryptocurrencies specifically designed to offer full anonymity by way of stealth addressing, unlinkability and untraceable transactions, identifying those who are monetizing crypto-mining becomes increasingly difficult. For this very reason, the proliferation of crypto-themed malware has taken center stage: the risk is minimal and the reward can be extremely lucrative.
Another area of concern for those tasked with securing their infrastructure and preventing such attacks is the blockchain itself, since decentralized systems are very expensive to attack, destroy or manipulate. The ability, or lack thereof, of law enforcement to step in and "take down" these highly distributed networks proves just how resilient the blockchain is to attack. In fact, for this very reason, businesses are adopting blockchain as an added advantage over utilizing the cloud, and it has opened new revenue streams by offering blockchain-as-a-service.
It's no secret that crypto mining takes a toll not only on the hardware involved but also on the electricity costs needed to run the "rig" over a long period of time. None of this matters to those seeking to monetize an organization's precious resources, considering all the costs are offloaded and the monetary gains all go into the attacker's pocket. This presents a crippling challenge from the SMB market all the way to Fortune 50 entities. Cost aside, the impact on resources makes it increasingly difficult for users to do their jobs on their own machines. Think of crypto mining software as a DDoS that consumes resources and renders the machine unusable.
"The U.S. ranks 41st among countries, with an average cost for mining bitcoin of $4,758 a bitcoin, close to other popular mining destinations Russia at $4,675 and aforementioned Iceland at $4,746." (3)
At the time of writing this article, Bitcoin is priced at $8,903 and continuing an upward trend with experts claiming it'll soon reach its record high of $19k as seen in December 2017. With this being the case, security researchers claim that crypto mining software, as well as prolific ransomware, is here to stay.
So how do we as practitioners and defenders alike prevent these forms of attacks against our infrastructure? The obvious is to keep all connected systems up to date with routine patching, as well as decommissioning antiquated systems that are prone to exploitation; I'm looking at you, XP. Another no-brainer is to leverage next-gen prevention, detection and response capabilities.
However, nowadays it's not enough to build a math model and employ artificial intelligence to statically analyze payloads, especially when it comes to cryptocurrency miners, whose character traits are nearly identical to those of seemingly good software. Identifying the behavior of an application is the only way to truly understand its dynamics and capabilities. For that very reason, CounterTack has purposefully created analytical models and engines to provide the context and visibility behind our interpretation of a threat. Each of these components provides different observations of potentially malicious activity, which are uploaded to the analytics engine on the endpoint. These observations may corroborate, correlate, or contrast the potentially malicious activity.
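To make the behavioral idea concrete, here is an added example (written for this edit, not CounterTack's engine or any part of its product) that correlates the kinds of observations the article mentions: sustained CPU consumption, a persistence write, outbound traffic to an unexpected destination, and code with no backing file on disk. It shows corroboration (independent signals on one process raise the score), correlation (the signals are tied to the same process), and contrast (a known-good image that is merely busy is scored down). The telemetry records, the `KNOWN_HOSTS` allowlist, the `known_good` flag and the weights are all constructed assumptions for illustration.

```python
"""Behavioral triage of endpoint observations: correlate several weak signals
per process instead of classifying a binary statically.
All telemetry below is constructed for this example, not real sensor output."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CPU_THRESHOLD = 80.0      # percent of one core
SUSTAINED_SAMPLES = 10    # consecutive one-minute samples at or above threshold
# Hypothetical allowlist of destinations the organization expects to see.
KNOWN_HOSTS = {"update.example.com"}


@dataclass
class ProcessTelemetry:
    pid: int
    image: str
    cpu_samples: List[float]                                   # one sample per minute
    persistence_writes: List[str] = field(default_factory=list)  # e.g. Run-key paths written
    outbound_hosts: List[str] = field(default_factory=list)
    image_on_disk: bool = True   # False when executing code has no backing file (memory-only)
    known_good: bool = False     # e.g. signed by a trusted vendor (hypothetical flag)


def longest_run_over(samples: List[float], threshold: float) -> int:
    """Longest streak of consecutive samples at or above threshold."""
    run = best = 0
    for s in samples:
        run = run + 1 if s >= threshold else 0
        best = max(best, run)
    return best


def observe(p: ProcessTelemetry) -> Dict[str, int]:
    """Independent observations about one process, each with a weight."""
    obs: Dict[str, int] = {}
    if longest_run_over(p.cpu_samples, CPU_THRESHOLD) >= SUSTAINED_SAMPLES:
        obs["sustained_cpu"] = 2          # resource theft, the miner's whole purpose
    if p.persistence_writes:
        obs["persistence"] = 2            # survives a reboot
    if any(h not in KNOWN_HOSTS for h in p.outbound_hosts):
        obs["unknown_outbound"] = 2       # possible command-and-control traffic
    if not p.image_on_disk:
        obs["memory_only"] = 3            # nothing on disk for static analysis to inspect
    return obs


def score(p: ProcessTelemetry) -> Tuple[int, Dict[str, int]]:
    """Combine observations: corroborate when they agree, contrast when context explains them."""
    obs = observe(p)
    total = sum(obs.values())
    if len(obs) >= 2:
        total += 2                        # corroboration: independent signals on one process
    if p.known_good and set(obs) <= {"sustained_cpu"}:
        total = 0                         # contrast: trusted software that is simply busy
    return total, obs


def verdict(total: int) -> str:
    if total >= 6:
        return "malicious"
    if total >= 2:
        return "suspicious"
    return "benign"


def triage(records: List[ProcessTelemetry]) -> Dict[int, Tuple[str, int, List[str]]]:
    """Map each pid to (verdict, score, sorted observation names)."""
    out: Dict[int, Tuple[str, int, List[str]]] = {}
    for p in records:
        total, obs = score(p)
        out[p.pid] = (verdict(total), total, sorted(obs))
    return out


# Constructed sample telemetry (not from any real incident).
SAMPLE_TELEMETRY = [
    # A video encoder signed by a trusted vendor: busy, but only busy.
    ProcessTelemetry(pid=1001, image=r"C:\Program Files\Encoder\encode.exe",
                     cpu_samples=[95.0] * 30, known_good=True),
    # Memory-only code that saturates a core, persists and talks to an unknown host.
    ProcessTelemetry(pid=1002, image="<unbacked>",
                     cpu_samples=[40.0] * 5 + [99.0] * 25,
                     persistence_writes=[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"],
                     outbound_hosts=["203.0.113.7"], image_on_disk=False),
    # Ordinary updater: brief CPU spikes, known destination, no persistence.
    ProcessTelemetry(pid=1003, image=r"C:\Program Files\Vendor\updater.exe",
                     cpu_samples=[85.0, 90.0, 10.0] * 10,
                     outbound_hosts=["update.example.com"]),
]

if __name__ == "__main__":
    for pid, (v, total, obs) in triage(SAMPLE_TELEMETRY).items():
        print(f"pid {pid}: {v} (score {total}) observations={obs}")
```

The point of the contrast rule is that no single observation, not even sustained CPU, is a verdict on its own; the encoder and the miner look identical on CPU alone and are only separated by what else the process does.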
Back in early March, Microsoft encountered a cryptocurrency-mining malware that was able to propagate itself across nearly 500k endpoints within just 12 hours. According to The Hacker News, "Dubbed Dofoil, aka Smoke Loader, the malware was found dropping a cryptocurrency miner program as payload on infected Windows computers that mines Electroneum coins, yet another cryptocurrency, for attackers using victims' CPUs." (4) In the example below, you'll find artifacts associated with Dofoil gathered from the CounterTack Sentinel platform. This is just one example of many that outlines how we're able to collect, analyze and mitigate threats such as Dofoil and significantly reduce dwell time, all without the need for signatures or external threat intelligence.
Relationship graph showing the anatomy of execution regarding Dofoil cryptocurrency-mining malware
About Jason Mueller: Jason is an industry-recognized subject matter expert in cybersecurity, focusing predominantly on endpoint prevention, detection and response. He has held positions at prominent and leading cybersecurity vendors that have allowed him to engage with customers first hand to develop best practices to reduce the attack surface and mitigate adversarial threats.