Resources Articles Top 4 Most Dangerous Forms of Cryptocurrency Malware and How to Stay Safe

Top 4 Most Dangerous Forms of Cryptocurrency Malware and How to Stay Safe

Top 4 Most Dangerous Forms of Cryptocurrency Malware and How to Stay Safe

About Cryptocurrency Malware

With cryptocurrency like Bitcoin blowing up in popularity and making people multi-millionaires very rapidly, everyone and their mother is trying to jump on this bandwagon, including malicious actors.

Cryptocurrency has been used on the black market for a very long time. Where there is more common ground for everyday concern is when it comes to javascript coin-miners. Crypto-mining malware made it to the 6th spot in the Top 10 Most Wanted Malware in October 2017, according to the security research team at Checkpoint. These scripts can run rogue until you are wondering why your CPU is pushing 100% utilization if you ever notice and make the connection. That is why these attacks have been so successful; they aren’t meant to affect your experience.

The Botnet

This is by far the most infectious cryptocurrency malware mining operation discovered to date. A botnet dubbed Smominru by Proofpoint researchers was found to have infected half a million computers worldwide using the same leaked NSA exploit as WannaCry. The operators have already mined over $3.6 Million in Monero and are churning out about 24 Monero per day ($6,000 at the time of updating this).

The highest number of infected machines are in Russia, India, and Taiwan but there are a decent amount in the United States and several other countries as well. Another fileless malware attack discovered by Panda Security as WannaMine uses the same NSA exploit, EternalBlue, to mine Monero. This is probably just the beginning of this type of lucrative and quiet malware.


Websites like coinhive, coin-have, and crypto-loot supply easily embeddable javascript crypto-mining scripts. These can be embedded into web pages and plugins. When a user visits one of these websites or is running a plugin with the script, their CPU power gets used at the discretion of the script to mine cryptocurrency.

In most cases, this happens without asking or notifying the user. Sometimes these are put in place by legitimate website administrators who notify users and ask permission. Even Showtime was caught running these scripts on their video streaming websites.  If no value is set within the script it will use as much excess processing power of the machine as possible by default.

The Social Worm

There has also been a recent uptick in coin-mining malware spread through Facebook messenger. People have received messages through Facebook messenger with zipped video attachments that are actually malware dubbed Digimine. Once clicked it downloads the components from a C&C server along with an auto-start mechanism and a malicious plugin for Chrome.

When Chrome is later launched the malicious backend plugin will wait for you to login to Facebook. Finally, the plugin will interact with your Facebook Messenger and send the malicious zipped video to your contacts. At this point, the vicious cycle starts all over again for them.

Update: An even more intrusive worm has been running rampant called FacexWorm. This worm spreads just like Digimine and tries to run JavaScript miners in user’s browsers. This worm is also built to steal credentials for Google, MyMonero, and CoinHive. It also replaces any wallet addresses by detecting any of 52 cryptocurrency exchange URL’s and phishes login credentials to later clean out the user’s exchange accounts. This is a truly thorough and intense worm that would be an absolute nightmare for anyone involved with cryptocurrency.

The Mobile Threat

Kasperky Lab has discovered an Android trojan called Loapi. This malware is known as a “jack-of-all-trades” malware and lurks in fake anti-virus and porn applications. Loapi can be used for DDOS, advertisements, redirecting web traffic, sending text messages, installing other applications, and coin-mining Monero. The type of mining challenge posed by the Monero blockchain is well suited for CPU’s. This makes Monero the typical cryptocurrency of choice of coin-mining scripts for PC, mobile, and IoT devices. During a test, this malware destroyed an Android phone within 2 days of mining!

How to Stay Safe

There is not one way to safeguard yourself from all types of cryptocurrency mining malware. At the end of the day, malware is malware and best-practices will forever be the best protection. For the threats we have seen already, the most important best-practices to pay attention to in lieu of coin-miners would be the following.

  • DO NOT click on any “ .zip” files in Facebook messenger. If you receive one, message the person back saying you think they have had a breach and they should run a scan on their computer and disable any unfamiliar browser plugins.
  • DO NOT download any anti-virus or porn apps on your phone. Do not download apps from any other source besides the app store.
  • Block browser miners. This can be done by installing a plugin to warn you when a site is trying to mine, blocking the mining domains, or stopping scripts from running altogether which will definitely put a damper on your web browsing experience. See a more detailed list of these options here.
  • Good endpoint protection can automatically block this malware for you.

How Sedara Can Defend You From Cryptocurrency Malware

As the cryptocurrency market continues to grow, these threats will also grow in intensity and popularity so staying ahead of them is crucial. If you have any questions or comments just let us know!

Subscribe to Sedara Declassified to get timely updates on new and evolving threats – and what to do about them – just like our clients do.

Accomplish your security & compliance goals.

Get a Demo