About Cryptocurrency Malware
With cryptocurrency like Bitcoin blowing up in popularity and making people multi-millionaires very rapidly, everyone and their mother is trying to jump on this bandwagon, including malicious actors.
The most infectious cryptocurrency-mining malware operation discovered to date is a botnet dubbed Smominru by Proofpoint researchers, which was found to have infected half a million computers worldwide using the same leaked NSA exploit as WannaCry. The operators have already mined over $3.6 million in Monero and are churning out about 24 Monero per day ($6,000 at the time of updating this).
Most of the infected machines are in Russia, India, and Taiwan, but a decent number are in the United States and several other countries as well. Another fileless malware attack, dubbed WannaMine by Panda Security, uses the same NSA exploit, EternalBlue, to mine Monero. This is probably just the beginning of this type of lucrative and quiet malware.
In most cases, this browser-based mining happens without asking or notifying the user. Sometimes these scripts are put in place by legitimate website administrators who notify users and ask permission. Even Showtime was caught running these scripts on its video streaming websites. If no limit is set within the script, it will by default use as much of the machine's spare processing power as possible.
The Social Worm
There has also been a recent uptick in coin-mining malware spread through Facebook Messenger. People have received messages through Facebook Messenger with zipped video attachments that are actually malware dubbed Digimine. Once clicked, it downloads its components from a command-and-control (C&C) server, along with an auto-start mechanism and a malicious plugin for Chrome.
When Chrome is later launched, the malicious backend plugin waits for you to log in to Facebook. Finally, the plugin interacts with your Facebook Messenger and sends the malicious zipped video to your contacts. At this point, the vicious cycle starts all over again for them.
The Mobile Threat
Kaspersky Lab has discovered an Android trojan called Loapi. This malware is known as a “jack-of-all-trades” malware and lurks in fake anti-virus and porn applications. Loapi can be used for DDoS, advertisements, redirecting web traffic, sending text messages, installing other applications, and coin-mining Monero. The type of mining challenge posed by the Monero blockchain is well suited to CPUs. This makes Monero the typical cryptocurrency of choice for coin-mining scripts on PC, mobile, and IoT devices. During a test, this malware destroyed an Android phone within 2 days of mining!
How to Stay Safe
There is no single way to safeguard yourself from all types of cryptocurrency mining malware. At the end of the day, malware is malware, and best practices will forever be the best protection. For the threats we have seen so far, the most important best practices to pay attention to with respect to coin-miners are the following.
- DO NOT click on any “.zip” files in Facebook Messenger. If you receive one, message the person back saying you think they have had a breach and that they should run a scan on their computer and disable any unfamiliar browser plugins.
- DO NOT download any anti-virus or porn apps on your phone. Do not download apps from any source other than the official app store.
- Block browser miners. This can be done by installing a plugin that warns you when a site is trying to mine, by blocking the mining domains, or by stopping scripts from running altogether, which will definitely put a damper on your web browsing experience. See a more detailed list of these options here.
- Good endpoint protection can automatically block this malware for you.
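The zipped “video” attachments described under The Social Worm and in the first bullet above can be screened without extracting them. The following is an added example in Python (not Sedara's code or anything from the Digimine analysis): it lists a zip archive's members and flags executable file types, media-looking names that end in a non-media extension (video.mp4.exe), and media-named members whose first bytes are the “MZ” magic of a Windows executable. The archive it scans is constructed inline from placeholder bytes; nothing in it is a real program.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Member types that have no business inside a "video" someone sent you.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".jar", ".msi", ".lnk"}
MEDIA_SUFFIXES = {".mp4", ".avi", ".mov", ".mkv", ".wmv"}

def classify_member(name: str, header: bytes = b"") -> list[str]:
    """Return the reasons one archive entry looks suspicious (empty list if none)."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return reasons
    last = suffixes[-1]
    if last in EXECUTABLE_SUFFIXES:
        reasons.append(f"executable type {last}")
    # "video.mp4.exe": a media-looking name that actually ends in an executable extension
    if len(suffixes) >= 2 and suffixes[-2] in MEDIA_SUFFIXES and last not in MEDIA_SUFFIXES:
        reasons.append("media name with trailing non-media extension")
    # Extension says video, but the first bytes are the "MZ" magic of a Windows executable
    if last in MEDIA_SUFFIXES and header.startswith(b"MZ"):
        reasons.append("PE header behind media extension")
    return reasons

def inspect_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Map suspicious member names to reasons; only the first two bytes of each member are read."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                header = fh.read(2)
            reasons = classify_member(info.filename, header)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_attachment() -> bytes:
    """Constructed sample archive with placeholder bytes; nothing in it is a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("funny_video.mp4.exe", b"MZ placeholder, not a real executable")
        zf.writestr("trailer.mp4", b"MZ placeholder with a video extension")
        zf.writestr("clip.mp4", b"\x00\x00\x00\x18ftypmp42")
        zf.writestr("readme.txt", b"watch this!")
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_zip_attachment(build_sample_attachment()))
```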
How Sedara Can Defend You From Cryptocurrency Malware
As the cryptocurrency market continues to grow, these threats will also grow in intensity and popularity, so staying ahead of them is crucial. If you have any questions or comments, just let us know!
Subscribe to Sedara Declassified to get timely updates on new and evolving threats – and what to do about them – just like our clients do.