Dig this: The future of crypto-mining botnets


The blockchain sector is now bursting with innovation, with developers looking for new, pragmatic ways to use this secure distributed ledger technology across a range of applications. And as always, cybercriminals are among the earliest adopters, and unfortunately helping to push forward public awareness of the technology.

Crypto-mining malware is now by far the most common event we are seeing attacking our user base, and this is only the beginning. Since December 2017, the Coinhive crypto-miner, which performs online mining of the Monero cryptocurrency, has been the most common type of malware seen globally, impacting nearly 20% of organizations worldwide over the past four months. What’s more, volumes of crypto-mining attacks are doubling and re-doubling month by month.

So what can we expect over the next couple of years? Here, I will try to predict the future of crypto-mining botnets by analyzing the evolution of cyber-attacks which has led to the current popularity of mining exploits. Combining this with a look at the current decentralized computing projects supported by blockchain technology, I will also suggest the direction in which these attacks are heading, and why.

I will first explain the changes in cyber-attacks that preceded crypto mining malware, how they evolved to the present-day threat, and highlight crypto projects that will lead to the next phases of this trend.

Generating revenue on every attack

An attacker is always aware of the amount of revenue their malware can make, and will quickly adapt their technique to deliver the best possible ROI. Most attacks are linked together in a funnel, in which each step needs to pay the previous level for the “leads” it provides. The usual funnel will be:

Targets > delivery > infection > monetization.

Each step has a success ratio, such as the percentage of spam emails that bypass spam filters, or the percentage of successful exploits (that is, the infection rate) or the rate of click-through on infected files.

The monetization step has its success rate as well. To earn from an infection, the identity of the target needs to match your attack profile. Think of phishing sites or banking Trojans: the infected user needs to be doing online banking with a bank on your supported list, which reduces the number of infected users you can cash in on.

The first malware evolution to use crypto coins for the revenue stream was ransomware. Ransomware doesn’t need to adapt to a specific bank. Every target is vulnerable to ransomware, as every machine and user has files of value, which the user will be incentivized to pay a ransom in order to retrieve. Unfortunately for the attacker, the ransom pay-out rate is under 1% of all infections. This was witnessed in the WannaCry campaign, and in our analysis of the Cerber Ransomware-as-a-service campaign.

Crypto-mining solves this problem of low returns (and of course, relatively high risk), as now there is no need to steal a user’s online banking balance or extort them into paying up. Every mining bot added to your network of miners immediately shares its calculation power with a mining pool and generates revenue for the attacker – in many cases without the user even being aware that they are being exploited. Even better, this technique can also operate in web browsers through crypto-jacking, in which JavaScript-based miners run in the browsers of site visitors, so the attacker doesn’t even need to infect a user’s machine directly: they earn a profit every time someone visits the infected website.

Understanding the crypto mind

About every 10 minutes, 12.5 bitcoin is mined and added, on the blockchain ledger, to the winning miner’s wallet. This shapes the economy behind the mining attack. The miner that claims this reward is the one that has the Proof of Work showing that they solved the current block, and this is then broadcast to all fellow miners so that they continue with mining the next block.

The cost of electricity sets the cost for normal crypto-mining operations, and of course this changes when you use mining malware, as the attacker doesn’t pay the electricity bill. For these malicious actors, the costs are different. They are set by the price of getting an infected machine, divided by the number of CPU cycles that can be performed on it before the infection is removed.

The current evolutionary stage of mining malware is quick, dirty and very noisy. Each infection communicates rapidly with the CNC, as it needs to be updated with the current block calculations which it needs to make.

This was the case with the first wave of ransomware attacks, where there was a need for a CNC connection for creating keys, and each attack was individual. Ransomware quickly adapted to be more successful and bypass this limitation.

The first evolution was that ransomware came with a pre-infection encryption key, so there was no more need for live communication with a command and control center. The next wave was the SamSam campaign type (which recently caused major problems in Atlanta, Georgia). SamSam operators first infected a bridgehead in an organization, then moved laterally inside the network and shut it down once they had enough machines. Extortion of this type is much more destructive and more likely to result in a ransom being paid – and similar tactics will be adopted by developers of crypto-miners.
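The frequent updates from the pool described above are what make this generation of miners visible on the network. As an added example (not part of the original article), the Python code below flags internal hosts whose captured payload lines show a Stratum-style miner handshake followed by repeated job pushes. The Stratum JSON-RPC method names, the record layout, the `min_jobs` threshold and the sample records are assumptions of this example, and the sample data is constructed.

```python
import json
from collections import defaultdict

# Assumption of this example: pool traffic uses Stratum JSON-RPC, either the
# Bitcoin-style "mining.*" methods or the Monero-pool variant (login/job/submit).
CLIENT = {"mining.subscribe", "mining.authorize", "mining.submit", "login", "submit"}
SERVER = {"mining.notify", "mining.set_difficulty", "job"}

# Constructed sample records: (internal host, remote endpoint, captured payload line).
SAMPLE = [
    ("10.0.0.5", "198.51.100.7:3333",
     '{"id":1,"method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x"}}'),
    ("10.0.0.5", "198.51.100.7:3333", '{"method":"job","params":{"job_id":"a1"}}'),
    ("10.0.0.5", "198.51.100.7:3333", '{"method":"job","params":{"job_id":"a2"}}'),
    ("10.0.0.5", "198.51.100.7:3333", '{"method":"job","params":{"job_id":"a3"}}'),
    ("10.0.0.9", "203.0.113.20:443", "GET /index.html HTTP/1.1"),
    # An ordinary web app can also send a JSON "login"; on its own it must not alert.
    ("10.0.0.9", "203.0.113.20:443", '{"method":"login","params":["alice"]}'),
    ("10.0.0.8", "192.0.2.44:8080", "[1, 2, 3]"),
]


def classify(payload):
    """Return 'client', 'server' or None for one captured payload line."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None                      # not JSON at all, e.g. plain HTTP
    if not isinstance(msg, dict) or "params" not in msg:
        return None                      # JSON, but not shaped like a JSON-RPC call
    method = msg.get("method")
    if not isinstance(method, str):
        return None
    if method in SERVER:
        return "server"
    return "client" if method in CLIENT else None


def find_miners(records, min_jobs=3):
    """Flag (host, remote) pairs with a miner handshake plus repeated job pushes."""
    stats = defaultdict(lambda: {"client": 0, "server": 0})
    for src, dst, payload in records:
        kind = classify(payload)
        if kind:
            stats[(src, dst)][kind] += 1
    return sorted(pair for pair, s in stats.items()
                  if s["client"] >= 1 and s["server"] >= min_jobs)
```

Requiring both directions keeps a lone JSON "login" from a normal web application from raising an alert; pools reached over TLS need the same logic applied after decryption or replaced by flow-level heuristics.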

The future of mining malware

As bitcoin becomes a mainstream payment technology, there will be more roadmap items in development for the blockchain technology. Vitalik Buterin, the name behind Ethereum, ignites ideas about his decentralized app platform to allow different use cases for apps over blockchain. Vitalik also refers to BitTorrent as the first decentralized application. Similarly to BitTorrent, a current project named Sia develops a decentralized storage platform and creates a cloud data storage marketplace using the Siacoin blockchain.

This will allow attackers to monetize not just CPU usage, by mining cryptocurrency, but also idle storage on the attacked servers, or even worse, to overwrite existing data with Sia storage. The Golem project “creates a decentralized sharing economy of computing power and supplies software developers with a flexible, reliable and cheap source of computing power,” according to the project site. This aim will allow attackers to monetize infected machines’ computing power not by mining a cryptocoin directly, but rather by selling resources that enable others to mine currency.

Another ‘innovation’ from criminals has already been witnessed in the wild, where instead of mining cryptocurrency, cybercriminals are breaking into wallets. In his talk series at Def Con, Ryan Castellucci mentions a test he did, baiting attackers by transmitting small bitcoin transactions with weak keys produced by a “brainwallet”. These keys are created from a passphrase that a human can remember, but they are much less secure against brute-force attacks or guessing of the passphrase.

Castellucci reports that such transactions were hijacked instantly when using random 5-character passphrases. Such efforts by cybercriminals can lead to massive botnets moving into the field of key-breaking and utilizing mass computing resources for stealing funds directly from the wallets of those that have already mined or bought them, instead of going to the trouble of mining the currency themselves. It seems digital wallets are just as vulnerable as their physical equivalents.

In conclusion, cybercriminals have yet again been quick to innovate in the use of emerging technologies. We expect this wave of mining malware to keep growing and be a major source of innovation and revenue for attackers in the coming years – and a growing problem that the security industry needs to address.