Crypto Miners May Be the ‘New Payload of Choice’ for Attackers

Ransomware has been a favorite and time-tested tool for cybercriminals, but the rise of cryptocurrency has given them a broad new target with key strategic advantages, leading to a sharp uptick in crypto mining botnets, researchers at Cisco Talos say.

Attackers “are beginning to recognize that they can realize all the financial upside of previous attacks, like ransomware, without needing to actually engage the victim and without the extraneous law enforcement attention that comes with ransomware attacks,” Talos researchers write in a new report.

One prominent example of a cryptocurrency mining botnet is Smominru, which has made as much as $3.6 million since May mining Monero, researchers at Proofpoint say.

Monero has emerged as a favorite among mining botnet creators, and an average-sized system comprised of about 2,000 victims could mine about $200,000 worth of Monero per year, according to Talos’s report.

Mining cryptocurrency of any type is a compute-intensive process, making the prospect of stealing CPU cycles from other machines, rather than make the large upfront investment in infrastructure and ongoing one in electricity costs a tempting one for criminals.

These botnets typically use pool-based mining, which pulls together the computing resources of all the infected systems. “This is similar to launching DDoS attacks “where 100,000 machines flooding a target with bogus traffic becomes much more effective compared to a single system under the attacker’s control,” Talos says.

But in sharp contrast to DDoS attacks, the goal of a successful crypto botnet is to remain undetected, allowing it to run for months or even years, generating cash for its owners all the while.

To that end, attackers are learning and adapting as time goes on, specifying parameters aimed at hiding the botnet malwares on infected systems. For example, limits can be put on CPU usage and system temperature. “If the mining software is executed without these options, victims might notice significant performance degradation on their systems,” Talos’s researchers write.

Mining software is typically being distributed via spam emails that contain attachments such as malicious Word documents. Talos found an example from late 2017 that used a job application spoof.

Attackers are also using exploits to take advantage of vulnerabilities. One high-profile example came in December when hackers exploited vulnerabilities in Oracle WebLogic and PeopleSoft systems to install Monero miners, generating more than $200,000 before being discovered.

Another reason mining botnets are coming into favor is that they’re the “polar opposite” of ransomware from a management perspective, since once systems are infected there is no command-and-control activity involved, Talos adds.

None of this is to say that ransomware is going away, as it will remain effective for more targeted attacks, “but as a payload to compromise random victims, its reach definitely has limits,” they wrote. “Crypto miners may well be the new payload of choice for adversaries. It has been and will always be about money and crypto mining is an effective way to generate revenue.”

Source: ThreatPost

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!