Cryptocoin Mining Attack Vectors Reshaping the Threatscape


The rise in value of cryptocurrencies is driving malicious actors to implement payloads that use the CPU/GPU of compromised hosts to mine cryptocurrency. The process of mining is defined as “the use of computational power to process transactions for a cryptocurrency blockchain in order to receive a reward of cryptocurrency for the effort. The computational power will come in the form of CPU processing or GPU processing. Miners are rewarded for successful ‘shares,’ or completed computations, by receiving a payment with fees that are collected along the way by the p2p network.”*

By implementing cryptocurrency mining payloads, malicious actors can now increase the value of their victims by using their computing power. It is common in the cybercrime underground to seek profit from compromised hosts. These compromised hosts, often called “zombies” or “bots,” are usually part of botnets: networks of private computers infected with malicious software and controlled as a group without the owners’ knowledge. These botnets are built with the purpose of executing malicious activity (DDoS, spam, identity theft, carding, information theft, etc.). These activities feed the underground crime ecosystem, as malicious actors profit from the resources obtained through these botnets.

With the addition of cryptocurrency mining payloads, compromised hosts now offer an additional benefit, and the growing number of crypto mining attacks and payloads is extending and shifting the current threatscape. The main attack vectors include:

  • Cryptojacking: Code hosted in web applications that hijacks CPU processing power to mine cryptocurrency. The Coinhive JavaScript miner is an example of this, used in thousands of websites across the internet. This is one of the most popular attack vectors, as websites can receive thousands of views from oblivious users and use their computers’ CPUs for mining. These attacks can use cleverly disguised web page elements to hide mining code, with reports of mining code hidden in the page’s favicon. A favicon is the icon associated with a web address that is displayed in the browser.


Fig 1.1 Favicon-embedded mining code *

  • Malware Crypto Mining: There are several reports of malware variants now incorporating cryptocurrency mining payloads, such as JS Coinminer. Malware campaigns are always active and seek to compromise as many victims as possible, now with the added benefit of using the victims’ CPU processing power.
  • Malicious Mobile Applications: There have been reported cases of malicious actors attempting to mine cryptocurrency via mobile devices. They do this by publishing malicious applications in application stores that, once installed, proceed to use the device’s processing power. However small a single device’s contribution may be, it is important to consider that mining “pools” always take advantage of as many devices as possible, using distributed processing/mining to expedite coin production.


Fig 1.2 Malwarebytes mobile cryptomining site


  • Adware Crypto Mining: Adware crypto mining involves embedding crypto mining code in ads, pop-ups, and other types of web advertising. In some cases the advertisements themselves are legitimate but carry embedded code that uses the host’s or viewer’s computing power.
  • Crypto Mining Post-Exploitation Payloads: Once malicious actors compromise hosts with any available exploit, they proceed to use post-exploitation payloads that mine cryptocurrency. This is especially the case for malicious actors targeting major CMS applications such as WordPress, in order to obtain massive amounts of processing power from the very large number of servers deployed across the web. It is important to note that one of the most mined cryptocurrencies is Monero. This cryptocurrency can be mined using CPUs (more abundant and common than GPUs) and has a higher level of anonymity than many other cryptocurrencies.
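As an added example (not part of the original article), the following scanner walks a page’s HTML from the defender’s side and flags the three cryptojacking signals described above: an external script served from a known miner host, an inline script instantiating the miner, and a favicon that points at script rather than image content. The Coinhive script URL and the `CoinHive.Anonymous` constructor are used as indicators from memory, and the sample pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators assumed for this example: the Coinhive miner was served from
# coinhive.com and started via `new CoinHive.Anonymous(siteKey)`.
MINER_HOSTS = {"coinhive.com"}
MINER_INLINE_MARKERS = ("CoinHive.Anonymous", "CoinHive.User")


class CryptojackScanner(HTMLParser):
    """Collect script sources, inline script bodies and favicon links from a page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            host = urlparse(a.get("src", "")).hostname or ""
            if host in MINER_HOSTS or any(host.endswith("." + h) for h in MINER_HOSTS):
                self.findings.append("external miner script: " + a["src"])
        elif tag == "link" and "icon" in a.get("rel", "").lower():
            href = a.get("href", "")
            path = urlparse(href).path.lower()
            # A favicon should be an image; script MIME types or .js paths are suspicious.
            if ("javascript" in a.get("type", "").lower()
                    or href.lower().startswith("data:text/javascript")
                    or path.endswith(".js")):
                self.findings.append("favicon carries script content: " + href[:60])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser delivers <script> bodies as data while in CDATA mode.
        if self._in_script and any(m in data for m in MINER_INLINE_MARKERS):
            self.findings.append("inline miner instantiation")


def scan_html(html: str) -> list:
    """Return a list of cryptojacking findings for one HTML document."""
    scanner = CryptojackScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample pages (not real sites).
MINING_PAGE = """<html><head><link rel="icon" href="/favicon.ico">
<link rel="shortcut icon" type="text/javascript" href="/static/favicon.js">
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); m.start();</script>
</head><body><p>news</p></body></html>"""
CLEAN_PAGE = """<html><head><link rel="icon" href="/favicon.ico">
<script src="https://cdn.example.com/app.js"></script><script>console.log(1)</script>
</head><body><p>news</p></body></html>"""
```

Run `scan_html` over fetched page bodies in a crawler or proxy log pipeline; a non-empty result is a lead for investigation, not proof of compromise on its own.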

These new benefits are affecting the threatscape. For example, DDoS campaigns seem to be shifting as malicious actors weigh using compromised hosts for attacks against using them for mining. Every time an attack campaign is uncovered – be it malware, ransomware, or DDoS – what follows is a process where the attack sources – usually infected hosts – get cleaned, taken down or blacklisted.

Before cryptocurrency mining, in order to produce revenue from compromised hosts, malicious actors had to either extract valuable information (identity, banking, credentials) or use these hosts for not-so-subtle activities such as spam or DDoS. These two activities are very noisy and usually lead to blacklisting and takedowns. Now, with cryptocurrency mining payloads, these hosts can produce more revenue and stay undiscovered for a longer period of time.

This situation presents a factor that may be shifting attack campaigns: DDoS campaigns become more focused on specific targets and less widespread as malicious actors concentrate on mining and on keeping their hold on compromised hosts. This is a constant dynamic of the underground economy, where malicious campaigns are driven by return on investment.
