The rise in the value of cryptocurrencies is driving malicious actors to deploy payloads that use the CPU or GPU of compromised hosts to mine cryptocurrency. Mining is defined as “the use of computational power to process transactions for a cryptocurrency blockchain in order to receive a reward of cryptocurrency for the effort. The computational power will come in the form of CPU processing or GPU processing. Miners are rewarded for successful ‘shares,’ or completed computations, by receiving a payment with fees that are collected along the way by the p2p network.”*
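To make the quoted definition concrete, the following toy model (added here as an illustration; it is not code from the original article, and the header bytes and difficulty scheme are constructed assumptions, not a real pool or coin protocol) shows why raw compute translates into “shares”: a miner brute-forces nonces until a double-SHA-256 hash falls below a target, and the expected number of attempts grows linearly with the difficulty. The same loop, run on thousands of compromised hosts, is what a mining payload monetises.

```python
import hashlib

# Constructed toy block header, for illustration only. Real headers are fixed-size
# binary structures (version, previous block hash, merkle root, time, bits, nonce).
HEADER = b"toy-block-header:prev=00..00:merkle=ab..cd:time=1518000000"

# Easiest possible target: every 256-bit hash is below it.
MAX_TARGET = 2**256 - 1


def target_for_difficulty(difficulty: int) -> int:
    """Toy difficulty model: a share at difficulty d must hash below MAX_TARGET // d.

    On average this takes about d hash attempts, which is the point of the example.
    """
    if difficulty < 1:
        raise ValueError("difficulty must be >= 1")
    return MAX_TARGET // difficulty


def block_hash(header: bytes, nonce: int) -> int:
    """Bitcoin-style double SHA-256 over header || nonce, returned as an integer."""
    data = header + nonce.to_bytes(8, "little")
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big")


def is_valid_share(header: bytes, nonce: int, difficulty: int) -> bool:
    """Pool-side check: does this (header, nonce) pair meet the share target?"""
    return block_hash(header, nonce) < target_for_difficulty(difficulty)


def mine_share(header: bytes, difficulty: int, max_attempts: int = 10_000_000):
    """Miner-side loop: try nonces 0, 1, 2, ... until one qualifies.

    Returns (nonce, attempts) on success, or None if max_attempts is exhausted.
    """
    target = target_for_difficulty(difficulty)
    for nonce in range(max_attempts):
        if block_hash(header, nonce) < target:
            return nonce, nonce + 1
    return None


if __name__ == "__main__":
    for difficulty in (256, 4096, 65536):
        nonce, attempts = mine_share(HEADER, difficulty)
        assert is_valid_share(HEADER, nonce, difficulty)
        print(f"difficulty={difficulty:6d} nonce={nonce:8d} attempts={attempts:8d}")
```

Raising the difficulty by 16x roughly multiplies the attempts by 16x; a pool hands each miner a low-difficulty share target so that even a single hijacked CPU submits shares regularly and its contribution can be paid out.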
By adding cryptocurrency mining payloads, malicious actors can increase the value they extract from each victim by using its computing power. It is common in the cybercrime underground to seek profit from compromised hosts. These compromised hosts, often called “zombies” or “bots,” are usually part of botnets: networks of private computers infected with malicious software and controlled as a group without the owners’ knowledge. Botnets are built to carry out malicious activity (DDoS, spam, identity theft, carding, information theft, etc.), and these activities feed the underground crime ecosystem as malicious actors profit from the resources the botnets provide.
With cryptocurrency mining payloads, compromised hosts yield an additional benefit. The number of cryptomining attacks and payloads is growing and reshaping the current threatscape, with some of the main attack vectors including:
Fig 1.1 Favicon embedded mining code * https://twitter.com/xbs/status/963796410100604929
Fig 1.2 Mobile cryptomining site (Malwarebytes)
These new benefits are changing the threatscape. For example, DDoS campaigns appear to be shifting as malicious actors weigh using compromised hosts for attacks against using them for mining. Every time an attack campaign is uncovered – be it malware, ransomware, or DDoS – what follows is a process in which the attack sources – usually infected hosts – get cleaned, taken down or blacklisted.
Before cryptocurrency mining, producing revenue from compromised hosts meant either extracting valuable information (identity, banking, credentials) or using the hosts for not so subtle activities such as spam or DDoS. Those two activities are very noisy and usually lead to blacklisting and takedowns. With cryptocurrency mining payloads, the same hosts can produce more revenue and stay undiscovered for a longer period of time.
This may be one factor shifting attack campaigns: DDoS campaigns become more focused on specific targets and less widespread as malicious actors concentrate on mining and on keeping hold of their compromised hosts. It is a constant dynamic of the underground economy, where malicious campaigns are driven by return on investment.