Down, But Not Out: Cryptocurrency Payloads Still Ripping Profits

Despite the downturn in cryptocurrency prices, malicious actors have not stopped developing cryptocurrency mining payloads. According to Kaspersky, cryptocurrency miners are still being bundled into, or adapted for, almost every type of malicious post-exploitation code. These cryptomining payloads target almost anything with a processing unit: cell phones, browsers (through in-page mining scripts), routers and, of course, servers.

Any device that can supply processing power is, and will be, targeted. The numbers show that the trend is not slowing down, even though most cryptocurrencies have lost a significant share of their value. Server CPUs in particular are plentiful and fertile ground for planting miners, as ISPs, cloud providers and VPS hosts deploy them in very large numbers. Many of these servers host vulnerable applications, and exploiting one of those applications is the usual bridge between the initial compromise of the host and the implantation of a crypto-miner payload.

Cryptocurrency mining is now a default monetizing post-exploitation payload, usually shipped alongside DDoS functionality, which is also highly monetized and offered as a service through the cybercrime underground. Monero (XMR) is the cryptocurrency most frequently observed in exploitation campaigns: its proof-of-work is designed to be mined efficiently on ordinary CPUs, so no GPU or ASIC is needed to profit from a compromised server, and its privacy features (ring signatures, stealth addresses and confidential amounts) make payments hard to trace. This makes it the preferred coin for exploitation/mining campaigns.


Figure: estimated profits from the researched botnet


In our next Threat Advisory, we dissect the code of a recently discovered multi-stage exploitation and post-exploitation malware, reported by the antivirus company Dr.Web, that carries multiple functions targeting Linux-based servers. We also provide some context around the economics of the campaign. Although the XMR transactions themselves are difficult to trace, the wallet address embedded in the miner is usually registered with a mining pool, and many pools publish per-wallet statistics; the hash rate averages reported there give an approximate picture of the botnet's size and earnings.
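The size-from-hash-rate reasoning above can be made concrete. The following is an added worked example, not code from the advisory or from the campaign it describes: it models a campaign's bot count and daily earnings from the hash rate a pool reports for a wallet. Every numeric input (pool hash rate, per-host hash rate, network hash rate, block reward, pool fee, exchange rate) is a labelled assumption or a constructed sample value; only the two-minute Monero block interval is a protocol constant.

```python
"""Estimate botnet size and earnings of a cryptomining campaign from the
hash rate a mining pool reports for the attacker's wallet address.

Added worked example, not code from the original advisory. Every numeric
input below is a labelled assumption or a constructed sample value; in a
real investigation they come from the pool's statistics page for the wallet
address and from a Monero network explorer at the time of the campaign.
"""
from dataclasses import dataclass, replace

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class CampaignParams:
    pool_hashrate_hs: float       # average hash rate the pool reports for the wallet (H/s)
    per_host_hashrate_hs: float   # assumed average hash rate of one compromised server (H/s)
    network_hashrate_hs: float    # total Monero network hash rate at the time (H/s)
    block_reward_xmr: float       # XMR paid per mined block at the time
    block_time_s: float = 120.0   # Monero targets a two-minute block interval
    pool_fee: float = 0.01        # fraction kept by the pool (assumed 1%)
    xmr_price_usd: float = 100.0  # assumed exchange rate; affects the USD figure only


def estimate_bot_count(p: CampaignParams) -> float:
    """Hosts needed to produce the observed hash rate.

    This assumes every bot mines at per_host_hashrate_hs around the clock;
    throttled, intermittently powered or partially idle bots mean the true
    count is higher, so treat the result as a floor.
    """
    return p.pool_hashrate_hs / p.per_host_hashrate_hs


def estimate_daily_xmr(p: CampaignParams) -> float:
    """Expected XMR per day after the pool fee.

    A miner's expected share of block rewards equals its share of the total
    network hash rate, so earnings scale linearly with pool_hashrate_hs and
    inversely with network_hashrate_hs.
    """
    blocks_per_day = SECONDS_PER_DAY / p.block_time_s
    network_share = p.pool_hashrate_hs / p.network_hashrate_hs
    return network_share * blocks_per_day * p.block_reward_xmr * (1.0 - p.pool_fee)


def estimate_daily_usd(p: CampaignParams) -> float:
    """Daily earnings converted at the assumed exchange rate."""
    return estimate_daily_xmr(p) * p.xmr_price_usd


def sensitivity(p: CampaignParams, host_rates_hs) -> dict:
    """Bot-count estimate for several assumed per-host rates.

    The per-host figure is the weakest assumption in the model (it depends
    on the victims' hardware and on how hard the miner is throttled), so a
    range is more honest than a single number.
    """
    return {
        rate: estimate_bot_count(replace(p, per_host_hashrate_hs=rate))
        for rate in host_rates_hs
    }


# Constructed sample figures, not measurements from any real campaign.
SAMPLE = CampaignParams(
    pool_hashrate_hs=500_000.0,
    per_host_hashrate_hs=500.0,
    network_hashrate_hs=1_000_000_000.0,
    block_reward_xmr=3.0,
)

if __name__ == "__main__":
    print(f"estimated bots:     {estimate_bot_count(SAMPLE):.0f}")
    print(f"estimated XMR/day:  {estimate_daily_xmr(SAMPLE):.4f}")
    print(f"estimated USD/day:  {estimate_daily_usd(SAMPLE):.2f}")
    for rate, bots in sensitivity(SAMPLE, (250.0, 500.0, 2_000.0)).items():
        print(f"  if one host does {rate:>6.0f} H/s -> about {bots:.0f} bots")
```

Two caveats apply when using this against a real campaign: the estimate covers only the wallet addresses you have recovered, and operators frequently spread mining across several wallets and pools, so the figures are a lower bound on the campaign as a whole; and the network hash rate and block reward move over time, so the earnings figure should be recomputed for the dates the hash rate was sampled rather than once for the whole campaign.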

This contextual data, along with the code review, indicates that these types of payloads continue to be deployed and will be for the foreseeable future.
