
What is Cryptojacking? A Complete Guide to Crypto Mining Malware

Crypto scams and hacks take many forms. Some attackers go straight for your wallet; others creep into your system and quietly use it to mine.

The former attack may be very evident; the latter can be tricky to detect.

Hijacking a user’s device to mine cryptocurrency is called cryptojacking. It first peaked in 2018, on the back of the late-2017 surge in cryptocurrency prices.

On March 6, 2018, Microsoft blocked over 400,000 cryptojacking instances in less than 12 hours. That was probably just the tip of the iceberg. On average, over 15 million cryptojacking incidents were reported every month in 2022 — that’s an increase of 86% from the previous year. There was a point when cryptojacking became the sixth most popular malware globally.

According to the first Threat Horizons report from Google’s Cybersecurity Action Team (November 2021), 86% of the compromised Google Cloud instances it examined were used for mining cryptocurrency.

Today, large-scale cryptojacking is routine: criminal groups compromise networks and cloud accounts every day and keep miners running on them as quietly as possible.

What is cryptojacking?

Cryptojacking is a cybercrime in which your machine (computer, smartphone, or server) is secretly used to mine cryptocurrency. In practice the coin is almost always Monero, whose proof-of-work is designed to run well on ordinary CPUs; Bitcoin, Litecoin and Dogecoin are mined with specialised hardware that a hijacked laptop cannot compete with, and Ethereum stopped proof-of-work mining altogether in September 2022. The infection usually starts when you visit a compromised website, click a phishing link, or install software that carries the miner. The malware gives the attacker code execution on your system, and the miner then burns your CPU, electricity and battery for the attacker’s benefit.

Earning money is the primary motive behind cryptojacking. Proof-of-work mining works the same way for every coin: the miner repeatedly hashes a candidate block with a changing nonce until the result falls below the network’s difficulty target. What differs is the hash function, and with it the hardware that can compete. SHA-256 (Bitcoin) and Scrypt (Litecoin, Dogecoin) are dominated by ASICs, while Monero’s RandomX was chosen precisely to keep commodity CPUs competitive, which is why stolen CPU time is worth something to a cryptojacker.

With a market cap of $554.35 billion, Bitcoin is one of the most popular cryptocurrencies on the internet, but it is not the one cryptojackers mine: the real-world cases described later in this guide, from Coinhive to Black-T, all mined Monero, because a botnet of ordinary CPUs can earn Monero but cannot earn Bitcoin against ASIC farms. To learn more about Bitcoin mining and how it works, check out our full guide on Bitcoin mining.

Types of Cryptojacking

Cryptojacking is popular because the malware is cheap to deploy and the payoff is steady. The miner itself is an off-the-shelf program; the attacker only needs a way to run it on someone else’s machine and a pool account to collect the proceeds, and a well-throttled miner can run for months without the user noticing. There are many ways to get it onto a system. Here are a few of the widely used strategies:

• Malicious Code

Crypto mining malware commonly enters a user’s system through a malicious link, often sent in a phishing email. The attacker persuades the user to download an app that appears to do what the user wanted but instead runs malicious code on the device. That code gives the attacker a foothold on the system, from which a mining program is launched in the background.

• Web Browser Injection

Another prevalent method is to inject a script into an ad or a web page. When you open the page or the ad loads, the script runs automatically and mines for as long as the tab stays open. This is often called browser mining: nothing is installed on the device, which also means the mining stops when you close the tab. Injecting such a script without the visitor’s knowledge is cryptojacking; browser mining itself is legal when the site asks for and receives the visitor’s consent.

• Cloudjacking

Cloudjacking describes an attacker gaining unauthorised access to a victim’s cloud account, typically with stolen or leaked credentials. The attacker then spins up as much compute as the account’s quotas and billing allow and points it at a mining pool. The victim is left with the bill, which can reach thousands of dollars from a single breach. Protect cloud accounts with multi-factor authentication, keep access keys out of source code, and set billing alerts so that an unexpected surge in compute spend is noticed within hours rather than at the end of the month.

Whichever vector is used, the miner does the same thing: it uses the machine’s CPU (and sometimes GPU) to run the proof-of-work hash search, repeatedly hashing candidate blocks until one meets the difficulty target. A pure cryptojacker usually leaves personal data alone, because exfiltration draws attention and the operation is only profitable while it stays undetected; several of the families described later, however, bundle credential theft with the miner.

How does Cryptojacking work?

Let’s look at a few critical steps to a successful crypto-mining operation.

  1. Infiltrating an asset: The first step is gaining access to a system: a computer, phone, tablet, server, or cloud instance. This is done through a malicious link or attachment, an exposed service, or stolen credentials.
  2. Executing the script: Once the miner is planted, the attacker launches it, typically configured with a pool address and the attacker’s wallet or pool account.
  3. Cryptomining starts: The miner runs in the background, hashing with the victim’s CPU and reporting completed work (shares) to the pool.
  4. Attacker receives the rewards: The pool credits each share to the attacker’s account and pays out a proportional slice of every block the pool finds. A single hijacked machine almost never finds a block on its own, so pooling is what makes cryptojacking pay.
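As an added illustration (not code from the original article), here is a toy proof-of-work loop in Python showing what steps 2 to 4 make the victim’s CPU do, and why the attacker points the miner at a pool. It uses double SHA-256 and a constructed header; real miners use the coin’s own hash (RandomX for Monero), but the search loop is identical. Difficulty is expressed as a number of leading zero bits, which is a simplification of the real encoding.

```python
import hashlib
import struct

# Added example, not code from the original article: a toy proof-of-work
# loop showing the work a planted miner makes a victim's CPU do, and why
# the attacker sends that work to a pool instead of waiting for a block.


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the Bitcoin-style block hash. Monero uses RandomX,
    but the loop is the same: hash, compare with target, bump the nonce."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_from_bits(leading_zero_bits: int) -> int:
    """Difficulty expressed as 'the hash must start with N zero bits'
    (a simplification of the real compact target encoding)."""
    return 1 << (256 - leading_zero_bits)


def hash_value(header: bytes, nonce: int) -> int:
    """Hash of header || 32-bit little-endian nonce, as an integer."""
    return int.from_bytes(sha256d(header + struct.pack("<I", nonce)), "big")


def verify(header: bytes, nonce: int, target: int) -> bool:
    """The cheap check a pool or the network performs on submitted work."""
    return hash_value(header, nonce) < target


def mine(header: bytes, target: int, start_nonce: int = 0, max_iters: int = 1_000_000):
    """Brute-force nonces until the hash is below target.
    Returns (nonce, hash) or None when the hashing budget is exhausted."""
    for nonce in range(start_nonce, start_nonce + max_iters):
        h = hash_value(header, nonce)
        if h < target:
            return nonce, h
    return None


def simulate_pool_mining(header: bytes, share_bits: int, block_bits: int, iters: int) -> dict:
    """Pool mining: the pool hands out an easier 'share' target so that even a
    low-hashrate victim submits proof of work often; the pool pays the account
    that submitted the shares. A real block (the harder target) is rare."""
    share_target = target_from_bits(share_bits)
    block_target = target_from_bits(block_bits)
    shares = []
    block_nonce = None
    hashes = 0
    for nonce in range(iters):
        hashes += 1
        h = hash_value(header, nonce)
        if h < share_target:
            shares.append(nonce)        # would be submitted to the pool
            if h < block_target:
                block_nonce = nonce     # the pool would broadcast this block
                break
    return {"shares": shares, "block_nonce": block_nonce, "hashes": hashes}


if __name__ == "__main__":
    # Constructed sample header, not real chain data.
    header = b"constructed-header-bytes"
    result = simulate_pool_mining(header, share_bits=10, block_bits=32, iters=50_000)
    print(f"{result['hashes']} hashes, {len(result['shares'])} shares, block: {result['block_nonce']}")
```

With a 10-bit share target the victim submits a share roughly every 1,024 hashes, so the attacker’s pool account accrues credit steadily even though a 32-bit block target is effectively never met by one machine in 50,000 hashes. That steady trickle, multiplied across thousands of compromised hosts, is the business model.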

Why is cryptojacking popular?

Mining cryptocurrency can be rewarding but needs expensive hardware and a lot of electricity. Many cryptocurrencies have a capped supply, their block rewards shrink on a fixed schedule (Bitcoin’s halves roughly every four years), and difficulty rises as more hardware joins the network. Past a certain point the cost of mining outweighs the reward.

For instance, the average cost of mining one Bitcoin is about $35,404, while the price of one Bitcoin ranged between $27,000 and $30,000 as of April 2023. Mining is a losing proposition if you pay for the hardware and electricity yourself. Cryptojacking is the attacker’s way of closing that gap: someone else pays for the power and the machines, so every coin mined is profit.

How can you detect crypto mining malware?

While cryptojacking, the hacker’s main intention is to remain undetected on the victim’s device so they can mine as much crypto as they can. Thus, they disguise their attempts as standard processes, which makes detecting cryptojacking a bit tricky but not impossible. Here are a few ways you can check if your device is infected:

• Inferior performance

Slower performance is one of the first signs of a cryptojacking attack. If your device is sluggish even when no programs are open, a miner may be consuming CPU in the background. Other signals on laptops and phones are a battery that drains faster than usual and a fan that runs constantly.

You can quickly assess your device’s performance through the Run command dialog box. Simply press Windows Key + R and type “perfmon /report”. It will open a window with the message “collecting data” for the next 60 seconds. On the next screen, you will find an overview of all the major components of your system, including the CPU, Disk, Memory, and Network. The severity of issues is indicated by red, amber, and green lights.

You can also watch out for performance drops through performance monitoring software like CPU-Z and Wise System Monitor.

• Overheating

If your device repeatedly overheats within minutes of booting, it may be infected with mining malware. Overheating normally happens when many processes and apps run at once; if the system overheats while apparently idle, a miner is a likely cause. Prolonged overheating can damage the hardware or shorten its lifespan.

You can keep an eye on your system’s temperature through apps like Core Temp or Open Hardware Monitor. To see the processes running on your PC, press Ctrl + Shift + Esc on Windows to open Task Manager; on a Mac, open Activity Monitor (in Applications > Utilities, or via Spotlight), since Cmd + Option + Esc only opens the Force Quit dialog. Either tool shows which processes are consuming resources.

• Excessive CPU Usage

Mining scripts and malware are resource-intensive. If your CPU usage sits near 100% while you are browsing a page with little or no media, the site may be running a browser-based mining script; the same symptom on an idle desktop points to malware running in the background. Check CPU usage in Task Manager on Windows (Ctrl + Shift + Esc), Activity Monitor on a Mac, or top and htop on Linux, sorted by CPU. A miner typically sits at the top of the list under a vague or imitative name, and closing the suspect browser tab makes a browser miner disappear immediately, whereas malware keeps going.

Browser extensions are the easiest way to block web-based mining. NoMiner and MinerBlock are two popular extensions for this purpose. You can go further by disabling JavaScript, but most modern sites will then stop working, so a per-site allowlist is the practical compromise.
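The Task Manager check above scales badly to a fleet of servers. As an added example (not from the original article), the following Python script applies the same idea to the output of ps -eo pid,pcpu,comm,args: it flags processes with miner-like names or command lines, sustained high CPU, or a kernel-thread name attached to a userland binary. The process sample, indicator lists, and CPU threshold are constructed for illustration; the names and flags are of the kind seen in XMRig-based deployments, and the ps column layout assumed is the Linux procps one.

```python
import re
import sys

# Added example, not from the original article: flag miner-like processes
# from `ps -eo pid,pcpu,comm,args` output. Indicator lists are illustrative.

MINER_NAMES = {"xmrig", "minerd", "cpuminer", "xmr-stak", "nheqminer"}

# Command-line traits typical of mining software: a stratum pool URL,
# XMRig-style flags, a pool:port argument, a CPU-mining algorithm name.
CMDLINE_PATTERNS = [
    re.compile(r"stratum\+(tcp|ssl)://", re.I),
    re.compile(r"--donate-level", re.I),
    re.compile(r"(^|\s)-o\s+\S+:\d+", re.I),
    re.compile(r"cryptonight|randomx|rx/0", re.I),
]

CPU_THRESHOLD = 80.0   # percent; sustained use this high on an idle host is worth a look


def parse_ps_line(line: str):
    """Parse one line of `ps -eo pid,pcpu,comm,args --no-headers`.
    Returns None for blank or malformed lines. Assumes comm has no spaces."""
    parts = line.split(None, 3)
    if len(parts) < 3:
        return None
    try:
        pid, cpu = int(parts[0]), float(parts[1])
    except ValueError:
        return None
    args = parts[3] if len(parts) == 4 else ""
    return {"pid": pid, "cpu": cpu, "comm": parts[2], "args": args}


def assess(proc: dict) -> list:
    """Return the list of reasons a process looks like a miner (empty if none)."""
    reasons = []
    if proc["comm"].lower() in MINER_NAMES:
        reasons.append(f"known miner name {proc['comm']}")
    for pat in CMDLINE_PATTERNS:
        if pat.search(proc["args"]):
            reasons.append(f"miner-like command line ({pat.pattern})")
            break
    if proc["cpu"] >= CPU_THRESHOLD:
        reasons.append(f"{proc['cpu']:.0f}% CPU")
    # Real kernel threads show their args in brackets, e.g. "[kworker/u8:1]".
    # A kworker name with a filesystem path is a masquerading userland binary.
    if proc["comm"].startswith("kworker") and proc["args"] and not proc["args"].startswith("["):
        reasons.append("kernel-thread name with a userland command line")
    return reasons


def suspicious_processes(ps_lines) -> list:
    """Yield (pid, comm, reasons) for every process with at least one indicator."""
    findings = []
    for line in ps_lines:
        proc = parse_ps_line(line)
        if proc is None:
            continue
        reasons = assess(proc)
        if reasons:
            findings.append((proc["pid"], proc["comm"], reasons))
    return findings


# Constructed sample output; the pool host, wallet and path are placeholders.
SAMPLE = """\
 1234  2.0 chrome       /opt/google/chrome/chrome --type=renderer
 2345 97.5 kworker/u8:1 /tmp/.x/kworker -o stratum+tcp://pool.example:3333 -u 4ABC --donate-level=1
 3456 91.0 python3      /usr/bin/python3 /opt/batch/rebuild_index.py
 4567  0.0 sshd         sshd: /usr/sbin/sshd -D
"""


if __name__ == "__main__":
    # Usage: ps -eo pid,pcpu,comm,args --no-headers | python3 find_miners.py
    # With no piped input the constructed sample is scanned instead.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE.splitlines()
    for pid, comm, reasons in suspicious_processes(lines):
        print(f"PID {pid} ({comm}): " + "; ".join(reasons))
```

On the sample, the renamed XMRig is flagged on three counts (stratum URL, CPU, kworker masquerade) while the legitimate batch job is flagged on CPU alone. That second hit is the point: high CPU by itself is a prompt to investigate, and only the command-line and naming indicators turn it into a likely miner.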

Cryptojacking malware that infected millions of users

Cryptojacking is for real. Over 66.7 million instances were reported in just the first half of 2022 — that’s about a 30% increase from 2021. That’s not all. Over 4000 websites, including some owned by the UK government, were affected by cryptojacking malware in 2018. Here are a few popular real-world examples of cryptojacking malware reported globally.

• Coinhive

Launched in 2017, Coinhive was a service that let website owners mine Monero in their visitors’ browsers by embedding a JavaScript snippet in their pages. This is known as “in-browser mining”, and it became the dominant form of cryptojacking in late 2017 and 2018.

Coinhive was pitched as an alternative revenue source for website owners, perhaps a replacement for ads, and legitimate sites such as UNICEF Australia and Salon used it with their visitors’ consent. It was also widely abused: attackers injected the snippet into compromised websites, browser extensions and ad networks so that visitors mined for the attacker without knowing.

In March 2019 Coinhive shut the service down itself. In the blog post announcing the closure, the company cited a Monero hard fork that made the coin harder to mine and the steep fall in Monero’s price, which together made the business unprofitable.

• WannaMine v4.0

WannaMine was first widely reported in early 2018 and typically arrives through a phishing email with a malicious attachment. When the user opens the attachment, the malware installs itself and starts mining Monero, a privacy-focused cryptocurrency.

Alongside mining, WannaMine spreads to other computers on the same network, using credentials harvested from memory and the EternalBlue SMB exploit (the same one WannaCry used, hence the name). Its successor, WannaMine v4.0, adds detection evasion and can steal sensitive information from the victim.

• FaceXWorm

FaceXWorm relies on social engineering, manipulating users into acting against their own interest. It spread through links sent from compromised accounts via Facebook Messenger. The link led to a fake YouTube page that asked the victim to install a browser extension in order to play the video.

Once installed, the extension downloads further code from its command-and-control (C&C) server and, whenever the victim opens Facebook, sends the same malicious link to their friends. It also injects a JavaScript miner into pages the victim visits, steals login credentials for sites such as Google, MyMonero and Coinhive, and runs a classic advance-fee scam: it asks victims to send a small amount of Bitcoin or Ethereum to “verify” an account, promising a much larger sum in return.

• BadShell

Comodo, a cybersecurity firm, first reported BadShell in 2018. It is fileless: rather than dropping an executable, it runs the miner from memory using built-in Windows components (PowerShell, scheduled tasks and the registry). That makes it hard to find, because a scan of the hard drive turns up nothing; you have to look at running processes, scheduled tasks and registry run keys instead.

BadShell can seriously degrade an organisation’s network by diverting computing power from the workloads the business actually needs.

• Black-T

Black-T was developed by TeamTNT, a threat group known for harvesting AWS credential files from compromised cloud systems and using the stolen access to mine cryptocurrency. Black-T goes further than earlier TeamTNT tooling: it hunts for and kills competing cryptojacking worms, such as the Crux worm and the ntpd miner, so that the victim’s CPU is reserved for its own miner.

According to Unit 42, the Palo Alto Networks team that first documented Black-T, the malware does more than mine. It scrapes plaintext passwords from memory with open-source memory-scraping tools and scans the network for competing XMR (Monero) mining tools to shut down.

Real-world cryptojacking examples

Cryptojackers can be extremely resourceful when it comes to getting miners onto other people’s hardware. Here are a few real-world cryptojacking examples:

• Rogue employee commandeering company systems

A rogue employee installed mining rigs under the raised floor of a large European bank’s data centre. Staff became suspicious when the servers showed unusual traffic patterns and overnight batch jobs ran slowly, yet the diagnostic tools found nothing wrong on the servers themselves, because the mining hardware was not on any monitored system at all.

• Exploiting rTorrent vulnerability

After finding an rTorrent misconfiguration, cryptojackers deployed a Monero miner on clients whose XML-RPC interface was exposed to the internet without authentication. That interface accepts commands, so anyone who could reach it could make the client download and run the miner. The result was widespread mining without the users’ consent.

• Romanian attackers target Linux machines with cryptomining malware

A Romanian threat group attacked Linux machines by brute-forcing weak SSH credentials and then deploying Monero mining malware. They used tooling sold on an as-a-service model. Linux servers with weak or reused SSH passwords remain a favourite cryptojacking target, which is why disabling password authentication for SSH in favour of keys matters.

Tips to protect yourself from cryptojacking

According to a survey, a cyberattack occurs roughly once every 39 seconds. Even today, cryptojacking is as popular as it was back in 2018. Here are a few tips for safeguarding your technical infrastructure against cryptojacking attempts.

• Patch & strengthen servers (and everything else)

Cryptojackers look for the weakest exposed host on a network: they scan for internet-facing servers running old OS versions or unpatched services (the rTorrent and SSH cases above are typical). Patch servers regularly, keep them on supported OS versions, turn off unused services, and restrict administrative access. Regular checks and maintenance go a long way towards keeping miners out.

• Train your IT Team & employees

Your IT team will be the first responders in any cryptojacking incident. They play a vital role in removing the malware from your systems and keeping it from coming back, so they should be well trained and alert to the early signs of an attack. Train the rest of your employees to report overheating or sluggish machines rather than living with them.

• Use anti-mining browser extensions

Web-based cryptojacking scripts run in the browser, and the easiest way to stop them is an anti-mining extension such as No Coin or MinerBlock, which block known miner domains and script patterns. Ad blockers such as AdGuard and AdBlock also stop many mining scripts, since those scripts often arrive through the same ad networks.
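The anti-mining extensions named in the detection section and here work largely from a blocklist of miner hosts plus a few script signatures. As an added example (not the extensions’ own code, and not from the original article), this Python scanner applies the same checks to a page’s HTML offline, which is useful when auditing your own site for an injected miner after a compromise. The blocklist is a two-entry illustration using the long-defunct Coinhive hosts, the inline patterns are illustrative, and the sample page is constructed.

```python
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example, not from the original article: scan a page's HTML for an
# injected browser miner the way a blocklist extension does. Illustrative lists.

# Defunct Coinhive hosts, used here only as an illustration of a blocklist.
BLOCKLIST_HOSTS = {"coinhive.com", "authedmine.com"}

# Signatures looked for inside inline <script> bodies.
INLINE_PATTERNS = [
    (re.compile(r"\bCoinHive\.(Anonymous|User)\s*\("), "Coinhive miner API call"),
    (re.compile(r"stratum", re.I), "stratum pool reference"),
    (re.compile(r"cryptonight|randomx", re.I), "CPU-mining algorithm name"),
]


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def script_host(src: str) -> str:
    """Hostname of a script URL; '' for same-origin relative paths."""
    url = src if "//" in src else "//" + src
    return (urlparse(url).hostname or "").lower()


def scan_html(html: str, blocklist=BLOCKLIST_HOSTS) -> list:
    """Return (reason, evidence) pairs for every miner indicator found."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        host = script_host(src)
        if host in blocklist or any(host.endswith("." + b) for b in blocklist):
            findings.append(("blocklisted script host", src))
    for body in collector.inline:
        for pattern, label in INLINE_PATTERNS:
            match = pattern.search(body)
            if match:
                findings.append((label, match.group(0)))
        # Heuristic: miners ship their hash loop as WebAssembly inside Web Workers.
        if "new Worker(" in body and "WebAssembly" in body:
            findings.append(("worker + WebAssembly in inline script", "heuristic, verify manually"))
    return findings


# Constructed sample page with an injected Coinhive loader and start call.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.5});
  miner.start();
</script>
</head><body><p>hello</p></body></html>"""


if __name__ == "__main__":
    # Usage: python3 scan_page.py saved_page.html  (no argument scans the sample)
    html = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HTML
    for reason, evidence in scan_html(html):
        print(f"{reason}: {evidence}")
```

Scanning a saved copy of the page, rather than fetching it live, matters because injected miners are often served only to certain user agents or regions; save the page from the browser that showed the CPU spike. A clean result from this scanner is not proof of absence, since a blocklist only knows yesterday’s hosts; the CPU check in the detection section remains the behavioural backstop.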

• Keep computers and web browsers updated

Attackers introduce new malware every day, and OS and browser vendors release frequent updates to close the vulnerabilities it exploits. Make sure your systems and browsers are always running the latest version.

• Use reputable anti-malware software

Antivirus software can go a long way in safeguarding your system from malicious software applications. It’s always recommended to have robust antivirus software that’s regularly updated and maintained. You can schedule regular scans and look out for any potential threats that may be harmful to your systems.

• Implement strong user authentication methods

Use multiple verification methods to authenticate users before granting them access to a system or network. For instance, make sure all employees’ accounts are protected by two-factor authentication (2FA). This closes the door that cloudjacking usually walks through: a stolen or reused password.

Final words

Cryptojacking is certainly one of the sneakiest cybercrimes on the internet. Cryptomining malware can enter your system through a phishing email, an unsolicited attachment, or malicious software. Be very cautious with unknown links or attachments, and with offers that appear too good to be true.

We hope this guide helped you understand the ins and outs of cryptojacking, signs indicating your system might be infected and tips to combat it. To ensure your system remains secure, scan it regularly, keep it updated, and continuously check for any performance drops.

Speed Team