The Kaspersky Lab Anti-Malware Research team has identified two botnets made of computers infected with malware, which silently installs cryptocurrency miners – legitimate software used to create (“mine”) virtual currencies based on blockchain technology. In one instance researchers were able to estimate that a 4,000-machine network could bring its owners up to $30,000 a month, and in another instance researchers witnessed criminals jackpotting more than $200,000 from a 5,000-PC botnet.
The architecture of Bitcoin and other cryptocurrencies suggests that in addition to buying cryptocurrency, a user can create a new currency unit (or coin) by utilizing the computing power of machines that have specialized “mining” software installed on them. At the same time, according to the concept of cryptocurrencies, the more coins that are produced, the more time and computing power is required to create a new coin. Several years ago, the malware silently installing Bitcoin miners (that uses victim computers to mine currency for cybercriminals), was a common thing on the threat landscape, but the more Bitcoins that were mined, the harder it became to mine new ones - and at some point the process even became useless: the potential financial gain that a criminal could get from a bitcoin mining endeavor would not cover the investment they would need to put into the creation and distribution of malware, and the support of backend infrastructure required.
However, the price of Bitcoin – the first and the most famous cryptocurrency – which has been skyrocketing in recent several years from hundreds to thousands of dollars per coin, ignited a real “cryptocurrency fever” around the world. Hundreds of enthusiast groups and startups have started releasing their own Bitcoin alternatives, many of which also gained a significant market value in a relatively short period of time.
These changes in the cryptocurrency markets have inevitably attracted the attention of cybercriminals, which are now turning back to fraud schemes, during which they silently install cryptocurrency mining software on thousands of PCs.
Based on results of recent research by Kaspersky Lab experts, the criminals behind the newly discovered botnets distribute the mining software with the help of adware programs, which victims are installing voluntarily. After the adware program is installed on the victims’ computer it downloads a malicious component: the miner installer. This component installs the mining software and, in addition, performs some activities to make sure the miner works for as long as possible. These activities include:
- An attempt to disable security software;
- Tracking all application launches, and suspending their own activities if a program that monitors system activities or running processes is started;
- Ensure a copy of the mining software is always present on the hard drive, and restore it if it is deleted.
As soon as the first coins are mined, they are transferred to wallets belonging to criminals, leaving victims with an oddly underperforming computer and slightly higher electricity bills than normal. Based on Kaspersky Lab observations, criminals tend to mine two cryptocurrencies: Zcash and Monero. These particular currencies are probably chosen because they provide a reliable way to anonymize transactions and wallet owners.
The first signs of malicious miners returning were spotted by Kaspersky Lab as early as December 2016, when a company researcher reported at least 1,000 computers infected with malware, which was mining Zcash – a cryptocurrency which was launched at the end of October 2016. At that time – thanks to the price of Zcash which has been growing rapidly – that botnet could bring its owners as much as $6,000 per week. The emergence of new mining botnets was then predicted, and the results of recent research confirm that the prediction was correct.
“The major problem with malicious miners is that it is really hard to reliably detect such activity, because the malware is using completely legitimate mining software, which in a normal situation could also be installed by a legitimate user. Another alarming thing which we have identified while observing these two new botnets, is that the malicious miners are themselves becoming valuable on the underground market. We’ve seen criminals offering so-called miner builders: software which allows anyone who is willing to pay for full version, to create their own mining botnet. This means that the botnets we’ve recently identified are certainly not the last ones”, said Evgeny Lopatin, malware analyst at Kaspersky Lab.
In general, the number of users that have encountered cryptocurrency miners has increased dramatically in recent years. For example, in 2013 Kaspersky Lab products protected around 205,000 of users globally when they were targeted by this type of threat. In 2014 the number increased to 701,000, and the number of attacked users in the first eight months of 2017 reached 1.65 million.
Number of users Kaspersky Lab protected from malicious cryptocurrency miners from 2011 to 2017
In order to prevent their computer from turning into an electricity harvesting zombie, which works hard to make money for criminals, Kaspersky Lab researchers advise users follow the measures below:
- Do not install suspicious software from untrusted sources on your PC.
- The adware detection feature may be disabled by default in your security solution. Make sure you enable it
- Use a proven Internet Security solution in order to protect your digital environment from all possible threats including malicious miners.
- If you are running a server, make sure it is protected with a security solution, as servers are lucrative targets for criminals thanks to their high computing performance (in comparison to the average PC)
Kaspersky Lab products successfully detect and block the malware spreading malicious mining software with the following detection names:
Learn more about newly discovered malicious mining botnets on Securelist.com