Cryptojacking: An overview of the crypto-mining malware

The success of the early blockchain-based coins rests primarily on mining. To link blocks together and preserve the integrity of the recorded transactions, a network of connected miners must solve a computationally hard puzzle. In return, the miners receive a share of the newly mined coins as a reward.


However, the high value of cryptocurrencies, among other attractions, has drawn many bad actors, who mine these currencies on computing resources that belong to someone else. As a result, the threat of illicit crypto-mining has grown significantly over the past few years, and it now ranks above ransomware among the biggest cybersecurity threats. For instance, the average monthly number of cryptojacking incidents rose by 86%, from 8.09 million in 2021 to 15.02 million in 2022 (livemint.com).


Against this background, this article aims to raise awareness of the cryptojacking crime and to explain how to detect this mining malware and protect against it.


What is cryptojacking?

Cryptojacking is an amalgamation of two words, cryptocurrency and hijacking, and refers to the illegal use of online users' processing power and bandwidth to mine cryptocurrencies. It gained popularity after 2017, when hackers began to abuse legitimate mining programs, mainly Coinhive scripts. Coinhive itself was a legitimate mining service that offered servers and software for in-browser mining. Nevertheless, before Coinhive shut down in March 2019, approximately 10 million web users each month had fallen victim.


A victim of cryptojacking could experience poor computer performance in addition to high electricity costs. According to a scholarly study, a cryptojacking website can degrade a victim's computer performance by up to 57%, raise its temperature by up to 52.8%, and increase its CPU usage by up to 1.7 times.

In-browser and host-based cryptojacking are the two ways hackers inject malicious mining scripts into websites, applications and other software.


In-browser cryptojacking

Interactive web content has become possible through web technologies such as WebAssembly (Wasm) and JavaScript (JS), which can access the computational capabilities (such as processing power) of a visitor's mobile device or computer. In-browser cryptojacking malware abuses these same technologies to gain illegal access to the victim's machine and mine cryptocurrencies with the victim's CPU.


An in-browser cryptojacking operation proceeds through the following steps:

  • Step 1: The script owner registers with the mining service. Since the script might also be used for legitimate purposes, the script owner is not automatically identified as an attacker.

  • Step 2: The service provider issues credentials and ready-to-use mining scripts to the script owner.

  • Step 3: After receiving the service credentials, the script owner inserts the cryptojacking script into the website's HTML source code. When a visitor's web browser loads the website, it instantly launches the mining script.

  • Step 4: Once the script is running, the web browser asks the service provider for mining work.

  • Step 5: The service provider forwards the task request to the mining pool.

  • Step 6: The mining pool assigns a mining task.

  • Step 7: The service provider passes the task back to the mining script.

  • Step 8: The victim's computer receives the new mining assignment from the mining script.

  • Step 9: The victim's device starts the mining operation, and the mining script keeps mining on the victim's computer.

  • Step 10: The mining script sends the mining results directly to the service provider for as long as both the script and the service provider are connected to the internet.

  • Step 11: The service provider gathers the results from its various sources and delivers them to the mining pool.

  • Step 12: Finally, the mining pool pays out the mined coins to the service provider.

After the service provider deducts its service fee, the script owner collects its share from the service provider using its service credentials. In this scheme, attackers use the victims' CPU power while giving the victims no compensation or other benefit.


Host-based cryptojacking

Host-based cryptojacking is a stealthy malware technique by which attackers gain access to the resources of a victim host and turn it into a zombie computer for the malware owner. In contrast to in-browser cryptojacking malware, host-based malware is installed on the host system to reach the victim's computing resources, using strategies such as social engineering, bundling with third-party software, or exploiting security holes.


A host-based cryptojacking attack proceeds through the following steps:

  • Step 1: The attacker tricks the victim by bundling unauthorized cryptocurrency-mining malware with legitimate applications.

  • Step 2: The trojanized applications are then spread through data-sharing platforms such as torrent sites, and a victim's device becomes infected when the victim installs them.

  • Step 3: The mining malware communicates with a mining pool over WebSockets or application programming interfaces (APIs), and the attacker receives the revenue without the victim's knowledge.


How to detect cryptojacking?

Cryptojacking has low costs and risks, but an attacker needs many infected devices over a long period to generate substantial profits. Moreover, with the widespread drop in cryptocurrency values, there are now more profitable ways to exploit hacked systems, so the opportunity cost has become the main cost. Regardless, crypto-mining malware should be detected so that it can be stopped, and several symptoms can help you catch it. Device overheating, unexpectedly high processor consumption (showing up as sluggish or slow response times) and poor battery life are all signs of cryptojacking. In a professional setting, this can appear as an abrupt rise in employee complaints about poor performance or a noticeable increase in overheating CPUs.


As mentioned, attackers use various obfuscation techniques to slip crypto-mining malware onto legitimate devices; the main ones are discussed below.


CPU limiting

Since the primary requirement of crypto-mining is CPU time, the attackers' method of choice for hiding the mining script is CPU capping: limiting the miner's consumption lets script owners bypass detection systems that alert on high CPU usage and avoid being placed on a blacklist.

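Added example, not code from the article: a threshold-only CPU rule run over constructed per-process CPU samples shows how a capped miner slips under it, while a sustained-load rule (a long run of steady, moderate load) still catches it. The sample series, thresholds and process names are constructed for illustration.

```python
"""Added example (not the article's code): why a high-CPU threshold alone misses
a miner capped at moderate CPU, and a sustained-load rule that still catches it.
All CPU samples and thresholds below are constructed for illustration."""
from statistics import mean, pstdev

# Constructed per-process CPU readings, one per minute, percent of one core.
BURSTY_BUILD = [95, 98, 92, 12, 4, 3, 88, 97, 5, 2, 1, 0]       # legitimate compile job
CAPPED_MINER = [48, 51, 49, 50, 52, 48, 50, 49, 51, 50, 49, 50]  # miner capped near 50%
IDLE_EDITOR = [2, 1, 3, 2, 1, 0, 2, 1, 1, 2, 3, 1]               # ordinary desktop app


def naive_flag(samples, threshold=90):
    """Threshold-only rule: fires if any sample exceeds the threshold.
    A capped miner never does, while a legitimate burst of work does."""
    return any(s > threshold for s in samples)


def sustained_flag(samples, min_level=30, max_stddev=5, min_minutes=10):
    """Sustained-load rule: flag any window of min_minutes consecutive samples
    whose mean is at least min_level and whose spread stays under max_stddev.
    Capping keeps the miner's load low but also keeps it unusually steady."""
    for start in range(len(samples) - min_minutes + 1):
        window = samples[start:start + min_minutes]
        if mean(window) >= min_level and pstdev(window) <= max_stddev:
            return True
    return False


def classify(samples):
    """Result of both rules for one process's sample series."""
    return {"naive": naive_flag(samples), "sustained": sustained_flag(samples)}


if __name__ == "__main__":
    for name, series in [("bursty build", BURSTY_BUILD),
                         ("capped miner", CAPPED_MINER),
                         ("idle editor", IDLE_EDITOR)]:
        print(f"{name:13s} {classify(series)}")
```

The threshold rule produces a false positive on the build job and misses the capped miner; the sustained rule flags only the miner, because a steady 50% for ten minutes is the signature that capping cannot hide.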

Code encoding

The malware source code can be hidden from keyword-based static-analysis detection techniques such as blacklists by encoding it with one of a variety of encoding schemes. Such a scheme converts the text into another representation, for example Base64, so that after conversion the data is readable only by a machine that decodes it, not by a keyword scanner.

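Added example, not code from the article: a keyword blocklist run over a constructed script misses indicators hidden in Base64, while decoding Base64-looking runs before matching recovers them. The keyword list, the `pool.example` host and the script text are constructed for illustration and are not real indicators.

```python
"""Added example (not the article's code): keyword blocklist matching on a
script's raw text versus matching after decoding Base64 runs.
Keyword list, host name and script text are constructed for illustration."""
import base64
import re

# Illustrative indicator keywords; a real blocklist would be far longer.
KEYWORDS = ["coinhive", "cryptonight", "stratum+tcp://"]

# A run of Base64-alphabet characters (16 or more) with optional '=' padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_plain(text):
    """Case-insensitive keyword match on the text exactly as given."""
    low = text.lower()
    return sorted(k for k in KEYWORDS if k in low)


def decoded_runs(text):
    """Yield the decoded form of every Base64-looking run that decodes to UTF-8."""
    for m in B64_RUN.finditer(text):
        try:
            yield base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or binary data: ignore this run


def find_with_decoding(text):
    """Keyword match on the raw text plus every decodable Base64 run in it."""
    hits = set(find_plain(text))
    for plain in decoded_runs(text):
        hits.update(find_plain(plain))
    return sorted(hits)


# Constructed sample: the algorithm name and pool URL are Base64-encoded in the
# script and only decoded at run time by atob(), so the raw text carries none of
# the keywords. 'pool.example' is a reserved example host, not a real pool.
_ENCODED = base64.b64encode(b"cryptonight;stratum+tcp://pool.example:3333").decode()
SAMPLE_SCRIPT = f'var m = new Miner(atob("{_ENCODED}")); m.start();'

if __name__ == "__main__":
    print("raw match:    ", find_plain(SAMPLE_SCRIPT))          # []
    print("decoded match:", find_with_decoding(SAMPLE_SCRIPT))  # ['cryptonight', 'stratum+tcp://']
```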

Binary obfuscation

Both host-based and in-browser cryptojacking malware use binary obfuscation, a technique by which malware authors conceal harmful code from the usual string-matching detection method.


Hidden library calls

Programmers frequently call into libraries to improve their code's efficiency, organization and readability. However, attackers can also use the same technique to conceal their programs: for example, they construct new scripts that avoid the tell-tale keywords, so that the mining code stays hidden from detection systems.


How to protect yourself from cryptojacking attacks?

Pure cryptojacking attacks may only result in lower performance, but that does not make them harmless. Rather than becoming a cryptojacking victim, you should act as a defender: if an attacker can install malware on your (or your employees') computers, that is a sign that your security is weak and needs an upgrade. Here are a few tips to protect yourself from cryptojacking:

  • Proprietary antivirus products such as Kaspersky and Avast are frequently favored as protection against host-based cryptojacking malware.

  • Open-source browser extensions such as NoCoin and MinerBlock are frequently used to block in-browser cryptojacking malware. These add-ons work from blacklists, which they update whenever new malicious domains are discovered.

As general protection measures, you can disable JavaScript while surfing the web and use an ad blocker such as Adblock Plus to avoid crypto-mining malware delivered through online ads.