Cryptojacking is Soaring, and “Stegware” Makes it a Stealth Bomber

With Bitcoin becoming resource-intensive to mine, and several alternative cryptocurrencies emerging, more bad actors are jumping into cryptojacking: the unsolicited use of your device to mine cryptocurrency. This is becoming a dangerous threat that sometimes targets web systems and at other times infiltrates consumer or enterprise devices.

When a consumer device is targeted by cryptojacking, the effects of the mining operation are usually immediate: system performance no longer matches the expected user workload. When the attack targets an enterprise device such as a server, the same indicators exist but are harder to identify. A correctly configured mining script throttles itself, so the extra CPU usage looks like a slightly higher server load that could be explained by higher demand. Verifying whether that load is really explained by demand is not an easy task.

The purpose of a cryptojacking attack is essentially revenue, so it makes sense that high-value assets (those with significant CPU or GPU resources) will be targeted. Recent reports reveal that the manufacturing and financial services industries together account for more than 55% of the systems affected by cryptojacking attacks (1). In one recent example, the Smominru Monero botnet produced around $3 million running a mining operation on more than 500,000 compromised hosts (2).

Several cryptojacking campaigns use steganography as the mechanism to conceal and deliver the malicious mining script.

With security solutions maturing, bad actors need new strategies to deliver their attacks. That's where "stegware", malware hidden with steganography, comes in handy. As previously discussed (3), steganography is a very good vehicle for concealing an attack. In the case of cryptojacking, delivering the mining script is all the attacker requires, so a carrier such as an image file is used to hide the script. Then, taking advantage of vulnerabilities (or features) already present in the services exposed by servers, the image is planted and the mining script is extracted and executed. The technique is so effective that in some cases bad actors don't bother with real steganography: a file that merely carries an image extension or header, with the script inside, is enough to slip past security solutions that trust the apparent file type.

In a similar way, web-based cryptojacking attacks are poisoning hundreds of websites (either by exploiting web server vulnerabilities or via "malvertising") to mine cryptocurrency when a user visits a webpage. Essentially, an image (for example an ad) is placed where the mining script can be extracted from it and executed using the visitor's device resources. Fortunately, popular browsers have already implemented measures to detect this activity and shut it down.

But even with monitored devices such as servers, distinguishing a legitimate increase in server demand from a cryptojacking attack is not always simple. If the mining script is correctly configured, an infected server process using a slightly higher amount of CPU falls into a gray area and is not necessarily spotted as an anomaly. What a raw CPU threshold cannot see is whether the extra CPU is accounted for by the work the server actually did; comparing CPU against a measure of real demand (requests served, jobs processed) is what separates the two cases.
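The following check is an added example written for this article, not code from the original post. It shows why the gray area exists and one way out of it: a raw CPU threshold flags a genuine traffic spike and a throttled miner alike, while fitting CPU against request volume on a quiet baseline and looking at the unexplained remainder separates them. All telemetry values, the baseline, and both windows are constructed for illustration; the linear CPU-versus-requests model is an assumption that holds for many request-driven services but should be validated against your own metrics.

```python
"""Workload-normalized CPU anomaly check for a throttled miner.

Added example, not code from the original article. Telemetry is constructed.
Assumption: on a healthy request-driven server, cpu ~= a + b * requests.
"""
from statistics import mean, pstdev

# Constructed baseline: (cpu_percent, requests_per_minute) from a quiet period.
# Roughly cpu ~= 8 + 0.02 * requests, with small noise.
BASELINE = [
    (32.0, 1200), (34.5, 1310), (30.6, 1150), (39.1, 1540),
    (28.7, 1050), (36.6, 1420), (33.0, 1260), (35.1, 1350),
]

# Constructed window A: legitimate traffic spike, CPU rises with requests.
BUSY_WINDOW = [(48.0, 1960), (50.5, 2070), (46.5, 1880)]

# Constructed window B: throttled miner, CPU up ~15 points, traffic flat.
MINER_WINDOW = [(48.0, 1230), (50.0, 1280), (47.5, 1190)]


def fit_cpu_model(samples):
    """Least-squares line cpu = a + b * requests over baseline samples.
    Returns (a, b, residual_stdev)."""
    xs = [req for _, req in samples]
    ys = [cpu for cpu, _ in samples]
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx
    a = my - b * mx
    resid = [y - (a + b * x) for x, y in zip(xs, ys)]
    return a, b, pstdev(resid)


def naive_cpu_flag(window, baseline=BASELINE, k=3.0):
    """Classic check: mean CPU above baseline mean + k * stdev of raw CPU.
    Fires on any load increase, legitimate or not."""
    cpu = [c for c, _ in baseline]
    threshold = mean(cpu) + k * pstdev(cpu)
    return mean([c for c, _ in window]) > threshold


def unexplained_cpu(window, baseline=BASELINE):
    """Mean CPU points in the window that request volume does not explain."""
    a, b, _ = fit_cpu_model(baseline)
    return mean([cpu - (a + b * req) for cpu, req in window])


def workload_normalized_flag(window, baseline=BASELINE, k=3.0, floor=5.0):
    """Flag when unexplained CPU exceeds both k * sigma of the baseline fit
    and an absolute floor (guards against an unrealistically tight baseline)."""
    _, _, sigma = fit_cpu_model(baseline)
    excess = unexplained_cpu(window, baseline)
    return excess > max(k * sigma, floor)


if __name__ == "__main__":
    for name, window in (("busy", BUSY_WINDOW), ("miner", MINER_WINDOW)):
        print(f"{name}: naive={naive_cpu_flag(window)} "
              f"unexplained={unexplained_cpu(window):.1f} pts "
              f"flag={workload_normalized_flag(window)}")
```

Run as a script it prints one line per window: the naive check flags both, while the normalized check flags only the miner window, whose roughly 16 unexplained CPU points are exactly the "slightly higher load" the article describes. Any demand signal you already collect (requests, queue depth, batch jobs) can replace the request count.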

Collateral Damage

A mining script that continuously consumes CPU or GPU resources is a risk to the system and its components. When devices are stressed by the extra load of mining, the CPU, GPU and heat dissipation mechanisms run harder than usual. This increases energy consumption and can wear out components faster. Although this is not the purpose of cryptojacking, we can't ignore the consequences: it may amount to a form of denial of service when critical infrastructure is compromised. A cryptojacking botnet on your servers may not disrupt the business outright, but it surely introduces challenges to the operation.

Less Headache, More Benefits

Compared with ransomware, cryptojacking may be more attractive to cybercriminals. Both attacks produce revenue. However, while a ransomware attack becomes obvious once the ransom is demanded, a stealthy cryptojacking campaign has a better chance of going undetected (especially when steganography is assisting the attack). Also, if a cryptojacking attack is discovered, it is very hard to trace back to its source because of the intrinsic anonymity of the cryptocurrency involved. Add the fact that the victim may have little incentive to pursue the author (since "no damage" was done), and it is clear why this attack offers more benefits and fewer headaches than ransomware.

Staying Alert

Because no evident damage is produced, fighting cryptojacking requires a trained eye. Look for anomalies in performance, overheating, or failing components. The more telemetry you have, the better you will be able to spot an attack. Determining why a device or server is being stressed is not easy, but that is where you should start. Other indicators, such as unknown processes or unknown image files being downloaded, can help you trace the path back to a mining script.
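The "unknown image files" indicator above, and the fake-image and image-carrier delivery described earlier, both come down to one question a practitioner can answer cheaply: is this file only an image? The checker below is an added example written for this article, not code from the original post or any product. It confirms that the magic bytes match the claimed extension (catching the "fake image" that is really a script), walks PNG chunks and reports anything after IEND, and applies a simpler last-EOI-marker heuristic to JPEG. All sample files, including the payload marker string, are constructed here. Note what it does not do: a payload hidden in pixel data by real steganography passes this check, and that case needs statistical analysis of the image itself.

```python
"""Is this 'image' only an image? Added example, not the article's own code.
Sample inputs below are constructed; SAMPLE_PAYLOAD is a placeholder marker,
not a real mining script."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SIG = b"\xff\xd8\xff"
MAGIC = {"png": PNG_SIG, "jpg": JPEG_SIG, "jpeg": JPEG_SIG}

# Constructed stand-in for an appended script; any bytes would do.
SAMPLE_PAYLOAD = b"\n(function(){/* constructed payload marker */})();\n"


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as clean sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    raw = zlib.compress(b"\x00\x00")  # filter byte + one gray pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", raw) + _png_chunk(b"IEND", b""))


def png_trailing_bytes(data: bytes) -> bytes:
    """Walk PNG chunks, verifying CRCs; return bytes after IEND
    (empty for a clean file). Raises ValueError on a broken PNG."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # 4 len + 4 type + data + 4 crc
        if end > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[end - 4:end])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r}")
        pos = end
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("no IEND chunk")


def classify(filename: str, data: bytes) -> str:
    """Return one of: unknown-extension, fake-image, malformed,
    trailing-data, clean."""
    ext = filename.rsplit(".", 1)[-1].lower()
    expected = MAGIC.get(ext)
    if expected is None:
        return "unknown-extension"
    if not data.startswith(expected):
        return "fake-image"          # image extension, non-image content
    if ext == "png":
        try:
            trailer = png_trailing_bytes(data)
        except ValueError:
            return "malformed"
    else:
        # JPEG heuristic: anything after the last EOI marker (FF D9).
        # A full segment walker is more robust; this is enough for appended data.
        eoi = data.rfind(b"\xff\xd9")
        if eoi < 0:
            return "malformed"
        trailer = data[eoi + 2:]
    return "trailing-data" if trailer else "clean"


if __name__ == "__main__":
    samples = {                       # all constructed
        "logo.png": minimal_png(),
        "banner.png": minimal_png() + SAMPLE_PAYLOAD,
        "pixel.png": SAMPLE_PAYLOAD,
        "photo.jpg": JPEG_SIG + b"\xe0" + b"\x00" * 4 + b"\xff\xd9",
        "ad.jpg": JPEG_SIG + b"\xe0" + b"\xff\xd9" + SAMPLE_PAYLOAD,
    }
    for name, blob in samples.items():
        print(f"{name:12s} {classify(name, blob)}")
```

Point this at whatever your web server or proxy wrote to disk; a result of fake-image or trailing-data on a file that was supposed to be an ad or a logo is a lead worth following to the process that fetched it.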
