Malware and Cryptominers: An Ideal Couple?

In the past few weeks, researchers have noticed a major increase in the number of malware variants using the computational power of the targets to mine Monero cryptocurrency blocks.

These malware, usually flagged as Trojan.CoinMiner by the antivirus industry, can make a lot of money to their operator.

 

The concept of cryptocurrencies emerged on 2009, when Satoshi Nakamoto released the open-source and digital payment system named BitCoin. It was designed to provide a decentralized mode of operation, where every computer running it (called nodes) were able to trade it, using digital wallets.

All transactions are stored in a public distributed ledger called a blockchain. To verify and allow those transactions, the computational power of supporting network nodes is needed to maintain and update the blockchain, calculating hash blocks. Those are called cryptominers.

When mining is performed, depending of the number of blocks calculated, the owner is granted a reward under the form of a certain amount of the cryptocurrency. The more blocks are calculated, the more the reward is important.

Nowadays many other cryptocurrencies have been developed, but all use the concept of the blockchain.

 

As we saw above, users who make available the power of their computers to support the system are rewarded. So, malware authors have had an idea: why not make the computers they target mine blocks and appropriate the rewards? Trojan.CoinMiner was born.

The approach to infect computers greatly varies and the miner itself may be a simple process launched on startup or use more sophisticated method like fileless malware.

Usually, these malware are mining the Monero cryptocurrency because of its anonymity. The symptom of such an infection is typical: the extreme sluggishness of the computer because the miner is using all its computational power.

 

Coinhive Company developed a miner using the JavaScript language that allows websites to use their visitors’ computers resources to mine blocks as an alternative to ads for funding. Their first version of their script did not ask for user consent and this lead to abuse of the service.

Famous torrent site The Pirate Bay embedded it on their site, which led to massive protestation by the users. More worrisome, many popular sites, like DLINK or CBS, were hacked and this miner inserted into their pages.

 

 

Since, CoinHive changed the way their miner works to make user consent mandatory before starting mining. However, it will be easy for other programmers to develop one acting like the first version of CoinHive script.

 

Malware featuring cryptominers will probably growth in influence in the future, using advanced methods to make themselves more difficult for antivirus to remove them. The longer the stay on the computer is, the more the malware operator is making money. RogueKiller is able to detect most of them and eliminate them.