Earlier this month we discussed mining malware and how crypto’s popularity might have an effect on its usage. Well, a report from Check Point has found that 55% of businesses worldwide are now affected by crypto-miners. Hijacking a consumer’s GPU without their knowledge will reflect badly on your company and in turn damage your reputation. Being aware of the current threat landscape puts you in the driver’s seat when it comes to keeping your website secure, so let’s take a look.
Mining malware manipulates a computer’s graphics processing unit (GPU) and uses it to mine cryptocurrency for whoever planted it. In October 2017, Trustwave’s SpiderLabs brought to light that ‘Coinhive’ miners can sometimes use 100% of a computer’s central processing unit (CPU) power.
Cryptocurrency miners are being intentionally placed on some popular websites, including media streaming websites and file sharing services. Whilst some of this activity is legal, it is still being implemented without notifying users. Not to mention, the tools can be hacked to sap more of a user’s PC power to increase the revenue gained.
Maya Horowitz, Threat Intelligence Group Manager at Check Point has commented on the findings:
“Users are increasingly distrusting pop-up and banner adverts and using ad-blocking software, so websites are increasingly using crypto-miners as an alternative revenue source – often without the knowledge or permission of users, whose machines are being harnessed for mining.”
“As a result, threat actors are also using crypto-mining tools to drain even more of users’ computing power for their own gain, and it’s likely we’ll see this trend continue to rise over the coming months.”
Mining malware ‘Coinhive’ has taken the top spot in Check Point’s Top 10 ‘Most Wanted’ malware list, with two other mining malware strains at positions 3 and 10. As outlined in their blog post, here is the current ‘Top 10’:
- Coinhive – Crypto-Miner designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user’s approval. The implanted JavaScript uses great computational resources of the end users’ machines to mine coins, thus impacting the performance of the system.
- Rig EK – Exploit Kit first introduced in 2014. Rig delivers exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript that checks for vulnerable plug-ins and delivers the exploit.
- Cryptoloot – Crypto-Miner, using the victim’s CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug out from under it by asking a lower percentage of revenue from websites.
- Roughted – Large scale Malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
- Fireball – Browser-hijacker that can be turned into a full-functioning malware downloader. It is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
- Globeimposter – Ransomware disguised as a variant of the Globe ransomware. It was discovered in May 2017, and is distributed by spam campaigns, malvertising and exploit kits. Upon encryption, the ransomware appends the .crypt extension to each encrypted file.
- Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
- Virut – Botnet that is known to be used for cybercrime activities such as DDoS attacks, spam, fraud, data theft, and pay-per-install activities. It spreads through executable file infection (through infected USB sticks and other media), and more recently, through compromised HTML files (thus infecting vulnerable browsers visiting compromised websites).
- Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
- Rocks – Web based Crypto-Miner, which hijacks the victim’s CPU and existing resources for crypto mining.
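The practical question for a site owner is how to notice an implanted miner script of the kind described above (the Coinhive entry, and the earlier paragraph on miners being placed on popular websites) before visitors do. The following Node.js script is an added example, not code from the original article or from Check Point: it audits a page's HTML and flags any external script whose host is not on the site owner's allowlist, and checks inline scripts for a few indicator strings. The allowlist, the indicator patterns and the sample HTML are assumptions constructed for this example.

```javascript
// Added example (not from the Check Point report or the original article):
// audit a page's HTML for script tags that could be an injected browser miner.
// Two checks: (1) external scripts whose host is not on the site owner's
// allowlist, and (2) inline scripts containing strings associated with
// browser-mining libraries. The indicator strings and the sample HTML below
// are assumptions constructed for this example.

const MINER_INDICATORS = [
  /CoinHive\.Anonymous/i,   // assumed: constructor name used by the Coinhive library
  /stratum\+tcp:\/\//i,     // URL scheme used by mining pools
];

// Extract every <script> tag with its src attribute (if any) and inline body.
// A regex is used to avoid external dependencies; a full HTML parser would be
// more robust against unusual markup.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    scripts.push({ src: srcMatch ? srcMatch[1] : null, body: m[2] });
  }
  return scripts;
}

// Return the lowercase host of a script URL. Protocol-relative URLs ("//host/…")
// are normalised by prepending https:. Relative paths (same origin) return null.
function hostOf(src) {
  try {
    const normalized = src.startsWith('//') ? 'https:' + src : src;
    return new URL(normalized).hostname.toLowerCase();
  } catch {
    return null; // not an absolute URL, so it loads from the page's own origin
  }
}

// Audit the HTML and return a list of findings. allowedHosts is the site
// owner's list of third-party hosts that are expected to serve scripts.
function auditScripts(html, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src) {
      const host = hostOf(s.src);
      if (host !== null && !allowed.has(host)) {
        findings.push({ kind: 'unexpected-external-script', src: s.src, host });
      }
    } else {
      const hit = MINER_INDICATORS.find((re) => re.test(s.body));
      if (hit) {
        findings.push({ kind: 'miner-indicator-inline', pattern: hit.source });
      }
    }
  }
  return findings;
}

// Constructed sample page: one same-origin script, one allowed CDN script,
// one unexpected third-party script and one inline script carrying an indicator.
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/analytics.js"></script>
<script src="//miner-cdn.invalid/lib/miner.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');
  miner.start();
</script>
</head><body>Hello</body></html>`;

const SAMPLE_ALLOWLIST = ['cdn.example.com'];

// Run the audit over the constructed sample; expected: two findings.
function auditSample() {
  return auditScripts(SAMPLE_HTML, SAMPLE_ALLOWLIST);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditSample(), null, 2));
}

module.exports = { extractScripts, hostOf, auditScripts, auditSample };
```

The allowlist check is the durable part: it does not depend on recognising a particular mining library, so it also catches renamed or self-hosted miners, whereas the indicator regexes will lag behind any library that changes its API names. The same allowlist can be enforced in visitors' browsers with a `Content-Security-Policy` header whose `script-src` directive lists only the page's own origin and the expected hosts, which blocks an injected script rather than merely reporting it.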