Death Of Coinhive: Status Of Cryptojacking Malware
The age of ransomware is slowly ending, not because it is losing steam: its authors continue to profit from victims who have no effective backup from which to restore their locked files. It is ending because malware authors want to switch to a better way of earning money, one that relies on a “silent treatment” this time. This is where cryptocurrency mining malware, or cryptojacking, comes into the picture. It is as effective as ransomware at generating income for its authors, without the hassle of revealing its presence to the user.
Cryptojacking malware generates revenue by stealing CPU/GPU cycles from the infected device and using them to compute cryptographic hashes, which in turn produces cryptocurrency such as Monero, Ethereum or other lesser-known coins. Bitcoin is no longer used for this kind of mining, given that its hashing difficulty is now too high for a typical ASIC, let alone a standalone PC.
There are a few ways a device can become infected with cryptojacking malware. Here are some examples:
- Drive-by Download (DBD) attacks cause a malware infection simply by browsing a website, without the user's knowledge. The redirect and the malware download are not displayed on screen, so the user typically does not notice the attack until the infection has already happened.
  - The attacker tampers with a legitimate website and embeds the URL of a fraudulent site (via an iframe, etc.).
  - The user accesses the tampered site.
  - The tampering code (iframe, etc.) redirects the user to the unauthorized site.
  - The malicious site exploits vulnerabilities in the user's browser or other software and takes control.
  - The user's machine is forced to download and execute the malware.
  - The malware runs and attempts to mine a cryptocurrency.
- Drive-by Mining (DBM) is an attack in which the attacker modifies a legitimate site to embed a mining script such as Coinhive, causing every visitor of that site to perform mining.
  - The attacker tampers with a legitimate website and embeds mining code such as Coinhive.
  - The user accesses the tampered site.
  - Mining executes in the user's browser.
  - The mining reward goes to the attacker.
With Drive-by Mining there is no need to exploit vulnerabilities or download malware, so it takes less effort than a DBD attack. Furthermore, since there is no exploit code, and the mining software itself does not exhibit “typical virus behaviors”, it is difficult for anti-virus software to detect. In addition, the insertion of the mining code into a site is hard to detect from the outside, because it is difficult to tell whether the script was intentionally embedded by the website administrator or planted by an outsider.
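As an added example (not code from the original article), here is a small defensive scanner in JavaScript that flags both injection patterns described above in a page's HTML: hidden or off-site iframes, which are the redirect mechanism in the DBD chain, and script references to browser-mining libraries such as Coinhive, which is the DBM mechanism. The sample page, the `.invalid` hostnames and the site key in it are constructed for illustration; `coinhive.min.js` and `CoinHive.Anonymous` are the Coinhive library file and API object, while the remaining indicators are assumptions that a defender would replace with their own intelligence.

```javascript
// Added example, not from the article: a static scanner for the two injection
// patterns described above (DBD redirect iframes and DBM mining scripts).
// Indicator list and sample page are constructed for illustration.

// Patterns seen in in-browser miners. The first two are Coinhive's real library
// file and API object; the rest are assumed examples of how to extend the list.
const MINER_INDICATORS = [
  /coinhive\.min\.js/i,
  /CoinHive\.Anonymous/i,
  /cryptonight/i,              // assumed: algorithm name common in miner bundles
  /WebAssembly\.instantiate/i  // assumed: WASM loader, noisy on its own
];

// Extract one attribute value from the raw attribute string of a tag.
function getAttr(attrs, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i').exec(attrs);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : (m[2] !== undefined ? m[2] : m[3]);
}

// Heuristics for an iframe the visitor is not meant to see: 0/1 px size,
// display:none, visibility:hidden, or positioned far off-screen.
function isHiddenFrame(attrs) {
  const dim = (n) => parseInt(getAttr(attrs, n) || '', 10); // NaN when missing
  const style = (getAttr(attrs, 'style') || '').toLowerCase();
  return (dim('width') <= 1 && dim('height') <= 1)
      || /display\s*:\s*none/.test(style)
      || /visibility\s*:\s*hidden/.test(style)
      || /(left|top)\s*:\s*-\d{3,}px/.test(style);
}

// Scan HTML served from pageOrigin; returns a list of findings (empty = clean).
function scanHtml(html, pageOrigin) {
  const findings = [];
  const siteHost = new URL(pageOrigin).hostname;
  let m;

  // 1. Hidden or off-site iframes: the redirect step of a drive-by download.
  const iframeRe = /<iframe\b([^>]*)>/gi;
  while ((m = iframeRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = getAttr(attrs, 'src') || '';
    const hidden = isHiddenFrame(attrs);
    let offSite = false;
    try {
      offSite = src !== '' && new URL(src, pageOrigin).hostname !== siteHost;
    } catch (e) {
      offSite = true; // an unparsable src is itself worth a look
    }
    if (hidden || offSite) findings.push({ type: 'iframe', src, hidden, offSite });
  }

  // 2. Script tags whose src or inline body reference a known miner.
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = getAttr(m[1], 'src') || '';
    const text = src + '\n' + m[2];
    const hits = MINER_INDICATORS.filter((rx) => rx.test(text)).map((rx) => rx.source);
    if (hits.length > 0) findings.push({ type: 'miner-script', src, hits });
  }
  return findings;
}

// Constructed sample: a shop page carrying both injections next to legitimate content.
const SAMPLE_HTML = `
<html><head><title>Example shop</title>
<script src="/assets/app.js"></script>
<script src="https://cdn.coinhive-example.invalid/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', { throttle: 0.3 });
  miner.start();
</script>
</head><body>
<iframe src="/help/embed.html" width="600" height="400"></iframe>
<iframe src="http://redirect.example.invalid/landing" width="0" height="0" style="display:none"></iframe>
</body></html>`;

// Usage: node scan.js
for (const f of scanHtml(SAMPLE_HTML, 'https://shop.example')) {
  console.log(JSON.stringify(f));
}
```

The scanner is regex-based rather than a full HTML parser, so an obfuscated loader that assembles the script URL at runtime will slip past it; treat it as a triage aid for a site owner or responder checking whether their pages were tampered with, not as a complete control. A `Content-Security-Policy` with a strict `script-src` allow-list is the complementary mitigation, since it stops an injected third-party miner script from loading at all.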
The good news for everyone is that Coinhive's business shut down a few days ago. This is welcome news, as many cryptocurrency malware authors used the service for their own selfish ends, earning money from innocent users through their infected devices. Cryptocurrency mining malware built on the Coinhive service now needs to be reprogrammed; infected machines are no longer able to mine until a new version using an alternative to Coinhive is deployed.