Written by David Balaban
Online criminals follow the trends and the money. They used to love adware, then ransomware, and now the increasingly popular cryptojacking has gotten into their spotlight. Cryptojacking appeared in late 2017 when Coinhive presented their JS library as a new method for websites to monetize their traffic.
Cryptojacking is a type of attack during which a criminal hacker hijacks a victim’s processing power to mine cryptocurrency on the hacker’s behalf. Coinhive authors used Monero (XMR) as this coin’s algorithm perfectly fits their needs – most victims are ordinary users that are tricked to mine crypto using their laptops and mobile devices.
But these days the cryptocurrency community is witnessing revolutionary changes that might challenge the dominant status of Monero in the cryptojacking ecosystem. Electroneum (ETN) is a relatively new player that splashed onto the scene in fall 2017 and has reached enviable heights over just six months. One of this coin’s competitive advantages is the focus on mobile users, which potentially extends the project’s reach to hundreds of millions of people around the world.
Similarly to Monero, the architecture of Electroneum is based on Cryptonight, a proof-of-work hash algorithm tailored for mining with CPUs, while GPUs can also be leveraged with somewhat less output.
Electroneum crypto-mining attacks
Some of the recent cryptojacking vectors rely on malware that slithers its way into Windows PCs and servers and harnesses the hosts’ resources to mine ETN. This article will dissect these attacks and provide some speculations on why the threat actors might be repurposing their malicious code to mine Electroneum.
One of the early large-scale cryptojacking campaigns involving Electroneum took root in January 2018. Its architects use a piece of malware dubbed Bvhost.exe Miner. The culprit is making the rounds via the RIG exploit kit. With this distribution tactic in place, Windows users get infected when visiting a compromised website.
When on board, the Bvhost.exe malware connects to ETN mining pools and commences the backstage mining activity. Meanwhile, the host’s CPU consumption skyrockets to more than 90%, which keeps the processing unit permanently hot and causes critical system slowdown issues.
- Failed cryptojacking campaign using Dofoil malware downloader
In an outrageous move, cybercriminals attempted to contaminate more than 400,000 Windows computers with an Electroneum miner in March 2018.
The malicious agents leveraged a malware downloader known as Dofoil to spread the miner. They mostly targeted users in Russia (73%), Turkey (18%) and Ukraine (4%). The mining component was disguised as a Windows process named wuauclt.exe.
When executed, the malicious miner does not utilize CPU throttling and therefore consumes all of the available processing resources to mine Electroneum coins.
Thankfully, Windows Defender’s machine learning models successfully identified this suspicious behavior within minutes and blocked all the attempted attack instances.
- Attacks via notorious remote code execution vulnerability
An old security flaw in Apache Struts servers cataloged as CVE-2017-5638 used to be an entry point for malware. In March 2018, researchers discovered instances of this remote code execution vulnerability being retooled to infect Windows-based Struts servers with an Electroneum mining application.
To facilitate the incursion, the perpetrators have managed to weaponize the Windows command-line tool called certutil. This way, a cross-platform miner called CPUMiner-Multi is downloaded onto a server in base64 encoded format, which adds an extra antivirus evasion layer to the compromise. The crypto mining process proper is a binary named mssearch.exe. It boasts a stealth mechanism where the executable is terminated whenever the victim opens the Task Manager to see what’s eating up their machine’s resources.
To stay on the safe side, server owners should simply patch the above-mentioned vulnerability.
- Miner injection technique that echoes from the past
Another furtive Electroneum mining campaign broke out in mid-April 2018. To pull off the attacks, the hackers use a security flaw in Windows IIS 6.0 tracked as CVE-2017-7269. This vulnerability was discovered in March 2017 and affects old operating system releases, including Windows XP and Windows Server 2003.
The miner application is camouflaged as the legit Windows process named lsass.exe, which denotes Local Security Authority Subsystem Service. This way, the attackers ensure it flies below the radar of antimalware suites.
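As an added defensive illustration (not code from the article), here is a small Python triage check over a constructed set of process events: it flags the lsass.exe and wuauclt.exe name-masquerading and the certutil base64-decoding described above, plus the runaway CPU usage the article names as the main symptom. The event layout, file paths and pool address are assumptions made for this example.

```python
import re

# Constructed sample of process events (Sysmon-style fields) built for this
# example; these are not real telemetry from the campaigns described.
EVENTS = [
    {"image": r"C:\Windows\System32\lsass.exe", "cmd": "lsass.exe", "cpu": 1.0},
    {"image": r"C:\Users\Public\lsass.exe",
     "cmd": "lsass.exe -o stratum+tcp://pool.example:3333", "cpu": 97.5},
    {"image": r"C:\Windows\System32\wuauclt.exe", "cmd": "wuauclt.exe /detectnow", "cpu": 0.5},
    {"image": r"C:\ProgramData\wuauclt.exe", "cmd": "wuauclt.exe", "cpu": 99.0},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmd": "certutil -decode C:\\Temp\\payload.b64 C:\\Temp\\mssearch.exe", "cpu": 2.0},
    {"image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs", "cpu": 3.0},
]

# Names the campaigns borrowed as disguises; the genuine binaries live only in System32.
SYSTEM_PROCESSES = {"lsass.exe", "wuauclt.exe", "svchost.exe"}
SYSTEM_DIR = r"c:\windows\system32"
# certutil being used to decode a base64 blob or fetch a URL is a classic living-off-the-land sign.
CERTUTIL_ABUSE = re.compile(r"certutil(\.exe)?\s+.*-(decode|urlcache)\b", re.IGNORECASE)
# Unthrottled miners pin the CPU; the article cites >90% for Bvhost.exe.
CPU_THRESHOLD = 90.0


def classify(event):
    """Return the list of detection labels for one process event (empty if benign)."""
    findings = []
    image = event["image"].lower()
    directory, name = image.rsplit("\\", 1)
    if name in SYSTEM_PROCESSES and directory != SYSTEM_DIR:
        findings.append("masquerade:" + name)
    if CERTUTIL_ABUSE.search(event["cmd"]):
        findings.append("certutil-decode")
    if event["cpu"] >= CPU_THRESHOLD:
        findings.append("high-cpu")
    return findings


def scan(events):
    """Map each suspicious image path to its findings; benign events are dropped."""
    return {e["image"]: classify(e) for e in events if classify(e)}


if __name__ == "__main__":
    for image, labels in scan(EVENTS).items():
        print(image, "->", ", ".join(labels))
```

On a live host the same three checks map onto process path, command line and CPU columns that Task Manager or a Sysmon process-creation log already expose.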
Why threat actors might be switching to Electroneum is a nontrivial question. One of the theories is that the recent hard fork of the Monero blockchain, which has spawned five new projects, might pose mining complications and security risks for users. This split has reduced the hash power on both the old and new blockchain, therefore mining Monero might be getting more resource-heavy.
Another concern is that moving XMR coins on both blockchains makes it possible to attribute these transactions to the same user. With that said, Monero continues to be the cryptocurrency of choice for most cryptojacking agents, although Electroneum-related attacks are gearing up for a rise.
No matter how you slice it, rogue crypto-mining is a disconcerting phenomenon. The online perpetrators behind these campaigns stealthily exploit other people’s computers to make money, and it doesn’t really matter to the victims which cryptocurrency is being mined – Monero, Electroneum or any other. The symptoms in this scenario are obscure and boil down to high CPU usage, so it’s worthwhile peeking in Task Manager once in a while to check for fishy, resource-hungry processes.
It remains to be seen whether Electroneum will become the new mainstay of the malicious mining ecosystem, but there is an evident trend toward an upswing of these attacks.