Drive by Cryptominers: old method new goal.
Drive by Cryptominers: old method new goal.

As cryptocurrencies grow in value researchers have taken note that cybercriminals are adapting old drive-by download-style attack methods to mine cryptocurrencies instead of using them to inject traditional malware leading some to believe it's an alternative to more devastating attacks.

Silent Monero miners and other cryptocurrency miners have grown in popularity in the second half of 2017 and have been used on site as companies ranging from Showtime to Pirate Bay.

These same methods were once used to download malware and now are being used to download cryptominers leading Palo Alto researchers to believe at least some cybercriminals are starting to view these attacks as a better business proposition than the traditional practice of loading malware on the victim's system via drive-by downloads, Palo Alto researchers said in an October 17 blog post.

Researchers analyzed more than 1,000 sites that employed these attacks and found that five of the sites ranked in the top 2,000 of sites, 29 sites in the top 10,000 and 155 sites in the top 1 million, according to Alexa ratings. Furthermore, they found that these malicious and compromised sites resolved to 47 different counties with the majority being in the United States, the report said.

The majority of identifiable victims came from the eastern and western parts of the U.S, and of the malicious and compromised domains that were spotted, .download and .bid domains accounted for the majority, comprising more than 35 percent of these sites. .com and .review tied for 3rd with 13% of the sites each.

“This is such a new development that it's still getting its footing,” senior threat communications manager Christopher Budd said. “One particularly interesting angle for future developments is the impact of cryptocurrency prices on this.”

Budd added it's important to keep in mind that the high prices of cryptocurrencies are driving this activity and that presumably these attacks would stop if there were a significant drop in value and that we can expect to see more aggressive attacks if the values increase.

Although cryptocurrency mining attacks have existed since at least 2013, Recorded Future researchers noted the cryptocurrency miners enjoyed a surge in popularity during the second half of 2017 with malicious vendors offering various types of mining malware with a variety of functionalities, according to their Mining Malware: Signals of a Shift in Cybercrime report.

In some cases, developers added various key-logging and data intercepting functionality to address consumer demand. One variant in particular called “1ms0rry MINERPANEL” came in packages ranging from $35 to $850 with basic version offering bare bones functionality and higher-end versions featuring the source code for the malware expanding customization options.

Recorded Future researchers identified 62 different types of mining malware offered for sale across the criminal underground however, due to low productivity of individually infected machines, the majority of all currently available miners will only target x64 systems, the report said. The uptick in cryptomining activity and availability of the software may have geopolitical consequences as well.

“While we have not identified any North Korea-specific cryptocurrency mining malware, North Korean threat actors have experience in altering publicly available tools, managing botnets, and procuring cryptocurrency both legally and illegally,” researchers said. “These skills lead us to conclude that North Koreans will likely employ this technique in the near future, if they haven't already.”

Researchers noted it's important to remember that not cryptocurrency miners are malicious as long as there is proper knowledge and consent of the user whose machine is infected.