Mining rigs on display at the Thailand Crypto Expo on May 14, 2022, in Bangkok. (Photo by Lauren DeCicca/Getty Images)

Researchers on Tuesday found a new type of cryptomining attack in the wild that’s designed to hijack network bandwidth. 

In a blog post, Aqua Nautilus researchers said up to now, cryptominers sought to conduct extensive, complicated calculations to generate cryptocurrency. By doing so, they exploited the CPUs of their targets.

The researchers said these “old school” cryptominers caused a dramatic increase in CPU consumption, while the “new” cryptominer causes only moderate increase in CPU cycles. In addition, the network bandwidth consumption is high. So this technique lets new cryptominers stay under the radar with some security tools because they are sensitive only to high CPU usage and may miss this new cryptojacking tactic.

Aqua’s researchers said they detected the new type of cryptojacking malware targeting its honeypots this past February. The attack came from an account called peer2profit, a name that drew their attention, but the container was tagged by Aqua’s detectors as a cryptominer since it showed a similar behavior.

At first, the researchers didn’t pay much attention to the attack. But later, they saw another attack that leveraged various used mode rootkits to hide the attack. Once they saw that, the researchers decided to investigate the behavior further and noticed a marked increase in network activity. They then conducted further research focusing on peer2profit and found it was targeting PKT Cash, a site that lets users profit from excess bandwidth.  

This kind of attack represents a natural evolution of what we’ve seen for years, said John Steven, CTO at ThreatModeler. Steven said where cloud orchestration or crypto-platforms monetize infrastructure assets, there’s money to be made in stealing their cycles without paying. Steven said the resources attackers target will always be a function of reward over risk.

“As Aqua researchers point out, vendors have begun to commoditize detection of CPU-based resource theft, so that the ‘denominator’ takes risk-weighted reward away from attackers,” Steven said. “At the same time, platforms such as PKT Cash are raising the value of other resources — such as network bandwidth — so attackers can co-opt it without risking detection like CPU… at least until vendors prototype telemetry based on blogs like the one Aqua published.”

Jason Hicks, Field CISO and executive advisor at Coalfire, explained that basically the attackers are taking a cryptomining app that in this case consumes network resources vs CPU and they are using rootkit technology to try and hide the fact that it’s running. Hicks said they then are trying to run it on various cloud service providers environments in the free tier, to mine crypto with free resources.

“It would not be a big leap to try and tuck this into a malware delivery system to get it running on computers in the wild,” Hicks said. “They point out that many of the anti-malware tools detect crypto-mining malware by looking for high CPU use, this tool would not get detected that way. The examples they give are not really an attack targeted at the general public’s computers, it’s more of an attack they are using against cloud providers like AWS and Heroku. I can’t say I’ve seen anything exactly like this before, typically cryptomining attacks focus on getting other people’s systems to give you free compute time. It’s not really something that would lend itself well to the free tier on the various cloud providers.”