What is Crypto-jacking?
With the ever-volatile state of crypto. Finance enthusiasts and crypto-bros will always be stimulated enough to talk and hype it up.
In this post, I'm going to bring to light a little about what crypto-jacking is and how it can be prevented, as well as look at some ransomware trends with regard to crypto-jacking.
ALDI Coin
So you've been wanting a bit more cash on the side and thought about investing some of your cash. You're at work and you get an email containing a link about the next viral alt-coin.
"ALDICOIN to hit $30k!"
"BuY lOw SeLL HiGH"
"ALDICOIN to the moon FTW!"
So you open the link to find out more about it, check out the site. It looks a bit dodgy but nothing too alarming. Never mind, you decided to just buy some stock in the S&P 500 instead. You're computer begins to act suspiciously slow now...
Little do you know, aldicoin[.]com just loaded a mining script onto your device without you realizing it and is using heavy computing power to mine Monero.
What is Cryptojacking?
Cryptojacking is a type of malware that is designed to hijack a victim's computer or mobile device to mine cryptocurrencies. The malware is typically distributed via phishing emails, malicious websites, or unpatched software.
While crypto jacking can appear as a simple attack vector, it is often used in conjunction with ransomware delivery methods, cryptojacking could be used as a decoy to detract attraction from more serious threats.
The new M.E.T.A
Just as a company would adopt new technologies or change direction for growth, hackers will also follow suit, "changing careers" that they feel are more effective or lucrative. The new META if you will.
We are likely going to see Cryptojacking attacks on the rise. Cybercriminals are becoming innovative and hungry for change. The number of crypto-jacking attempts in 2021 rose to 91 million, an increase of 19% year-on-year.
In January 2023, the threat group, Automated Libra used automation to create 130,000 free trial accounts on cloud platform services.
Automated Libra is a South African-based crypto-jacking group that targets cloud platforms offering limited-time trials of cloud resources in order to perform their crypto-mining operations.
META: Most Effective Tatics Available - The most optimal way to play the game to maximize the chances of securing a victory.
The threat group AstraLocker (a subsidiary of Babuk) has even gone as far as to say they are going to exit the ransomware business and turn to crypto-jacking.
They did this by posting a ZIP File containing the decryption keys to all of their malware on VirusTotal!
It is a smart move for Ransomware gangs, to begin adopting crypto-jacking techniques, particularly those that are financially motivated.
It's low risk and it incentivizes staying undetected on the victim's machine for as long as possible, remaining inconspicuous, and making money slowly under the radar.
In 2021 Alibaba, the Chinese e-commerce giant, had its Amazon ECS Instances hijacked. The attackers compromised authentication on AWS, disabled features, and began mining Monero Coin.
👉 if you enjoyed reading this post, feel free to subscribe and share it with your mates!
Sure but what is it capable of?
Even though malicious crypto mining may not be seen as detrimental as ransomware, it can still punch a big hole in your operations, especially when it's left undetected for a long time! Attacks can result in both indirect and direct losses to a company. Some of which include:
Increased electrical consumption on the hardware can contribute to the aging of the machine/device. If prolonged, overconsumption can even cause the batteries of infected devices to expand to the point of complete deformation.
Increased bandwidth consumption on the network which can contribute to slower general workloads
Complex scripts can be written and deployed that enabled them to search and spread laterally across the network abilities that let them infect other servers and devices on a target network. Maintaining persistence on a network is in the best financial interest of a crypto-jacker.
Attack Methods
There are 2 common methods of delivery with crypto-jacking.
Host-Based - Install malware directly on the victim’s computer. This can be done through a variety of methods, such as sending the victim a malicious email attachment or using a fake antivirus app or game that contains the malware.
Web-browser/Drive-by - An attacker will use a website or online ad to deliver the malware to the victim’s computer. The victim visits the website or clicks on the ad, malware is automatically downloaded and installed on their computer. This type of attack is known as “drive-by crypto-jacking” because the victim’s computer is compromised simply by visiting a website.
In both strategies, the code executes complex mathematical problems on the target computer and passes the output to a C2 server controlled by the hacker.
Detection and Mitigation
The first thing to consider is the principle of Least Privilege, this should be implemented anywhere possible. Should David from HR really need to open up a terminal to unzip a file?
Additionally, installing ad-blockers and any verified anti-crypto mining browser extensions (relative to company policy on 3rd party applications).
From an analyst standpoint, it is crucial for individuals in the company to understand these TTPs in order to inform and implement the correct measures.
EDR Protection can give valuable insight into detecting miners, rules can be put in place to detect behaviors such as unusually sized packets leaving the network, increased data transfer, and unusual communication with servers outside the organization.
👉 See you next Monday! Don’t forget to subscribe!