The era of “gold rush” in the cryptocurrency niche is long gone, and cybercrime has responded accordingly. Cryptocurrency mining using malware is now profitable only on a very large scale, so virus writers are trying in various ways to expand their activities and increase profits. Trend Micro conducted research on the activities of such groups and shared preliminary results with us.
What are the dangers of cryptomainers?
Cryptocurrency mining is much less profitable than stealing confidential information and spreading ransomware, so the main target of cybercriminals is not infected end-user machines, but cloud services. Monero (XMR) cryptocurrency is the most popular among cybercriminals, because it allows for maximum return when mining using CPUs compared to other cryptocurrencies. The choice is also explained by the fact that most cloud services do not provide access to GPUs and the resources of a regular CPU become the only mining tool. At the same time, groups are actively competing with each other: IT security experts compare this struggle for resources with cyber tournaments of the category Capiture the Flag. Trend Micro analyzed the activities of Outlaw, TeamTNT, Kinsing, 8220, and Kek Security, which are most active in attacking cloud services.
Moving infrastructure to the cloud is an obvious trend in recent years, as such migration allows companies to save significant money on hardware and its maintenance. At the same time, the deployment of cloud services requires costs for their configuration and administration, above all to ensure security. Many firms save money on this as well. A significant number of system administrators are familiar with on-premises infrastructure protection tools such as firewalls and anti-viruses, but these professionals face a lack of knowledge and practice when it comes to cloud services. In addition, if no monitoring and logging tools are installed and configured in the cloud, the administrator does not get the same amount of information available to him on the local system, so he might not notice an attack. The logical result is hacking, and using a compromised cloud for mining cryptocurrencies is often the least of all possible evils.
Since many cloud services have a standardized configuration and default settings are not a secret (and are also well documented), attackers do not need to spend too much effort on reconnaissance and hacking, nor do they need any sophisticated tools. On the one hand, it seems that infiltrating a cloud system with a Trojan-miner does not pose a serious threat because it does not lead to a data leak or compromise the integrity of the infrastructure. On the other hand, it will lead to a slowdown of services, dissatisfaction and customer outflow, and, as a result, a drop in profits. And if the system is vulnerable, there is nothing to stop attackers from exploiting this vulnerability in a more destructive way.
Research on Monero crypto-mining
For research purposes, Trend Micro experts installed Monero mining software – XMRig – on a test cloud server, concurrently loaded with other tasks, and noted an increase in CPU load from 13 to 100%. In monetary terms, this means an increase in the cost of renting such a server from $20 to $130 per month.
Simultaneously with the growth of CPU load also increases the amount of network traffic, but the cost is insignificant against the background of overall costs.
It is not uncommon for access to a compromised cloud server to be offered for sale by cybercriminals, and for the miner to be uploaded to the cloud while the product is “waiting for its customer”. Therefore, the detection of such a Trojan is a very bad sign. In most cases, it is the last chance to deal with security issues before attackers use the compromised server with some other bad intentions.