Cryptocurrency mining is THE money-for-nothing scam for cybercriminals at the moment. The current prices of crypto coins are stratospheric compared to what they were several months ago, and, naturally enough, crooks want to capitalize on that.
They could set up their own hardware, install some miners, and do it the legal way. As we all know, however, they don't tend to do things according to the law. That's why they sneak mining software into the computers of unsuspecting users and harness the power of their machines to generate digital money. The result for the user is severely crippled performance, an inflated electricity bill, and, in extreme cases, hardware damage.
Cybercrooks Quickly Jumping Onto The Cryptocurrency Bandwagon
Cryptocurrency theft is a growing threat. Back in September, researchers noted that during the first eight months of 2017, they detected more than 1.6 million PCs which had miners installed on them without the user's consent. Since then, we have seen new cryptocurrency mining attacks on an almost daily basis. One of the latest ones was also described on the Kaspersky Securelist blog yesterday.
It appears to be mostly aimed at Russian users who don't like paying for software. Domains like thefinereader[.]ru, theadobepremiere[.]ru, theopenoffice[.]ru, theoutlook[.]ru, etc. were registered and, as the domain names would suggest, the websites were designed to socially engineer victims into thinking that they're about to download either free or cracked versions of some popular software programs. The crooks didn't put too much effort into the design, by the looks of things. The screenshots taken by researchers show that the websites were quite generic, and they couldn't even be bothered to put different themes on them.
With most cyberattacks, the victims don't get what the social engineering tells them they'll get. With this one, however, they do.
The attackers put up some cracked versions of premium software which they sourced from torrent trackers, and for good measure, they also brought free programs like Open Office to the users' attention. Everything downloaded from the websites was functional. What users didn't know was that a stealthy mining component, a variant of the NiceHash miner programmed to mine Zcash in the case Kaspersky analyzed recently, was packed inside the installer. It was installed automatically and hidden in plain sight inside a newly created folder on the C:\ drive. Then, a shortcut pointing to the miner's executable was put in the Startup folder, which ensured that cryptocurrency mining started as soon as the PC booted up.
In addition to the miner's executable, there were several TXT files containing information on the mining pool and the wallet the money should be sent to. A couple of batch files ping the Command & Control (C&C) server periodically to ensure that the information is always up-to-date.
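The persistence pattern described above (a Startup-folder shortcut pointing at an executable in a fresh folder on C:\, with TXT and batch files alongside it) is cheap to check for. The PowerShell triage script below is an added example, not code from the Securelist report; it assumes read access to both Startup folders, and the "trusted roots" list is a hypothetical baseline to tune for your environment.

```powershell
# Added example: triage Startup-folder shortcuts for the miner persistence pattern.
# Assumptions: run on the suspect host with rights to read both Startup folders;
# $trustedRoots is a hypothetical baseline of where autostart targets normally live.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Install locations an autostart target is normally expected to sit under.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) |
                Where-Object { $_ }

$shell = New-Object -ComObject WScript.Shell   # resolves .lnk targets

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -File) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if (-not $target) { continue }

        # A target outside the usual roots (e.g. C:\SomeNewFolder\miner.exe) is the
        # placement the report describes.
        $outsideTrusted = -not ($trustedRoots |
            Where-Object { $target.StartsWith($_, 'OrdinalIgnoreCase') })

        # The report mentions TXT files (pool/wallet data) and batch files
        # (C&C check-ins) next to the miner executable; count such sidecars.
        $sidecars = @()
        $targetDir = Split-Path -Path $target -Parent
        if ($targetDir -and (Test-Path $targetDir)) {
            $sidecars = @(Get-ChildItem -Path $targetDir -File |
                          Where-Object { $_.Extension -in '.txt', '.bat' } |
                          Select-Object -ExpandProperty Name)
        }

        [pscustomobject]@{
            Shortcut       = $lnk.FullName
            Target         = $target
            OutsideTrusted = $outsideTrusted
            SidecarFiles   = ($sidecars -join ', ')
            Suspicious     = ($outsideTrusted -and $sidecars.Count -gt 0)
        }
    }
}

$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Entries flagged Suspicious are triage leads, not verdicts; confirm by hashing the target and checking which process is consuming CPU after boot.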
Other miners Kaspersky detected during the campaign worked slightly differently, but the ultimate goal was the same – mining cryptocurrency at the expense of unwitting users. But how much did the miner operators manage to gain from the whole thing?
Cryptocurrency Mining Gone Rogue
Some of the pools provide statistics on the contents of the wallets. Through them, Kaspersky found out that around $3,400 worth of cryptocurrency has been generated during the campaign. Not a bad paycheck considering the minimal effort exerted by the hackers, but there could be many other wallets, the content of which remains unknown, so we'll take this as a conservative estimate.
As you can see, sneaking cryptocurrency miners into people's computers without their consent is proving to be a profitable business. The huge number of new attacks that researchers discover every day proves this, and the NiceHash campaign detailed by Kaspersky shows that they could come from a variety of different sources.
If we must look at the bright side of things, we'd probably point out that having your PC hijacked to mine cryptocurrency isn't the most disruptive thing that could happen to you. We'd probably also mention that for people trying to download pirated software without acknowledging the risks, this whole experience probably proved to be quite educational.