The MikroTik Cryptojacking is a cryptojacking campaign that targets computer users in Brazil by infecting MikroTik routers. The MikroTik Cryptojacking attacks use Coinhive to attack computer users. This malware works in the victim's Web browser, forcing the victim's computer to mine cryptocurrency. The mining uses up the affected computer's resources, causing it to slow down, lag frequently, and overheat, as its resources are spent mining digital currency rather than on the computer's normal operations.
Why You should Avoid a MikroTik Cryptojacking Infection
The MikroTik Cryptojacking campaign was first observed in Brazil. Although the first stage of the MikroTik Cryptojacking attack clearly began in Brazil, PC security researchers have since seen MikroTik routers compromised by the MikroTik Cryptojacking campaign all around the world. The MikroTik Cryptojacking campaign is one of the most successful malware campaigns of its type because of the number of devices it has infected globally. The first stage of the campaign, centered in Brazil, compromised 72 thousand routers in that country. At the time of writing, the MikroTik Cryptojacking attack has compromised nearly 200 thousand routers around the world. However, the attacks may affect a far larger number of devices, since nearly 2 million MikroTik devices are visible online and could be potential targets, making it likely that the MikroTik Cryptojacking campaign will only grow in the future.
The Zero-Day Exploit Associated with the MikroTik Cryptojacking Campaign
Zero-day exploits target vulnerabilities that are discovered at the time they are first used in attacks, before malware researchers or the software and hardware developers and manufacturers can release protections. The criminals responsible for the MikroTik Cryptojacking campaign are using a zero-day vulnerability that was first announced in April 2018. These attacks exploit a previously unknown vulnerability in these devices. Malware researchers have noted that the vulnerability affected Winbox, a component of these routers. MikroTik responded to reports of this exploit by patching the vulnerability almost immediately. However, most computer users may not bother to update their hardware regularly, meaning that many devices around the world currently remain vulnerable to the MikroTik Cryptojacking attacks.
How the MikroTik Cryptojacking Vulnerability Became Widespread
Once the zero-day vulnerability associated with the MikroTik Cryptojacking became known, various proof-of-concept programs were released on public platforms. It is very likely that the criminals used one of these publicly available proof-of-concept programs to create their own malware. Using this vulnerability, the criminals can take over the victim's router, altering the network traffic passing through it and injecting a copy of Coinhive into all websites delivered through that router. One especially worrying aspect of this attack is that the injection works in both directions, not only against the affected computer users. This means that if a website is hosted on a local network behind a MikroTik router, that website also will be compromised with Coinhive.
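A defender-side check for the injection described above, added here as an example (not code from the original article or from MikroTik): it parses an HTML response and reports any Coinhive loader script or site key, so a page fetched through a suspect router can be compared with a clean copy. The Coinhive host and API names are assumptions based on the historical Coinhive library, and the sample pages are constructed.

```python
import re
from html.parser import HTMLParser

# Hypothetical indicator set for the Coinhive in-browser miner (assumption: it matches
# the historical coinhive.com loader script and its CoinHive.Anonymous(siteKey) API).
MINER_HOSTS = ("coinhive.com",)
MINER_CTOR = re.compile(r"CoinHive\.Anonymous\s*\(\s*['\"]([^'\"]+)['\"]")


class _ScriptCollector(HTMLParser):
    # Collects external script URLs and inline script bodies from one HTML page.
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            self._buf = []  # start capturing the inline body (may arrive in chunks)

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def find_injected_miner(html):
    # Returns (kind, detail) findings: the loader URL and the site key that ties the
    # mining to the attacker's Coinhive account (a useful indicator for blocking).
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = [("external_script", s) for s in parser.srcs
                if any(h in s.lower() for h in MINER_HOSTS)]
    for body in parser.inline:
        match = MINER_CTOR.search(body)
        if match:
            findings.append(("miner_site_key", match.group(1)))
    return findings


# Constructed sample pages: one carrying the injection the article describes, one clean.
SAMPLE_INJECTED_PAGE = """<html><head><title>Example</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('CONSTRUCTED_SITE_KEY_0000');
miner.start();</script></head><body>Hello</body></html>"""
SAMPLE_CLEAN_PAGE = "<html><head><script src='/app.js'></script></head><body>Hi</body></html>"
```

Run the same check on a page fetched directly and on the copy fetched through the router; a Coinhive finding that appears only on the second copy points at in-transit injection rather than at the site itself.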
Some Particularities of Coinhive
Coinhive is the cryptocurrency mining component of the MikroTik Cryptojacking attack, and it has been observed in other attacks before. The digital currency itself is entirely legitimate, and computer users can use their own machines to mine it. However, criminals carrying out attacks like the MikroTik Cryptojacking take over the victim's computer and use it without permission to carry out the mining operations, which consumes significant system resources, including memory and processing power. Computers compromised by these attacks display several symptoms that can alert the user that something is wrong. Symptoms of the MikroTik Cryptojacking may include slow website loading times, poor system performance and instability. Affected computers also tend to overheat or run at high temperatures with excessive fan activity.