How to detect, prevent, and recover from crypto-jacking?

P.A. Daham Thameera
Published in MS Club of SLIIT
10 min read · Dec 31, 2021

Crypto-jacking is a new kind of threat to users that has caught the attention of the cyber security community, and it is built on cryptocurrency. It has now become the most common type of cybercrime and keeps spreading throughout the world along with the rise of ‘cryptocurrency’. Cryptocurrency can be earned through a process called “mining”, which can be done in an ethical or an unethical manner; the unethical form of crypto mining is what we call “crypto-jacking”.

So, what is cryptocurrency?

Cryptocurrency

Let us begin by understanding what cryptocurrency is. Simply put, cryptocurrency is digital currency (e.g. Bitcoin, Ethereum) that can be exchanged for goods, services, and even real money. This digital currency can be purchased or earned through a process called ‘mining’. Mining is a process in which a computer is used to solve complex cryptographic puzzles, and solving them earns the miner a certain quantity of cryptocurrency. Mining helps to maintain the integrity and security of the blockchain, because those computations are what keep track of the blocks in a given blockchain. Whenever a new block of transactions is appended to the blockchain, the network of computers validates the data by solving these puzzles. The people and networks engaged in this process, who obtain cryptocurrency as a result, are referred to as miners: for every new block registered, the miner that solves the validation puzzle first is awarded a certain amount of newly created cryptocurrency. This is how cryptocurrency mining works, and nowadays crypto mining is one of the best money-earning methods in the world. Dedicated crypto-mining farms run large arrays of powerful computers to compete for cryptocurrency rewards and rake in billions of dollars every year. But crypto mining needs a large amount of computing power, which makes it a demanding task. Because of that, hackers eventually became interested in mining cryptocurrency using other people’s computers, creating what we identify today as crypto-jacking. This is mostly done by black hat hackers, who developed malicious software to obtain the computing power they need to mine cryptocurrency. Crypto mining has grown in popularity, and in its returns, with the exponential increase in the value of cryptocurrencies such as Bitcoin, and as legitimate crypto mining has increased, these unethical mining methods have increased vastly as well. So, we need to be concerned and alert about these bad types of crypto mining and how to prevent such attacks.

What is crypto-jacking and how it works?

Crypto-jacking is the unethical form of crypto mining. It works by secretly using your computer’s resources to mine cryptocurrency for the hackers who control the malware. Black hat hackers build this kind of malware because mining needs massive computing power, and they do not have the money to buy that much hardware, so they develop malware to take it from other people’s machines instead. A crypto-jacker can be defined as malicious software that hijacks a personal computer’s CPU to perform cryptocurrency mining calculations and deliver the mined cryptocurrency to the attacker. This software reduces your computer’s performance because it consumes your processing power for mining, but it does not otherwise damage the operating system or the hardware. The only noticeable change is the drop in speed and responsiveness of the device, which is why crypto-jacking malware is quite difficult to notice; the problem is that you can no longer get the maximum throughput from your device. A large-scale example came to light when North Korea was found to be involved in crypto-jacking: “The POE has identified several incidents in which computers infected with crypto-jacking malware sent the mined assets — much of its anonymity-enhanced digital currency (sometimes also referred to as “privacy coins”) — to servers located in the DPRK, including at Kim Il Sung University in Pyongyang. These activities highlight the DPRK’s use of cyber-enabled means to generate revenue while mitigating the impact of sanctions and show that any country can be exposed to and exploited by the DPRK.”

Crypto-jacking software reaches a device in two ways: through malicious applications and through malicious websites. With malicious applications, victims are misled by black hat hackers into downloading crypto-jacking software onto their computers, using methods similar to phishing attacks: the victim receives an authentic-looking email containing a link that downloads and installs crypto mining software, which then runs in the background without the user’s knowledge. With malicious websites, the victim visits a site that runs a malicious script or hosts a malicious advertisement. The script can do one of the two things mentioned below:

If the user keeps the website open, the user’s computer can be actively used to “mine” cryptocurrency for as long as the page stays open. This “drive-by” attack can compromise any device with a web browser.

The website can use a script to install a malicious application on your device without your knowledge.

[Figure: Malicious JavaScript code]

The JavaScript code segment in the figure above is an example of a malicious script that runs when a visitor loads the website. Once the code executes in the web browser it opens a ‘WebSocket’ connection between the visitor’s computer and a remote drop-zone server. The server then sends a mining target to the victim’s device, which is used to compute hash functions against it. Computing such hashes is an extremely demanding task for a processor, and it violates the privacy of the device owner, who never agreed to it.
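As an added defensive example (not code from the original article), the following scanner flags scripts on a fetched page that match this pattern: external script sources whose host names contain the web-miner family names discussed in this article, and inline scripts that open a WebSocket and refer to hashing work. The sample HTML, the `.example` host names and the keyword lists are constructed assumptions for illustration; a match is a triage signal to review, not proof of mining.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Family names from this article; matching them in a script host is a heuristic.
MINER_HOST_KEYWORDS = ("coinhive", "cryptoloot", "crypto-loot", "jsecoin")
# Inline drive-by shape: opens a WebSocket and refers to hashing work.
HASHWORK_WORDS = ("hash", "job", "target", "nonce")

class ScriptCollector(HTMLParser):
    # Collects external script URLs and inline script bodies from a page.
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False

def find_suspect_scripts(html):
    # Returns (kind, evidence) findings for scripts that deserve a manual look.
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc.lower()
        if any(key in host for key in MINER_HOST_KEYWORDS):
            findings.append(("external", src))
    for body in collector.inline:
        if "WebSocket(" in body and any(w in body.lower() for w in HASHWORK_WORDS):
            findings.append(("inline-websocket-hashing", body.strip()[:40]))
    return findings

# Constructed sample page: a benign CDN script, a miner-library include and a drive-by loader.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example/jquery.min.js"></script>
<script src="https://coinhive.example/lib/miner.min.js"></script>
<script>var ws = new WebSocket("wss://dropzone.example/proxy");
ws.onmessage = function (m) { var job = JSON.parse(m.data); /* hash against job.target */ };
</script></head><body>hello</body></html>"""
```

Run `find_suspect_scripts(SAMPLE_HTML)` to see both the library include and the inline loader reported; the benign CDN script is left alone.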

What happens when crypto-jacking malware attacks the device?

Once crypto-jacking malware starts running in the background, the computer’s software and hardware struggle to keep up alongside it. The other problem is that crypto-jacking uses not only computing power but also the network connection for mining. Because of that, it reduces the network connection speed and uses up your data package. This is not a big problem for those on unlimited data packages, but users with limited data packages face a lot of difficulty, as buying additional data can turn out to be expensive.

[Figure: Percentage CPU usage when JavaScript is enabled (left) and disabled (right)]

Unlike most other types of malware, crypto-jacking scripts do not normally damage victims’ data. However, crypto-jacking does slow down a victim’s computer and internet connection and can drain the battery. Beyond that, crypto-jacking malware can track the device’s location and access all the personal details stored on it, compromising your privacy. Its targets include any connected device: desktop computers, laptops, tablets, and mobile phones.

How to detect crypto-jacking malware attacks?

Detecting crypto-jacking malware is hardly an easy task, because by its nature the malware does not show any visible attack taking place in the operating system; the attack is hidden. Crypto-jacking also behaves like a legitimate process, so the victim assumes it is one and easily ignores it. That is what makes detection difficult. There are three signs to look out for. They are:

1. Reduced performance

When the device runs slower than usual and running applications tend to crash, it can be a sign to look out for. With such high usage of the processor and other resources, the battery of a laptop would also drain rapidly.

2. Overheating

We already know that mining is a processor-intensive process, so the device tends to overheat rapidly and the cooling fans run at a much higher speed. When a device overheats, battery life is badly affected, along with the lifespan of many other components in the computer system.

3. High CPU usage

If you notice that CPU usage is much higher than the work you are doing would explain, this could also indicate crypto-jacking malware running in the background. Excessive CPU usage can be monitored using the task manager. With a major part of the CPU capacity allocated to mining, even the simplest user-run software will lag.

The above are the most common signs that indicate a crypto-jacking attack in order of noticeability.
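The three signs above can be turned into a simple triage check over process samples. The following is an added example, not code from the original article; it assumes that a monitoring agent already supplies per-process CPU snapshots, and the process names, PIDs and percentages are constructed.

```python
from collections import defaultdict

# Miner families named in this article. A name match is a strong signal, but
# renamed binaries will not match, so the sustained-CPU check is the main test.
KNOWN_MINER_NAMES = ("xmrig", "wannamine", "nrsminer", "rubyminer")

def flag_cryptojacking(samples, cpu_threshold=80.0, min_consecutive=3):
    # samples: list of snapshots, one per interval; each snapshot is a list of
    # (pid, name, cpu_percent) tuples as a monitoring agent would collect them.
    # Returns {pid: reason} for processes with a known miner name or with
    # cpu_percent >= cpu_threshold in min_consecutive consecutive snapshots.
    streak = defaultdict(int)
    findings = {}
    for snapshot in samples:
        seen = set()
        for pid, name, cpu in snapshot:
            seen.add(pid)
            if any(key in name.lower() for key in KNOWN_MINER_NAMES):
                findings[pid] = f"known miner name: {name}"
            streak[pid] = streak[pid] + 1 if cpu >= cpu_threshold else 0
            if streak[pid] >= min_consecutive and pid not in findings:
                findings[pid] = f"{name} at >= {cpu_threshold:.0f}% CPU for {streak[pid]} samples"
        for pid in streak:
            if pid not in seen:
                streak[pid] = 0  # process exited or was missed; a gap breaks the streak
    return findings

# Constructed one-second snapshots: a video encoder that spikes briefly (benign),
# a process hiding behind a system name that stays pinned (suspect), and XMRig.
SAMPLES = [
    [(101, "ffmpeg", 95.0), (202, "svchost.exe", 85.0), (303, "xmrig.exe", 40.0)],
    [(101, "ffmpeg", 12.0), (202, "svchost.exe", 92.0), (303, "xmrig.exe", 45.0)],
    [(101, "ffmpeg", 3.0), (202, "svchost.exe", 90.0), (303, "xmrig.exe", 42.0)],
    [(101, "ffmpeg", 2.0), (202, "svchost.exe", 88.0)],
]

if __name__ == "__main__":
    for pid, reason in flag_cryptojacking(SAMPLES).items():
        print(pid, reason)
```

A sustained streak is only a signal: a legitimate encoder or build job will trip it too, so the result is a list to review in the task manager, not a verdict.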

How to prevent crypto-jacking malware?

Although black hat hackers use a number of methods to attack victims’ computers, the basics of those attacking methods have not changed much, and defensive tactics have evolved alongside them. It is important to prevent intrusions and protect our devices from crypto-jacking malware. A number of methods can be used for this purpose.

Use anti-virus software that offers protection against cyber-attacks. This could be the easiest and most sensible option, as it offers protection at all times and keeps itself up to date automatically without the user having to think about it.

User awareness plays a key role too, because it helps the user avoid certain websites and apply several defensive measures. An aware user is constantly alert to possible threats and better able to identify an ongoing attack.

Using strong passwords is another way of preventing outsiders from accessing a device. It is usually advised to use numbers and other characters in addition to letters, and to use random words rather than an easily predictable word that could be figured out through social engineering.

Using ad blockers and installing a firewall can help a lot in keeping external threats out of a computer, as they block malicious traffic. Several operating systems have a built-in firewall.

Other measures worth considering are changing default usernames and passwords, keeping software and the operating system updated, restricting the privileges of applications that might pose a threat, and being cautious about the sites visited and the files downloaded.

Identifying different types of crypto-jacking malware

In order to be aware of an ongoing attack, and to prevent one from happening in the future, we need to know how an attack works. Here are a few examples of the malware we have already discussed and how it behaves.

1. WannaMine

WannaMine is a sophisticated Monero crypto-mining worm that spreads using the EternalBlue exploit. It implements its spreading mechanism and persistence by leveraging Windows Management Instrumentation (WMI) permanent event subscriptions.

2. XMRig

XMRig is open-source CPU mining software used for the mining process of the Monero cryptocurrency and was first seen in the wild in May 2017.

3. RubyMiner

RubyMiner is a cryptocurrency miner that targets Linux and Windows servers. It was found exploiting old Ruby on Rails and PHP vulnerabilities in unpatched websites to mine Monero (XMR), using the legitimate XMRig crypto mining tool.

4. JSEcoin

JSEcoin is a web-based crypto miner designed to mine Monero cryptocurrency online when a user visits a web page, without the user’s approval. The implanted JavaScript consumes a large share of the end user’s computing resources to mine coins, degrading system performance.

5. Cryptoloot

Cryptoloot is a JavaScript crypto miner designed to mine Monero cryptocurrency online when a user visits a web page, without the user’s approval. The implanted JS consumes a large share of the end user’s computing resources to mine coins, degrading the machine’s performance.

6. Coinhive

Coinhive is a crypto miner designed to mine Monero cryptocurrency online when a user visits a web page, without the user’s approval. The implanted JS consumes a large share of the end user’s computing resources to mine coins, degrading the machine’s performance.

7. NRSMiner

NRSMiner is a crypto miner that surfaced around November 2018 and mainly spread in Asia, specifically in Vietnam, China, Japan, and Ecuador. After the initial infection, it uses the well-known EternalBlue SMB exploit to propagate to other vulnerable computers on internal networks and eventually starts mining the Monero (XMR) cryptocurrency.

How to recover from crypto-jacking malware attacks?

Before recovering from crypto-jacking malware, victims first need to detect the attack; the detection methods were discussed in the previous paragraphs. Once detection is complete, the next step is recovering from this type of malware. There are five techniques to recover from it:

1. Use anti-virus software

Anti-virus software is not only a malware detection tool; it can also disable and remove malware from the operating system. So, if a crypto-jacking attack happens on a victim’s device, the victim needs to install anti-virus software, detect the crypto-jacking malware, and then delete it.

2. Install a firewall

Some types of web-based crypto-jacking attacks cannot be defended against using anti-virus software, so web-based crypto-jacking can still use the device’s processing power for mining. For those attacks a firewall is the best option, as it blocks and controls the incoming and outgoing network traffic to and from the device.

Firewalls may prevent some attack vectors by blocking malicious traffic before it can enter a computer system and by restricting unnecessary outbound communications. So, if a crypto-jacking attack happens, installing a firewall helps in recovering from it.

[Figure: Recover from crypto-jacking]

Nowadays both of these functions (firewall and anti-virus protection) are usually combined in one product. A victim who does not use prevention methods will definitely end up in the recovery process, which is why prevention is more important than recovery.

I am a Cyber Security student at the Sri Lanka Institute of Information Technology (SLIIT University).