Threat Spotlight: Cryptocurrency Malware

Introduction

Cryptocurrencies such as Bitcoin, Ethereum, and other altcoins have seen a rise in popularity and adoption among users and service providers, and their value has appreciated sharply over the last six months (Figures 1 & 2). The market capitalization of these virtual currencies is now pegged at around $100B (Figure 3) and continues to rise as Initial Coin Offerings (ICOs) fund the development of cryptocurrency-related projects.

Figure 1. Trend of Bitcoin (BTC)

Figure 2. Trend of Ethereum (ETH) Price

Figure 3. Market Capitalization of Virtual Currencies

This vast market certainly hasn’t gone unnoticed by miscreants and cybercriminals, who have already set their sights on these virtual assets as potential targets.

There are various ways one can get hold of cryptocurrency. Two legitimate ways include:

  1. Buying cryptocurrency from online exchanges such as Coinbase, Poloniex, Bittrex, Waves, etc.
  2. Running cryptocurrency mining software

On the other hand, malware authors usually employ the following illegitimate and/or illegal tactics:

  1. Distributing ransomware and getting paid in cryptocurrency
  2. Using cryptocurrency-stealing malware that targets digital wallets
  3. Compromising systems and using their resources for cryptocurrency mining

Cryptocurrency-Mining Malware

The following notable malware has been found compromising systems and delivering payloads with cryptocurrency-mining capabilities:

Malware Worm (Miner-C/NeksMiner.A/NightMiner-Config)

A SophosLabs researcher reported a cryptomining malware found on NAS servers back in August 2016. This malware could propagate even on mapped network shares and open file servers. Another malware sample from this variant shows that it has been active since 2015.

SHA256: 8bee95131ae47d9a5e3c8cccceaaad7e5567eac66ae7c0d875c9a57d3fc7acef

Filesize: 4.46MB

Like the one reported, this malware is packaged with NSIS and disguises itself by using a folder icon. If the system is set to hide file extensions from known file types (as shown in Figure 5), it can easily be mistaken for a folder. This may (Read more...)
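The masquerade described above has two ingredients a defender can check for: the sample is an NSIS package, and it is an executable whose only extension disappears when Explorer hides known extensions, so a folder icon makes it read as a directory. The triage helper below is an added example, not code from the Cylance post; it assumes the publicly documented NSIS first-header signature (0xDEADBEEF followed by "NullsoftInst"), the Explorer `HideFileExt` registry value, and a constructed PE-like byte blob as input. It seeds its hash watchlist with the SHA256 the post lists. It does not inspect the embedded icon, which would require parsing PE resources.

```python
"""Triage helper for the NSIS-plus-folder-icon masquerade (added example, not from the post)."""
import hashlib
import sys

# Watchlist seeded with the SHA256 the post lists for this Miner-C sample.
KNOWN_BAD_SHA256 = {
    "8bee95131ae47d9a5e3c8cccceaaad7e5567eac66ae7c0d875c9a57d3fc7acef": "Miner-C/NeksMiner.A",
}

# Assumption: NSIS installers carry a first header whose signature is 0xDEADBEEF
# (little-endian on disk) immediately followed by the ASCII tag "NullsoftInst".
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"

# Extensions Explorer hides for "known file types" that are also directly executable.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif"}


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of the file contents, for watchlist lookup."""
    return hashlib.sha256(data).hexdigest()


def is_nsis_package(data: bytes) -> bool:
    """True if the blob is an MZ executable containing the NSIS first-header signature."""
    return data[:2] == b"MZ" and NSIS_MAGIC in data


def hides_as_folder(filename: str) -> bool:
    """An executable with a single hidable extension ("Documents.exe") is shown as
    just "Documents" when extensions are hidden; with a folder icon it looks like a
    directory. Double extensions ("photo.jpg.exe") are a different masquerade."""
    stem, _, ext = filename.rpartition(".")
    return ext.lower() in EXECUTABLE_EXTS and stem != "" and "." not in stem


def explorer_hides_extensions():
    """Read Explorer's HideFileExt setting (1 = extensions hidden). None off Windows."""
    if not sys.platform.startswith("win"):
        return None
    import winreg  # Windows-only module, imported lazily
    key = winreg.OpenKey(
        winreg.HKEY_CURRENT_USER,
        r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
    )
    try:
        value, _ = winreg.QueryValueEx(key, "HideFileExt")
    finally:
        winreg.CloseKey(key)
    return value == 1


def triage(filename: str, data: bytes) -> dict:
    """Combine the checks into one verdict: known-bad hash, or NSIS package that
    would display as a folder with extensions hidden."""
    digest = sha256_hex(data)
    findings = {
        "sha256": digest,
        "known_bad": KNOWN_BAD_SHA256.get(digest),
        "nsis_package": is_nsis_package(data),
        "folder_masquerade": hides_as_folder(filename),
    }
    findings["suspicious"] = bool(findings["known_bad"]) or (
        findings["nsis_package"] and findings["folder_masquerade"]
    )
    return findings


# Constructed sample: a fake MZ/PE-shaped blob that embeds the NSIS signature.
SAMPLE_NAME = "Documents.exe"
SAMPLE_BYTES = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100 + NSIS_MAGIC + b"\x00" * 16
)

if __name__ == "__main__":
    for key, val in triage(SAMPLE_NAME, SAMPLE_BYTES).items():
        print(f"{key}: {val}")
    print("explorer hides extensions:", explorer_hides_extensions())
```

On a real host, run `triage` over files in user-writable shares and mapped drives (the propagation paths the post names) and pair a positive result with the `explorer_hides_extensions()` reading, since the disguise only works where that setting is on.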

This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog