Study: More than 5 Percent of Monero Cryptocurrency was Mined by Malware

Unauthorized cryptocurrency mining has been one of the major malware trends this year, with attackers managing to mine more than 5 percent of Monero coins currently in circulation using abused devices.

Researchers from Palo Alto Networks have analyzed around 630,000 samples of cryptocurrency mining malware captured by the company’s systems over the past few years and extracted the wallet IDs and mining pools used by attackers.

By far, Monero (XMR) was the most targeted cryptocurrency, being mined by 531,000 of the samples. Monero has better anonymity than Bitcoin and many other cryptocurrencies, making it a favorite for cybercriminals. It’s also much easier to mine than Bitcoin on commodity hardware.

The researchers extracted 2,341 Monero wallet IDs and matched them to the mining pools used by the cryptocurrency mining malware. Most of those mining pools provided statistics based on wallet IDs, so it was relatively easy to determine how successful the attackers were. They mined a total of 798,613.33 XMR.

“One interesting note about the figure above is that the total Monero represented roughly 5% of all Monero in circulation at the time of writing,” Josh Grunzweig, a senior malware researcher at Palo Alto, said in a blog post. “This of course doesn’t take into account web-based Monero miners, or Monero miners that we do not have visibility into. As such, we can assume that the actual percentage of Monero in circulation that was mined via malicious activity is actually higher.”

Considering an exchange rate of $180 for 1 XMR, the attackers managed to mine the equivalent of $144 million. However, it’s worth noting that only 55 percent of the analyzed wallets earned 0.01 XMR or more and, of those, only 244 wallets, or around 10 percent, have earned 100 XMR or more. Furthermore, only 99 wallets earned more than 1,000 XMR and 16 wallets earned more than 10,000 XMR.

This shows that, while overall Monero mining seems very lucrative, in practice the number of criminal groups that manage to actually mine a significant amount is pretty small.

The total hashrate, which indicates the mining power, across all wallets was roughly 19MH/s. This would result in total winnings of around $30,000 per day, given Monero’s network current mining difficulty. However, according to their individual hashrates, the top three wallets would have earned their owners $2,737 per day, $2,022 per day and $1,596 per day, respectively.

“Defeating cryptocurrency miners being delivered via malware proves to be a difficult task, as many malware authors will limit the CPU utilization, or ensure that mining operations only take place during specific times of the day or when the user is inactive,” Grunzweig said. “Additionally, the malware itself is delivered via a large number of methods, requiring defenders to have an in-depth approach to security.”

Improper Code Signature Checks Allows Malware to Trick Mac Security Products

Many third-party security products did not use macOS’ code-signing API properly when checking the digital signatures of certain executable files. This could have allowed attackers to trick those applications to believe that malicious code was signed by Apple.

The vulnerability concerns the signature verification for Fat/Universal files, which can contain bundles of other Mach-O executable files. It was found by Josh Pitts, a researcher with identity firm Okta.

To exploit the flaw, attackers can create a Fat/Universal file in which the first Mach-O file is signed by Apple, but a secondary malicious file is “adhoc” signed. The bundle file’s header must also specify an invalid CPU Type for the exploit to work.

“Without passing the proper SecRequirementRef and SecCSFlags, the code signing API (SecCodeCheckValidity) will check the first binary in the Fat/Universal file for who signed the executable (e.g. Apple) and verify no tampering via the cryptographic signature; then the API will check each of the following binaries in the Fat/Universal file to ensure the Team Identifiers match and verify no tampering via containing cryptographic signature but without checking the CA root of trust,” Pitts said in a blog post.

Affected applications included VirusTotal’s scanner, Google’s Santa and molcodesignchecker, Facebook’s OSQuery, Objective Development’s LittleSnitch, F-Secure’s xFence, various applications by Objective-See (WhatsYourSign, ProcInfo, KnockKnock, LuLu and TaskExplorer), Yelp’s OSXCollector and Carbon Black’s Cb Response. The creators of these applications were notified in advance and issued patches.

“However, more third party security, forensics, and incident response tools that use the official code signing APIs are possibly affected,” Pitts said.

The researcher’s blog post contains a detailed explanation of the issue and proof-of-concept code that should allow developers to determine if their security applications are affected.

Lucian Constantin

Featured eBook
Identifying Web Attack Indicators

Identifying Web Attack Indicators

Attackers are always looking for ways into web and mobile applications. The 2019 Verizon Data Breach Investigation Report listed web applications the number ONE vector attackers use when breaching organizations. In this paper, we examine malicious web request patterns for four of the most common web attack methods and show how to gain the context and ... Read More
Signal Sciences

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin