A significant malware trend in 2018 is the relatively new "cryptojacking," in which hacker groups infiltrate victim computers to mine cryptocurrencies. The most affected coin by far is the privacy-focused Monero, as new research shows.
Monero – The Hacker’s Favourite Coin
Palo Alto Networks researchers scrutinized 630,000 instances of malicious cryptocurrency mining and identified the mining pools and wallet IDs allegedly used by the attackers.
Of that total, 531,000 instances mined XMR, making the privacy-centric coin the most frequently targeted of all observed cryptojacking.
Recently, the digital currency has gained ground on darknet markets because its anonymity features are stronger than those of the pioneering bitcoin. That popularity has also drawn cybercriminals to Monero, and its ease of mining on GPU devices adds to its appeal for hackers.
For the report, the researchers extracted 2,341 Monero wallet IDs and matched them to the mining pools known to be used by mining malware. Because the blockchain exposes transaction data by wallet ID, the researchers readily identified a total of 798,613.33 XMR mined by hackers, worth $96.7 million at the time of writing.
The actual figure may be even higher, as Josh Grunzweig, a senior malware researcher at Palo Alto Networks, noted in a blog post:
“One interesting note about the figure above is that the total Monero represented roughly 5% of all Monero in circulation at the time of writing. This doesn’t take into account web-based Monero miners, or Monero miners that we do not have visibility in. As such, we can assume that the actual percentage of Monero in circulation mined via malicious activity is higher.”
Only a Few Hackers with Large Stolen Hauls
While the fraudulent mining of Monero may seem lucrative, the statistics reveal otherwise.
Fifty-five percent of the analyzed wallets earned less than 0.01 XMR, and only 10 percent of all wallets earned more than 100 XMR. Ninety-nine wallets made off with over 1,000 XMR, and 16 wallets earned more than 10,000 XMR.
Grunzweig explained that malware authors cap the CPU utilization of their miners to avoid raising immediate red flags with common security programs, and configure them to run only while the user is inactive. As a result, the total hashrate of the observed malicious mining averages 19 MH/s, which translates to a maximum of $2,737 per day for the most successful attackers.
Malware Tricks Security Products
The researchers found that attackers were able to trick several existing and commonly used security products.
In particular, third-party security applications running on Apple's macOS were exposed to fraudulent mining software because those applications circumvented the mandatory code-signing APIs. As a result, an attacker could create a universal file in which the first binary is signed by Apple and the second, malicious binary is signed "ad-hoc."
Among the affected applications were Google's molcodesignchecker, Facebook's OSQuery, Objective Development's LittleSnitch, and Yelp's OSXCollector. The companies were notified of the loophole, and security patches were deployed swiftly.
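The universal-file weakness described above, as an added defensive example that is not code from the article, the report or any of the affected projects: a Python checker that classifies the code signature of every architecture slice of a fat Mach-O rather than only the first, distinguishing a slice with real CMS signature data from an ad-hoc one (whose CMS blob wrapper is empty or absent). The structure constants are the real Mach-O and code-signature layouts; the sample fat binary and its two minimal slices are constructed inline and are hypothetical.

```python
import struct

FAT_MAGIC, MH_MAGIC_64, LC_CODE_SIGNATURE = 0xCAFEBABE, 0xFEEDFACF, 0x1D  # <mach-o/fat.h>, <mach-o/loader.h>
CSMAGIC_EMBEDDED_SIGNATURE, CSMAGIC_BLOBWRAPPER = 0xFADE0CC0, 0xFADE0B01  # Apple cs_blobs.h
CSSLOT_SIGNATURESLOT = 0x10000  # SuperBlob slot that holds the CMS signature
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}

def fat_slices(data):  # yield (cpu name, slice bytes) for EVERY slice; a checker must not stop at the first
    magic, nfat = struct.unpack(">II", data[:8])  # the fat header is big-endian
    if magic != FAT_MAGIC:
        raise ValueError("not a fat binary")
    for i in range(nfat):
        cputype, _, off, size, _ = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
        if off + size > len(data):
            raise ValueError(f"slice {i} extends past end of file")
        yield CPU_NAMES.get(cputype, hex(cputype)), data[off:off + size]
def signature_kind(sl):
    """Classify one 64-bit slice as 'unsigned', 'ad-hoc' (no CMS data) or 'cms'."""
    if struct.unpack("<I", sl[:4])[0] != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O slice")
    pos, ncmds = 32, struct.unpack("<I", sl[16:20])[0]  # load commands follow the 32-byte header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", sl[pos:pos + 8])
        if cmd == LC_CODE_SIGNATURE:  # linkedit_data_command: dataoff, datasize (slice-relative)
            dataoff, datasize = struct.unpack("<II", sl[pos + 8:pos + 16])
            sb = sl[dataoff:dataoff + datasize]
            smagic, _, count = struct.unpack(">3I", sb[:12])
            if smagic != CSMAGIC_EMBEDDED_SIGNATURE:
                raise ValueError("malformed code-signature SuperBlob")
            for k in range(count):
                slot, boff = struct.unpack(">II", sb[12 + 8 * k:20 + 8 * k])
                if slot == CSSLOT_SIGNATURESLOT:  # an empty 8-byte wrapper means ad-hoc
                    bmagic, blen = struct.unpack(">II", sb[boff:boff + 8])
                    return "cms" if bmagic == CSMAGIC_BLOBWRAPPER and blen > 8 else "ad-hoc"
            return "ad-hoc"  # signed, but no CMS slot at all
        pos += cmdsize
    return "unsigned"
def _slice(cputype, cms):  # constructed minimal slice: header + LC_CODE_SIGNATURE + SuperBlob
    blob = struct.pack(">II", CSMAGIC_BLOBWRAPPER, 8 + len(cms)) + cms
    sb = struct.pack(">3I", CSMAGIC_EMBEDDED_SIGNATURE, 20 + len(blob), 1)
    sb += struct.pack(">II", CSSLOT_SIGNATURESLOT, 20) + blob
    hdr = struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 1, 16, 0, 0)
    return hdr + struct.pack("<4I", LC_CODE_SIGNATURE, 16, 48, len(sb)) + sb
def build_fat(slices):  # constructed fat container around (cputype, bytes) slices
    offs = [8 + 20 * len(slices) + sum(len(s) for _, s in slices[:i]) for i in range(len(slices))]
    archs = [struct.pack(">5I", c, 0, o, len(s), 0) for (c, s), o in zip(slices, offs)]
    return struct.pack(">II", FAT_MAGIC, len(slices)) + b"".join(archs) + b"".join(s for _, s in slices)

# Constructed sample: the arm64 slice carries CMS data, the x86_64 slice has an empty (ad-hoc) CMS wrapper
SAMPLE = build_fat([(0x0100000C, _slice(0x0100000C, b"\x30\x82\x00\x00")), (0x01000007, _slice(0x01000007, b""))])
```

A file is only as trustworthy as its weakest slice, so any verdict other than "cms" on any slice should be treated as not Apple-signed.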