Rise of the Cryptominers

As cryptocurrencies continue to increase in value, cryptomining becomes increasingly lucrative. With Bitcoin nearing $18,000 USD per BTC, speculation is rising that other cryptocurrencies such as Ethereum and Monero may eventually hit that mark. Monero is especially interesting because one of its primary advantages is the relatively low processing power needed to mine it: its proof-of-work was designed to be mined efficiently on ordinary CPUs rather than requiring GPUs or ASICs. Because it can be mined even on consumer-grade computers, many organizations have tried to capitalize on this property of the currency.

Launched in September of this year, Coinhive is a service that has already transformed the internet in its short life. Coinhive provides a JavaScript library and API: a site operator embeds a small script and a site key, and every visitor's browser mines Monero for that key for as long as the page stays open, with no account, wallet or consent on the visitor's side. Monero aims to improve on existing cryptocurrency design by obscuring the sender, recipient and amount of every transaction, and by making mining more egalitarian through lower processing costs. Though Coinhive as an organization has said it wants users to come up with new uses for the service, it is hard to imagine it wanted those uses to include apps that go on to be abused. When programs make no reference to cryptomining at all, how are consumers supposed to make educated choices about their best options?

Coinhive isn't the only game in town. Crypto-Loot, launched in October of this year, similarly lets site operators embed API calls that have their end users mine Monero, either silently or with disclosure. With Monero's emphasis on privacy and the distributed nature of its mining, how can we accurately gauge its adoption and measure its use?

How Deep Do These Mines Go?

Trying to understand how much cryptomining is going on is challenging. Because several organizations offer anonymous mining, it is hard to say definitively how much is being done. A quick search of the top million domains for pages loading Coinhive's miner, using a service such as censys.io, reveals nearly 1,000 domains currently mining Monero with the resources of their visitors. The same lookup for Crypto-Loot reveals another hundred hosts monetizing their users. Most of these domains are streaming or torrent websites, where visitors stay longer than the median of 1 minute and 50 seconds seen across sites. We have observed an average of 250 visitors every hour to these domains. The torrent sites that have adopted cryptominers are banking on the number of visitors rather than the length of each visit:

Presence of CoinHive cryptominer on kickass[.]cd

DNS requests per hour for kickass[.]cd as seen through Investigate
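The chart above is a per-hour view of lookups for one site. The same data, seen from the resolver side, also tells you which of your own clients are mining and which page triggered it: a client resolves the page's domain and, within a second or two, the miner's domain. The script below reproduces that per-hour count and the attribution over a handful of log lines. It is an added example and not Cisco Umbrella's or Investigate's code; the log format, the client addresses and the hostnames under coinhive.com and crypto-loot.com (ws001.coinhive.com and so on) are constructed placeholders, not a claim about real pool infrastructure.

```python
"""Flag DNS clients that resolve browser-miner infrastructure, count those
lookups per hour, and attribute each one to the site likely embedding the miner.

Added example, not Cisco Umbrella's or Investigate's code. Log format
("<timestamp> <client> <queried name>"), client addresses and the hostnames
under the two apex domains are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The two services the post names. Any name under these apexes counts.
MINER_APEX = ("coinhive.com", "crypto-loot.com")

# Constructed sample log. notcoinhive.com is there to prove substring matching
# would be wrong; ws00x names are placeholders for pool hosts.
SAMPLE_LOG = """\
2017-12-11T09:02:11Z 10.0.0.5 kickass.cd
2017-12-11T09:02:12Z 10.0.0.5 coinhive.com
2017-12-11T09:02:13Z 10.0.0.5 ws001.coinhive.com
2017-12-11T09:40:02Z 10.0.0.7 example.org
2017-12-11T10:15:44Z 10.0.0.9 crypto-loot.com
2017-12-11T10:15:45Z 10.0.0.9 notcoinhive.com
2017-12-11T10:16:00Z 10.0.0.5 ws002.coinhive.com
"""


def miner_apex_for(qname):
    """Return the miner apex domain that qname belongs to, or None.

    Matches on label boundaries and ignores case and a trailing dot, so
    ws001.coinhive.com matches but notcoinhive.com does not.
    """
    name = qname.lower().rstrip(".")
    for apex in MINER_APEX:
        if name == apex or name.endswith("." + apex):
            return apex
    return None


def parse_log(text):
    """Parse the constructed log into (datetime, client, qname) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname))
    return rows


def miner_queries_per_hour(text):
    """{(hour, apex): count}: the 'requests per hour' view from the chart."""
    counts = defaultdict(int)
    for ts, _client, qname in parse_log(text):
        apex = miner_apex_for(qname)
        if apex:
            counts[(ts.strftime("%Y-%m-%dT%H"), apex)] += 1
    return dict(counts)


def attribute_miner_lookups(text, window=timedelta(seconds=5)):
    """For each miner lookup, name the last non-miner domain the same client
    resolved within `window`: the page that most likely embeds the miner.

    Returns [(client, miner_qname, candidate_site_or_None)] in time order.
    A miner lookup with no recent page lookup (cached page, long-lived tab)
    is reported with None rather than guessed.
    """
    last_site = {}  # client -> (timestamp, last non-miner qname)
    hits = []
    for ts, client, qname in sorted(parse_log(text)):
        if miner_apex_for(qname):
            prev = last_site.get(client)
            site = prev[1] if prev and ts - prev[0] <= window else None
            hits.append((client, qname, site))
        else:
            last_site[client] = (ts, qname)
    return hits


if __name__ == "__main__":
    for key, n in sorted(miner_queries_per_hour(SAMPLE_LOG).items()):
        print(key, n)
    for hit in attribute_miner_lookups(SAMPLE_LOG):
        print(hit)
```

The attribution window is deliberately short: the miner script is fetched as the page loads, so a miner lookup more than a few seconds after the last page lookup from that client is more likely a pool reconnect from a tab that is still open, which is worth knowing separately.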

Since less time spent on a page means fewer hashes, and therefore fewer coins, not every website can use cryptomining scripts efficiently. In some cases less friendly scripts are used, and your PC keeps mining even after you have left the page or closed the browser, typically by opening a small pop-under window hidden behind the taskbar so that the browser process is still running although every visible window is closed. Two other malicious cryptojacking events took place earlier this month: the cryptojacking of the WiFi at Argentinian Starbucks stores, and the embedding of cryptomining scripts in GitHub repositories.

There’s Crypto In Them Thar Platforms

As we have seen, the ability to embed API calls has opened new avenues for mining. Making the leap from browsers to apps should not be a total surprise, and with nearly 50 cryptomining apps legitimately in the Play Store for Android, we should expect to see more of these in the future. For apps found outside normal distribution channels, or apps that do not disclose that they mine, this raises the question of what the appropriate security stance should be.

By itself, cryptomining should not be seen as malicious. There is no exfiltration of data or credentials as there is in phishing attacks, the user's hardware and software are not changed or damaged in most cases, and both the Coinhive and Crypto-Loot miners only tie up resources for as long as the browser window or tab is open. Once it is closed, those resources are returned to the computer. Those resources, specifically the CPU time, power and bandwidth, are much more impactful on a mobile device than on a home computer. In the US, mobile plans often have data caps and users are encouraged to use WiFi when possible. If an app is cryptomining on a cellular plan, end users could quickly eat into their data caps and incur extra charges from their cellular provider. Similarly, home computers draw on AC power, but the point of a mobile device is to go with you without the need for cords. If an app on a phone is mining in the background, battery life will be severely diminished.

Panning for Crypto

To this end, Cisco Umbrella's Security Research team classifies sites observed to be cryptominers as "potentially harmful", an optional security category that Umbrella users can choose to block. Because mining is not inherently malicious, we do not believe that blocking the domains that host such services outright is the appropriate response. However, many domains that use cryptomining scripts do not disclose this to their users, and the miners benefit unknown entities. Domains that disclose their mining to users, for example through a CAPTCHA, may have this categorization changed.
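The distinction drawn here, an embedded miner versus a miner the visitor is told about, can be checked from page content. Both services described earlier load a script from their own domain and then call a constructor with the operator's site key; Coinhive's CAPTCHA widget is the disclosed form. The classifier below takes fetched HTML and returns the service, site key, throttle and a verdict in the spirit of the categories above. It is an added example, not Coinhive's, Crypto-Loot's or Cisco Umbrella's code. The loader paths and constructor names (coinhive.min.js and CoinHive.Anonymous, captcha.min.js and the coinhive-captcha class, miner.min.js and CRLT.Anonymous) are the publicly documented ones as of late 2017 and should be treated as assumptions to refresh against current samples; the HTML snippets and site keys are constructed.

```python
"""Classify a fetched page by the browser miner it embeds and whether the
mining is disclosed to the visitor.

Added example; not Coinhive's, Crypto-Loot's or Cisco Umbrella's code. Loader
URLs and constructor names are assumptions based on the services' public
documentation in late 2017. All HTML samples and site keys are constructed.
"""
import re

# Loader scripts, one per service. A page can load these and start the miner
# from a separate file, so a loader alone is only a lead, not a verdict.
LOADER = {
    "coinhive": re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I),
    "crypto-loot": re.compile(r"crypto-loot\.com/lib/miner(?:\.min)?\.js", re.I),
}
# Mining constructors: once called with a site key, the visitor's CPU mines
# for that key. Handles both `X.Anonymous(...)` and the `X['Anonymous'](...)`
# spelling that lightly obfuscated embeds use. Identifiers are case-sensitive.
STARTER = {
    "coinhive": re.compile(
        r"CoinHive\s*(?:\.\s*|\[\s*['\"])(Anonymous|User|Token)['\"]?\s*\]?"
        r"\s*\(\s*['\"]([A-Za-z0-9]+)['\"]"),
    "crypto-loot": re.compile(
        r"CRLT\s*(?:\.\s*|\[\s*['\"])(Anonymous)['\"]?\s*\]?"
        r"\s*\(\s*['\"]([A-Za-z0-9]+)['\"]"),
}
# Coinhive's CAPTCHA widget tells the visitor that hashes are being computed,
# which is the disclosure the post says can change the categorization.
DISCLOSURE = re.compile(
    r"coinhive\.com/lib/captcha(?:\.min)?\.js|class=['\"]coinhive-captcha['\"]", re.I)
# Fraction of time the miner idles (Coinhive's documented meaning); 0 = full CPU.
THROTTLE = re.compile(r"throttle\s*:\s*([0-9]*\.?[0-9]+)")


def classify_page(html):
    """Return {service, flavour, site_key, throttle, disclosed, verdict}.

    verdict is one of: "clean", "disclosed", "potentially harmful", "review".
    """
    result = {"service": None, "flavour": None, "site_key": None,
              "throttle": None, "disclosed": bool(DISCLOSURE.search(html)),
              "verdict": "clean"}
    for service, loader in LOADER.items():
        if loader.search(html):
            result["service"] = service
            break
    for service, starter in STARTER.items():
        m = starter.search(html)
        if m:
            result["service"] = result["service"] or service
            result["flavour"], result["site_key"] = m.group(1), m.group(2)
            break
    t = THROTTLE.search(html)
    if t:
        result["throttle"] = float(t.group(1))

    if result["site_key"]:
        # A start call with a key is silent mining even if a CAPTCHA is also present.
        result["verdict"] = "potentially harmful"
    elif result["disclosed"]:
        result["verdict"] = "disclosed"
    elif result["service"]:
        # Loader present, start call probably in an external script: inspect it.
        result["verdict"] = "review"
    return result


# Constructed samples; site keys are placeholders, not real keys.
SAMPLES = {
    "silent_coinhive": """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('ExampleSiteKey0123456789abcdef', {throttle: 0.3});
  miner.start();
</script></head><body>Stream here</body></html>""",
    "captcha_only": """<html><body>
<script src="https://coinhive.com/lib/captcha.min.js" async></script>
<div class="coinhive-captcha" data-hashes="1024" data-key="ExampleSiteKey0123456789abcdef"></div>
</body></html>""",
    "obfuscated_cryptoloot": """<script src='//crypto-loot.com/lib/miner.min.js'></script>
<script>var m=new CRLT['Anonymous']("0123456789abcdef0123456789abcdef");m.start();</script>""",
    "loader_only": """<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script src="/static/app.js"></script>""",
    "clean": "<html><body><p>No miner here.</p></body></html>",
}


def classify_all(samples=SAMPLES):
    """Verdict per sample name."""
    return {name: classify_page(html)["verdict"] for name, html in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:24s} {verdict}")
```

The "review" verdict matters in practice: operators who want to hide the miner put the start call in their own bundled JavaScript, so a scanner that only looks at the HTML document would miss them. Extracting the site key is worth the extra regex group, since one key reused across many unrelated domains is the fingerprint of a cryptojacking campaign rather than a site monetizing itself.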

Claim Jumpers

It's a different story with software-based cryptominers like Adylkuzz, and with cryptojacking. Adylkuzz is effectively a trojan that uses the ETERNALBLUE exploit and the DOUBLEPULSAR backdoor to install cryptocurrency mining software on the infected system. For our purposes, cryptojacking is the compromise of a website for the purpose of placing a JavaScript miner on it without the owner's knowledge. Connections to such domains are considered malicious and are blocked as malware.

The Next Gold Rush

With cryptocurrency in the news more and more often these days, scrutiny and speculation are beginning to rise. What will happen in the next few years that might impact these emerging technologies and techniques? Two recent events point to a great deal more intervention from government.

In Venezuela, the government recently announced that it would launch a cryptocurrency of its own, the "petro". Like other cryptocurrencies, it has been created to serve a need that conventional currencies cannot. That need, however, is quite unique: circumventing sanctions imposed by nation-states such as the U.S.

In America, conversely, a new bill has been introduced that has some bitcoin traders worried about its overly broad language: S. 1241 takes aim at counterfeiting and money laundering, but undefined phrases such as "digital currency" and expansive provisions such as "No person shall knowingly conceal, falsify, or misrepresent, or attempt to conceal, falsify, or misrepresent, from or to a financial institution, a material fact concerning the ownership or control of an account or assets held in an account with a financial institution" are a cause for concern for some.

It’s impossible to say with accuracy where the future will take cryptocurrencies or cryptominers, but they’re almost certainly here to stay. As the internet continues to evolve in its third decade of existence, enterprising individuals will always be looking for the next motherlode, taking advantage of a landscape that others can’t see.
