The Ultimate Secret Data Hog – Cryptomining Malware

Are you already a victim of this data hog?

Sam Bocetta puts the word out about a new type of data hog and how to spot it. Sam Bocetta is a former naval contractor and security analyst. He’s now (mostly) retired and spends his days reading the classics and fly fishing with his grandkids. Sam can be reached on Linkedin:

Malware development, like legitimate software development, follows trends that are driven by factors well outside the tech industry.

Ransomware, for example, was the cyber bogeyman of 2017 and 2018 for the following reasons:

  • Spectacular attacks on high-value targets.
  • News media headlines.
  • The modernization of traditional crimes such as hijacking, extortion and ransom.
  • Availability of leaked cyber warfare weapons and techniques developed by American intelligence agencies (the EternalBlue exploit behind WannaCry and NotPetya being the best-known example).
  • The use of cryptocurrencies to deliver ransom payments.
  • Ransomware-as-a-Service platforms.

By early 2019, ransomware had thankfully lost some of its shine thanks to law-enforcement intervention, prosecutions and the information security community’s response; in other words, this particular malware threat is on a downward cycle.

As can be expected, a new threat has emerged to take ransomware’s spot at the top of the malware scoreboard, and it goes by the names cryptojacking or cryptomining malware.

Understanding Cryptojacking

Speaking of IT trends, let’s talk about Bitcoin trading: despite cryptocurrencies having endured more than a year of bear market conditions, they are still being bought, sold, exchanged, and mined for various reasons.

Bitcoin, the most valuable digital currency in the world, still carries a market cap of roughly $60 billion even after plunging from an all-time high near $20,000 in late 2017 to around $3,500 or lower in early 2019. Some investors remain hopeful that a rally similar to the one experienced in 2017 could materialize this year, and miners are holding even greater hopes.

As volatile as the cryptocurrency markets are, they present significant opportunities for profit, especially for those who mine tokens. In essence, mining entails putting considerable processing power and bandwidth to work on behalf of the blockchain that supports proof-of-work cryptocurrencies such as Bitcoin, Ethereum, Monero, and many others.

The blockchain is a decentralized, distributed ledger. In proof-of-work systems, miners bundle pending transactions into a candidate block and then search for a nonce that makes the block’s hash fall below a target set by the network; finding one is the “proof-of-work”, and the miner who presents it first earns the block reward plus transaction fees. The work is not complex mathematics but brute-force hashing, which is exactly why it consumes so much CPU and GPU time.

Cryptocurrency mining is not a “get rich quick” scheme by any means. With valuable tokens such as bitcoin, the barriers to entry include powerful hardware with efficient cooling systems, electricity, and broadband connections. These factors are combined into rigs that feature plenty of hash power and are fully dedicated to blockchain mining work.

It should be noted that hash power adds up across machines: mining pools hand each participant a slice of the search space and split the reward in proportion to the shares each contributes, so even a single modest device can contribute to a larger mining operation. That property is precisely what cryptojacking exploits.
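To make “proof-of-work” and “hash power” concrete, here is an added example (not code from the article) of the search loop a miner runs. It uses Bitcoin’s double-SHA-256 on a simplified header-plus-nonce encoding and a leading-zero-bits target; real networks encode the header and the target differently, but the search is the same. The header bytes are constructed for the example. It goes slightly beyond the text by also showing how a pool hands out nonce ranges to workers.

```python
"""Toy proof-of-work miner: the hashing loop that turns CPU time into hash power.

Added example, not code from the article. Double-SHA-256 over header||nonce with a
leading-zero-bits target; the header below is a constructed placeholder.
"""
import hashlib
from typing import Optional, Tuple


def block_hash(header: bytes, nonce: int) -> bytes:
    """Double SHA-256 of header || nonce (nonce encoded as 8 bytes little-endian)."""
    data = header + nonce.to_bytes(8, "little")
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """Valid when the digest, read as a 256-bit integer, is below 2**(256 - difficulty_bits),
    i.e. it starts with at least difficulty_bits zero bits."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine_range(header: bytes, difficulty_bits: int, start: int, stop: int) -> Optional[Tuple[int, int]]:
    """Search nonces in [start, stop), as a pool worker does with its assigned slice.
    Returns (nonce, hashes_tried) on success, or None if the slice holds no solution."""
    for nonce in range(start, stop):
        if meets_target(block_hash(header, nonce), difficulty_bits):
            return nonce, nonce - start + 1
    return None


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32) -> Tuple[int, int]:
    """Solo-mine: search the whole nonce space from zero."""
    result = mine_range(header, difficulty_bits, 0, max_nonce)
    if result is None:
        raise RuntimeError("nonce space exhausted; change the header (e.g. its timestamp) and retry")
    return result


def expected_hashes(difficulty_bits: int) -> int:
    """Expected hashes per solution: every extra bit of difficulty doubles the work."""
    return 1 << difficulty_bits


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a proof costs a single hash; that asymmetry is the point of proof-of-work."""
    return meets_target(block_hash(header, nonce), difficulty_bits)


if __name__ == "__main__":
    header = b"constructed example header: prev-hash|merkle-root|timestamp"
    for bits in (8, 12, 16, 20):
        nonce, tried = mine(header, bits)
        print(f"difficulty {bits:2d} bits: nonce={nonce:8d} hashes={tried:8d} "
              f"(expected ~{expected_hashes(bits)}) valid={verify(header, nonce, bits)}")
```

Each additional bit of difficulty doubles the expected number of hashes, while verifying a solution costs one hash. That is why mining is cheap to check and expensive to do, and why stolen CPU time is worth money to an attacker: a pool does not care whose electricity paid for the shares.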

IMAGE: Mining Rig

In the early days of Bitcoin, individuals could mine a few coins by running mining software on a laptop. As more hash power joined the network, the protocol’s difficulty adjustment pushed the target ever lower, solo mining on consumer hardware stopped paying, and large pools and ASIC farms took over.

By the time malicious hackers and cybercrime groups latched onto digital currencies, the development of cryptojacking was imminent. With cryptojacking, hackers inject malicious code into computing devices for the purpose of stealing hash power, meaning processing power, bandwidth and electricity, all with the goal of surreptitiously mining tokens.

Bitcoin is not a popular choice among cryptojackers: its difficulty and ASIC dominance make stolen CPU cycles almost worthless. Privacy-focused coins that can still be mined on ordinary CPUs, above all Monero, are preferred, and Monero’s opaque ledger also makes the proceeds hard to trace.

How Cryptojacking Malware Works
To a certain extent, cryptomining malware shares many characteristics with legacy spyware: it is delivered through clickbait or Trojan horse tactics, meaning victims believe they are installing software or running code that is harmless.

In some cases, cryptojacking malware is delivered through old-school network intrusion, exploiting an exposed, unpatched service or a weak remote-access credential, which is a more sophisticated and aggressive approach since it has to get past the perimeter and any firewall in front of the target.

The most common types of cryptojacking target personal computing devices such as desktops, laptops, tablets, and smartphones. It is not unreasonable to think that smart home appliances like the Samsung Family Hub refrigerators could be next since they are equipped with a motherboard running Android and many connectivity services. Such devices can be hit either by a persistent miner installed on the device or by browser-based mining: JavaScript injected into a web page, or shipped in a malicious browser extension, that mines for as long as the tab or browser stays open, with no installation at all.

As can be expected, cryptojacking attacks against business targets tend to be more powerful while at the same time being stealthier. A sophisticated cybercrime group targeting office networks or enterprise data centers may forgo browser-based miners in favour of rootkits, remote code execution, and hijacked virtual machines, where a miner can hide among legitimate compute load while the victim pays the bill. The most brazen attacks use social engineering to harvest credentials and set up fake intranet pages.

Once installed, cryptojacking malware turns the victim’s CPU and GPU into hash power for the attacker’s mining pool. According to a report published by a respected information security firm, 37 percent of corporate networks were impacted by cryptojacking activity in 2018.

More than 20 percent of business IT security departments are detecting cryptojacking attempts on a weekly basis. Companies that implement “bring your own device” policies are at greater risk.

Cryptojacking Detection

The first line of defense against cryptojacking is monitoring. A miner has to keep a connection open to its pool to receive work and submit shares, so watch the network connections between devices and the internet, and watch for CPU that stays pegged with no obvious reason.

Network monitoring is a security strategy widely used in the enterprise world, but it is also available at the personal computing level with smart firewall apps that notify users of suspicious activity, intrusions, high CPU usage, and unusual data usage. It is important to note that cryptojacking crews will not ignore mobile devices, since they are powerful enough to generate hash power and contribute to their wicked trade.
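The following added example (not from the article or from GlassWire) shows what “monitoring network connections” can look like in practice. A miner talks to its pool with the Stratum protocol: JSON-RPC messages over a raw TCP socket, typically opening with a `mining.subscribe` call (Bitcoin-style pools) or a `login` call (Monero pools and XMRig) that advertises the miner software. The detector below runs over a constructed connection log; the log format, host names, addresses and the pool-port watch list are assumptions made for the example.

```python
"""Heuristic cryptojacking detector run over constructed connection-log lines.

Added example, not code from the article. Looks for the Stratum mining protocol
(JSON-RPC over a raw TCP socket) that miners use to talk to their pool. The log
format, hosts, addresses and the port watch list are assumptions for the example.
"""
import json
import re
from typing import Dict, List, Optional

# Stratum JSON-RPC method names. "mining.*" is Stratum v1 (Bitcoin-style pools);
# "login"/"submit"/"job"/"keepalived" is the dialect spoken by Monero pools and XMRig.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",
    "login", "submit", "job", "keepalived",
}

# Ports frequently used by public mining pools (assumption: a local watch list,
# not an authoritative registry). A hit here is only a weak signal on its own.
SUSPECT_POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 9999, 14433, 14444}

# Constructed log format: one outbound connection per line plus the first bytes
# the client sent, roughly as an endpoint agent or transparent proxy might record it.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+) payload=(?P<payload>.*)$"
)


def parse_jsonrpc(payload: str) -> Optional[dict]:
    """Return the decoded object if the payload is a JSON-RPC style call, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if (isinstance(msg, dict) and isinstance(msg.get("method"), str)
            and ("id" in msg or "jsonrpc" in msg)):
        return msg
    return None


def miner_agent(msg: dict) -> Optional[str]:
    """Extract the miner software string a Stratum handshake advertises, if present."""
    params = msg.get("params")
    if msg["method"] == "login" and isinstance(params, dict):
        agent = params.get("agent")  # Monero/XMRig dialect: {"login":..., "pass":..., "agent":...}
        return agent if isinstance(agent, str) else None
    if msg["method"] == "mining.subscribe" and isinstance(params, list):
        return params[0] if params and isinstance(params[0], str) else None  # ["cpuminer/2.5.0"]
    return None


def analyze_line(line: str) -> Optional[Dict]:
    """Score one log line. Returns a finding for suspicious lines, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    port = int(m["port"])
    msg = parse_jsonrpc(m["payload"])
    reasons: List[str] = []
    severity = None
    if msg is not None and msg["method"] in STRATUM_METHODS:
        severity = "high"  # protocol evidence: a miner is talking to a pool
        reasons.append(f"stratum method {msg['method']}")
        agent = miner_agent(msg)
        if agent:
            reasons.append(f"miner agent {agent}")
    elif msg is not None and port in SUSPECT_POOL_PORTS:
        severity = "medium"  # JSON-RPC to a pool-style port with an unknown method: investigate
        reasons.append(f"json-rpc to pool-style port {port}")
    if severity is None:
        return None  # a bare port match or ordinary traffic is not worth an alert
    return {
        "ts": m["ts"], "host": m["host"], "proc": m["proc"],
        "dst": f"{m['ip']}:{port}", "severity": severity, "reasons": reasons,
    }


def scan(lines: List[str]) -> List[Dict]:
    """Run the detector over log lines and return the findings in log order."""
    return [f for f in (analyze_line(line) for line in lines) if f is not None]


# Constructed sample log (RFC 5737 documentation addresses; wallet is a placeholder).
SAMPLE_LOG = [
    '2019-02-11T09:14:03Z host=ws-017 proc=svchost.exe dst=203.0.113.7:14444 '
    'payload={"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"example-monero-wallet","pass":"x","agent":"XMRig/2.14.1"}}',
    '2019-02-11T09:14:05Z host=ws-017 proc=chrome.exe dst=198.51.100.20:443 payload=\\x16\\x03\\x01 (TLS ClientHello)',
    '2019-02-11T09:15:41Z host=build-02 proc=minerd dst=203.0.113.9:3333 '
    'payload={"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}',
    '2019-02-11T09:16:10Z host=db-01 proc=java dst=192.0.2.44:4444 payload={"id":7,"jsonrpc":"2.0","method":"ping"}',
    '2019-02-11T09:17:22Z host=ws-003 proc=python dst=192.0.2.80:8888 payload=GET /api/health HTTP/1.1',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Protocol evidence (a Stratum method) is scored high; JSON-RPC to a pool-style port with an unknown method is medium; a port match alone produces no alert, because too many legitimate services live on those ports. Pools increasingly accept Stratum over TLS, in which case the payload is not visible and the remaining indicators are the destination, the process that made the connection, and the sustained CPU load on the host.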

Aside from monitoring and detection, cryptojacking can be reduced with safe computing practices, one of which is using a virtual private network on networks you do not control. It is not unreasonable to think of public Wi-Fi hotspots being taken over by hackers for the purpose of distributing mining malware: whoever controls the hotspot can inject mining JavaScript into any unencrypted (HTTP) page you load, and a VPN tunnel takes that opportunity away. A VPN does nothing against a miner that is already installed or a malicious extension, so keep the browser and operating system patched as well, and consider a script blocker or a blocklist of known mining domains in the browser.

To this effect, always protect your computer by using standard security measures when accessing public networks: firewall protection (such as GlassWire), antivirus scanners, and a no-logging VPN service. This is especially important when connecting to an enterprise network from your personal computing device, so as to avoid exposing the entire network to remote attack.


Security – It’s all about layers


by Chris Taylor, President, Ottawa PC Users’ Group

I once heard, “The only secure computer is encased in concrete and dropped in the middle of the ocean. And even then, I am not really sure.” There is no such thing as absolute computer security; it’s all about layers. If one security layer fails, you hope another layer will provide the protection you need.

In the beginning (i.e. the mid 1980s), personal computer security focussed on antivirus. The aim was to block known bad programs from running on your computer. With few personal computers networked, viruses spread slowly. Back then, antivirus signature files were updated about once a month and that actually served us pretty well.

In the 1990s, Internet connectivity grew exponentially, as did security threats. Even Microsoft understood (albeit a little late) that more than just antivirus was needed: Windows XP shipped with a basic Internet Connection Firewall in 2001, but it was off by default until Windows XP SP2 turned it on for everyone in August 2004.

In January 2003, the SQL Slammer worm spread to 90% of all vulnerable hosts world-wide in the first 10 minutes after release. It exploited a vulnerability for which a patch (MS02-039) had been available for 6 months. Vulnerability management was born in the realization that few users would, or indeed could reasonably be expected to, keep all their software up-to-date with security patches.

The fundamental concepts behind antivirus, firewalls, and patch management have not changed over the years. But each has become more complex.

Blocking “known bad” with antivirus signature files is arguably essential. But now, with more than 10 million new malware variants per month, it is not enough. Antivirus programs use heuristics to catch unknown malware. More and more are using behaviour-based, real-time blocking techniques to stop new malware before you get updated virus signature files.

To this day, the firewall built into Windows (now called Windows Defender Firewall) is, by default, aimed solely at preventing unsolicited inbound connections from getting through. Outbound filtering does exist in the “Windows Defender Firewall with Advanced Security” console, but the default outbound action is Allow and Windows never prompts you when a program first reaches out to the Internet; that is the capability found in GlassWire. While people who read GlassWire’s Cybersecurity News are likely to be able to handle issues regarding computer security, Microsoft does not want to deal with even a very small fraction of their billions of users not being able to figure out if some program should be permitted to access the Internet.

Vulnerability management has evolved. Microsoft’s Windows Update service has matured since it was introduced with Windows 98. While not problem-free, Windows Update is remarkably robust. Other vendors have added self-updating capabilities and most are quite reliable. Unfortunately, a lot of vendors don’t include automatic updating capabilities. I should add that my biggest concern is about patching security vulnerabilities, not feature updates.

Secunia Personal Software Inspector, which was bought a number of years ago by Flexera, was a wonderful vulnerability management program. PSI tracked over 20,000 programs for security vulnerabilities and patches. Unfortunately, that program went end-of-life in April 2018. I have yet to find a good replacement for PSI. Some former employees of Secunia are building a new vulnerability management program, so hope remains.

Computer security goes well beyond these technical safeguards, but I think antivirus, firewalls, and vulnerability management represent the bedrock of computer security. Every computer user should embrace all three and watch for advancements in each to keep ahead of the latest threats.

About Chris Taylor: Chris is on the Community Review Board for the SANS OUCH! security awareness newsletter designed for everyone, and we’re excited about his second contribution to the GlassWire newsletter!