2018 AKA The Year When Crypto-focused Malware Became The New Standard
They say it ain’t good if nobody wants to steal it - by that logic, crypto is in a massive fundamental bull run. While crypto malware was still rarely reported in 2017, in 2018 it is clear that cryptocurrency malware development has become a legitimate career path, much like credit card cloning in Brazil.
Best way to get your crypto stolen
Judging by the buzz of the past weeks, it would be easy to conclude that the biggest threat to your crypto wallets comes from email impostors and online download sites:
- Here, an email attachment trojan that harvests Coinbase credentials and installs a crypto miner
- An example of a bundle of trojans in a bogus “hack app” - the kind of app people install when they don’t want to pay for the real deal
- And here, a legitimate-looking Android app that hides a crypto trojan
The truth is, though, that the easiest way to lose the crypto in your wallet is to keep your main wallets on a computer that you also use for browsing dodgy, ad-heavy sites, grabbing torrents and downloading new software.
This is nothing new: we made a post about it, and Andreas Antonopoulos also recommends a tiered device setup (he was a computer scientist before he became a crypto demigod). The crypto malware business does seem to be growing, though.
Before the 2017 bull run, people didn’t care
Now there is a big community of computer security professionals and enthusiasts who essentially work as hunters. They spend a lot of time analyzing attacks, luring malicious actors into honeypots and reporting everything on blogs and forums. It is a good system, but it has a way of letting the unknown unknowns pass through.
So while everyone raves about crypto-related malware booming in 2018, there is a chance it simply wasn’t in the spotlight before.
Two years of undisturbed bitcoin collection
In March 2018 ESET published a report on its blog about a trojan bundled into multiple downloads hosted on download.cnet.com, a software download portal with an Alexa rank of 163. What caught the researcher’s attention was an alarmed user on r/Monero asking for help after noticing that the cryptocurrency addresses he copied and pasted were being overwritten - the classic signature of a clipboard hijacker.
The culprit was a trojanized Win32 Disk Imager hosted on CNET that had been collecting cryptocurrency since 2016 without interruption! In total, some 4500 users downloaded this infected application, and more downloaded a trojanized CodeBlocks IDE and a trojanized Windows port of GCC uploaded by the same CNET user.
CNET removed the apps once ESET notified them, after two years of undisturbed activity.
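The address-overwriting behaviour described above is cheap to spot if you watch for it. The following is an added example written for this post, not code from ESET’s report or from the trojan itself: it classifies clipboard contents by address shape, verifies the Base58Check checksum of legacy Bitcoin addresses (so a mangled paste is rejected before you hit send), and runs a simple clipper heuristic over a constructed sequence of clipboard polls. The rule it applies is an assumption of mine: a human rarely copies two different addresses of the same coin within a second, so an address-to-different-address change inside that window is treated as a swap. The addresses in the sample are public, well-known example addresses standing in for the victim’s and the attacker’s.

```python
import hashlib
import re

# Address shapes used to classify clipboard text. Legacy Bitcoin (Base58Check),
# Ethereum (hex) and Monero (95-char Base58) only; illustrative, easy to extend.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def address_type(text):
    """Return 'BTC', 'ETH', 'XMR' or None for arbitrary clipboard text."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def b58decode(s):
    """Decode a Base58 string to bytes, keeping one leading zero byte per leading '1'."""
    n = 0
    for ch in s:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError("invalid Base58 character %r" % ch)
        n = n * 58 + digit
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def btc_address_checksum_ok(addr):
    """Verify the Base58Check checksum of a legacy (P2PKH/P2SH) Bitcoin address."""
    try:
        raw = b58decode(addr.strip())
    except ValueError:
        return False
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def detect_clipper_swaps(events, window_ms=1000):
    """Heuristic over (timestamp_ms, clipboard_text) polls.

    Flags a change from one address to a *different* address of the same coin
    within window_ms: the pattern a clipboard hijacker produces when it rewrites
    what the user just copied. Non-address content resets the state.
    """
    findings = []
    last_addr, last_kind, last_t = None, None, None
    for t, content in events:
        kind = address_type(content)
        if kind is None:
            last_addr, last_kind, last_t = None, None, None
            continue
        addr = content.strip()
        if (last_addr is not None and kind == last_kind
                and addr != last_addr and t - last_t <= window_ms):
            findings.append({"t": t, "type": kind,
                             "copied": last_addr, "replaced_with": addr})
        last_addr, last_kind, last_t = addr, kind, t
    return findings


# Public, well-known example addresses (Bitcoin genesis-block address and a
# Bitcoin wiki documentation address); they stand in for victim and attacker.
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
ATTACKER_ADDR = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"

# Constructed clipboard poll log: (milliseconds, clipboard content).
SAMPLE_EVENTS = [
    (0, "meeting notes for tuesday"),
    (1200, GENESIS_ADDR),      # user copies the intended destination
    (1350, ATTACKER_ADDR),     # 150 ms later a different BTC address: swap
    (9000, "0x" + "ab" * 20),  # unrelated ETH address copied much later
    (9800, GENESIS_ADDR),      # different coin than previous poll: not a swap
]

if __name__ == "__main__":
    print("genesis checksum ok:", btc_address_checksum_ok(GENESIS_ADDR))
    print("mangled checksum ok:", btc_address_checksum_ok(GENESIS_ADDR[:-1] + "b"))
    for hit in detect_clipper_swaps(SAMPLE_EVENTS):
        print("possible clipper swap:", hit)
```

On a real system the event list would come from polling the clipboard; the checksum check alone already catches a typo or a partially corrupted paste, but not a clipper, since the attacker’s address is a perfectly valid one. That is why the destination itself has to be compared against what you intended to send to.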
Trusted resources then?
A more ethically palatable way for people to get their hands on crypto is covert mining. In a recent post on securelist.com the author analyzes a whole batch of Android apps with an XMR miner hidden inside. Some of the apps request device administrator permissions so they cannot be uninstalled easily, and while they don’t steal crypto, some mine so aggressively that the phone eventually breaks down physically.
And then there’s the cherry on top: if you know your way around, you can hijack corporate resources. Here csoonline.com reports how the financial impact shoots up if a crypto miner in a datacenter goes undetected to the point where the mining starts damaging the hardware.
Imagine all the sysadmins with crushed souls who can now get corporate sponsorship. Sounds very Fight Club, right?
The bigger business is of course in external threats. Kaspersky Lab expects that in 2018 cryptojacking will move towards targeting specific businesses; old ransomware is reportedly being repurposed for mining, and here the Trend Micro blog uncovered how patch lags are exploited to mine crypto on a company’s bill.
With corporate infrastructure hijacking already happening, and given that crypto-related malware is hard to detect, this is not a good time to rely solely on downloads from trusted sources either. Here is an example of a fileless miner that targets servers and, at the time of the report, went undetected by all common antivirus/security vendors.
The best way to protect your crypto is 1) to always double-check the full address, not just its first few characters, when you are sending crypto, and 2) to keep your wallets on devices that are as clean as possible. A dedicated burner phone or tablet is not a big inconvenience.
There’s an opportunity, too
How to get rich if you’re an app developer?
- Put together the quickest app you can, maybe something for downloading wallpapers or whatever.
- Add a Monero mining script to it. Add a routine that checks for overheating so you can milk the phone longer.
- Publish the app online.
Or you can develop an app that detects crypto miners and crypto stealers. Stealers are literally a couple of lines of code, and miners are a piece of JS calling home somewhere; both can easily pass undetected. Before the big corporations rearrange their management resources to develop and market a solution for this, there might be an opportunity for a small company to establish itself.
You have to do it right, though: there is a bunch of anti-miner extensions for Google Chrome developed by anonymous people under random Gmail addresses, far less known than ad blockers, and then there’s the Brave browser, which blocks crypto miners but has YouTube ads all over the place. That’s a missed opportunity for these small fish: without gaining some form of audience they get eaten.
Some vendors are now working on solutions based on detecting suspicious communication, but there is still a lot to be done. Citing csoonline.com again:
Cryptojacking is in the early stages. If a company spots one type of attack, there are four or five others that will get by. “If there’s something that could potentially stop crypto miners, it would be something like a well-trained neural network,” Lopez-Penalver says.
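Detecting the miner by its communication, as the vendors quoted above are attempting, is tractable because miners speak a very recognisable protocol to their pool. The block below is an added example for this post and is not code from csoonline.com or from any vendor mentioned: it scores constructed outbound connection records (source, destination, port, first payload bytes, and the owning process command line) for Stratum JSON-RPC methods, stratum:// pool URLs, well-known miner agent strings and common pool ports. The method list, port list, weights and threshold are my own assumptions for illustration; the point the example makes is that a pool port alone is weak evidence and should not fire by itself.

```python
import json
import re

# JSON-RPC methods spoken by Stratum mining clients: the Bitcoin-style
# "mining.*" family and the Monero/CryptoNote "login"/"submit"/"getjob" dialect.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit", "mining.notify",
    "mining.set_difficulty", "login", "submit", "getjob", "job", "keepalived",
}
# TCP ports commonly exposed by public pools; weak evidence on their own (assumed list).
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444, 14433}
STRATUM_URL = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)
MINER_AGENT = re.compile(r"xmrig|xmr-stak|cpuminer|ccminer|claymore|minerd", re.IGNORECASE)


def stratum_method(payload):
    """Return the Stratum method name if payload is a JSON-RPC mining message, else None."""
    try:
        msg = json.loads(payload)
    except (ValueError, TypeError):
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if isinstance(method, str) and method in STRATUM_METHODS:
        return method
    return None


def score_connection(conn):
    """Score one outbound connection record; returns (score, reasons). Weights are assumed."""
    score, reasons = 0, []
    payload = conn.get("payload", "")
    cmdline = conn.get("cmdline", "")
    method = stratum_method(payload)
    if method:
        score += 60
        reasons.append("stratum method %r" % method)
    if STRATUM_URL.search(payload) or STRATUM_URL.search(cmdline):
        score += 40
        reasons.append("stratum pool URL")
    if MINER_AGENT.search(payload) or MINER_AGENT.search(cmdline):
        score += 30
        reasons.append("known miner agent string")
    if conn.get("dport") in COMMON_POOL_PORTS:
        score += 10  # never enough to alert on its own
        reasons.append("common pool port %d" % conn["dport"])
    return score, reasons


def find_miners(connections, threshold=50):
    """Return the records scoring at or above threshold, with score and reasons."""
    hits = []
    for conn in connections:
        score, reasons = score_connection(conn)
        if score >= threshold:
            hits.append({"src": conn["src"], "dst": conn["dst"], "dport": conn["dport"],
                         "score": score, "reasons": reasons})
    return hits


# Constructed sample data: a Monero-style Stratum login as a miner would send it.
XMR_LOGIN = json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                        "params": {"login": "4" + "A" * 94, "pass": "x",
                                   "agent": "XMRig/2.5.2"}})

# Constructed connection records (not captured traffic).
SAMPLE_CONNECTIONS = [
    {"src": "10.0.5.21", "dst": "198.51.100.7", "dport": 3333,
     "payload": XMR_LOGIN, "cmdline": "/tmp/.x/svc"},                  # miner
    {"src": "10.0.1.10", "dst": "203.0.113.9", "dport": 443,
     "payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", "cmdline": "firefox"},
    {"src": "10.0.2.15", "dst": "10.0.2.200", "dport": 8080,
     "payload": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "getBalance"}),
     "cmdline": "java -jar billing.jar"},                               # benign JSON-RPC
    {"src": "10.0.5.22", "dst": "198.51.100.8", "dport": 4444, "payload": "",
     "cmdline": "/tmp/.cache/svc -o stratum+tcp://pool.example.net:4444"},  # TLS, URL in argv
    {"src": "10.0.3.3", "dst": "192.0.2.44", "dport": 3333,
     "payload": "SSH-2.0-OpenSSH_7.4", "cmdline": "ssh"},               # pool port, not mining
]

if __name__ == "__main__":
    for hit in find_miners(SAMPLE_CONNECTIONS):
        print("%(src)s -> %(dst)s:%(dport)d score=%(score)d %(reasons)s" % hit)
```

Of the five constructed records, only the first (Stratum login plus miner agent plus pool port) and the fourth (pool URL in the process arguments plus pool port) cross the threshold; the benign JSON-RPC call and the SSH session on port 3333 do not. In practice you would feed this from a proxy, Zeek or EDR process-network telemetry, and add the pool domains and ports your own environment actually sees.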