Cryptojacking in 2019 is not dead — it’s evolving!

Cryptojackers have shut down university networks and government websites, but the case that attracted the most attention was the use of the Coinhive mining service to mine Monero.

With the closure of Coinhive it appeared that cryptojacking might be coming to an end. Coinhive was a cryptocurrency mining service that relied on a small chunk of JavaScript embedded in web pages. It released its mining code in 2017, pitching it as a way for website owners to earn an income without running intrusive or annoying advertisements. However, although Coinhive’s code was not inherently malicious, it became popular among hackers for cryptojacking: the more people visited a compromised site, the more processing power was siphoned off to mine Monero, with or without the visitor’s consent.

Coinhive malware

The platform had seemed like a good idea until the software went on to form the foundation of notorious cryptojacking campaigns that ended up affecting millions of user devices, spiking electricity bills, and draining batteries to secretly and illicitly mine cryptocurrency, as Conor Maloney writes for CCN. Furthermore, as more and more criminals hacked sites and planted the Coinhive script, the issue shot completely out of control. Maloney writes: “Coinhive was listed as the world’s greatest online malware threat by cybersecurity firm Check Point for 15 consecutive months, and an estimated 5% of all Monero was mined through cryptojacking.”

Coinhive announced that it would shut down operations on 8 March 2019, and many thought that would be the end of intensive cryptojacking activity. However, Maloney points out that while cryptojackers can’t turn to Coinhive anymore, they will look for other means of attack.

The Coinhive vacuum is waiting to be filled

Chris Dawson, Threat Intelligence Lead at the security company Proofpoint, commented that Coinhive was far from the only cryptojacking malware on the market, adding “the fall of Coinhive leaves a power vacuum waiting to be filled,” as he told Maloney. Dawson sees a threat coming from other forms of malware, such as “banking trojans, credential stealers and pieces of malware which sit on machines.”

Others, such as Jerome Segura of Malwarebytes, believe the criminal industry is slowing down. He told ZDNet: “There are still a lot of hacked sites with Coinhive code, but I have a feeling these are mostly remnants from past hacks. Most of what I see these days is CoinIMP [a Coinhive competitor] and it’s been active again with Drupal hacks recently. But overall, I think the trend is nearing out.”

Is Segura too optimistic? Cryptojacking is not the only way criminals monetise compromised machines with cryptocurrency: ransomware like WannaCry and Petya has dealt catastrophic blows, taking down services at hospitals, car factories, government facilities, and airports as well as infecting personal devices to extract a ransom that is usually payable in Bitcoin. And cryptojacking malware still exists, Cryptoloot being one example, ranked second only to Coinhive in prevalence. There is also Emotet, a banking Trojan which typically arrives as a malicious email attachment and is then used to drop other forms of malicious software, plus a host of password-collecting bots.

It may be good news that Coinhive has closed down, but we cannot be complacent and believe the threat of cryptojacking has gone away. As long as there is cryptocurrency for the taking, cryptojackers will be evolving their tactics for getting their hands on it, and we need to be more vigilant than ever.

The Malware Hunter

Avoiding malware, which can invade your computer via phishing emails or malicious sites, is a common preoccupation. You only have to click on the wrong thing and your machine has joined a ‘botnet’: a network of infected computers that may be used to attack your business website or spread a virus.

But now it looks like help is on the way, albeit in a rather unusual, roundabout way. Netlab 360 has identified a type of botnet that searches for a specific malware infection without otherwise harming your computer. What is more, once it has hunted down and eliminated the ‘bad botnet’, it deletes itself from your computer.

Netlab 360 engineer Hui Wang has called it ‘Fbot’, although nobody knows who created it, which is one of the interesting parts of this story. But whoever is responsible for it has basically designed a bot that does a much-needed job.

The way it works is like this, according to Jon Christian writing in futurism.com: “Fbot first infects computers that leave a specific port vulnerable to attack. Then it searches its new hosts for a piece of malware called com.ufo.miner, which uses infected computers to mine the cryptocurrency Monero — and eradicates it.”

Wang says, “So far, the only purpose of this botnet looks to be just going after and removing another botnet.” Other unusual aspects of the bot are:

· The bot does not use traditional DNS to communicate with the C2; instead, it utilises blockchain DNS to resolve the non-standard C2 name musl.lib.

· It appears to have strong links to the original Satori botnet.

Coindesk has also commented on the new discovery, saying “Unusually, the botnet code is linked to a domain name accessible, not through a standard domain name system (DNS), but a decentralized alternative called EmerDNS that makes addresses harder to trace and shut down.”

And the researchers also pointed out: “The choice of Fbot using EmerDNS other than traditional DNS is pretty interesting, it raised the bar for security researchers to find and track the botnet (security systems will fail if they only look for traditional DNS names).”
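The researchers’ point above translates into a concrete check: resolver and DNS-firewall logs should be searched for query names under top-level labels that only exist in blockchain naming systems, since a host asking a corporate resolver for musl.lib (or any .lib, .emc, .coin, .bazar or Namecoin .bit name) has no legitimate reason to. The script below is an added example written for this article, not code from Netlab 360 or from the Fbot write-up. The log layout (timestamp, client IP, query name, query type) and all addresses and names other than musl.lib are constructed, and BLOCKCHAIN_TLDS is an assumed starter list that you should extend for your environment.

```python
"""Flag DNS lookups for names under blockchain naming systems (EmerDNS, Namecoin)
in resolver query logs.

Added example; not code from Netlab 360 or the article. Assumptions: the log
format is a made-up "<timestamp> <client_ip> <qname> <qtype>" layout and
BLOCKCHAIN_TLDS is a starter list, not an authoritative one.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Top-level labels served by blockchain naming systems rather than the ICANN root.
# EmerDNS: .coin .emc .lib .bazar; Namecoin: .bit.  (Assumed starter list.)
BLOCKCHAIN_TLDS = frozenset({"coin", "emc", "lib", "bazar", "bit"})

# Constructed log layout: one query per line, whitespace separated.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)\s*$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    qname: str  # normalised: lowercase, no trailing root dot
    tld: str


def normalize_name(qname: str) -> str:
    """Lowercase and strip the trailing root dot so 'MUSL.LIB.' equals 'musl.lib'."""
    return qname.rstrip(".").lower()


def tld_of(qname: str) -> str:
    """Return the rightmost label of a (possibly absolute) domain name."""
    return normalize_name(qname).rsplit(".", 1)[-1]


def is_blockchain_name(qname: str) -> bool:
    """True only when the *last* label is a blockchain TLD; 'lib.example.org' is benign."""
    return tld_of(qname) in BLOCKCHAIN_TLDS


def scan_log(lines):
    """Return a Hit for every parsable line whose qname sits under a blockchain TLD."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or non-query line: skip rather than crash the scan
        if is_blockchain_name(m["qname"]):
            hits.append(
                Hit(m["ts"], m["client"], normalize_name(m["qname"]), tld_of(m["qname"]))
            )
    return hits


def hits_by_client(hits):
    """Group flagged names per source host, which is what an analyst pivots on."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h.client].add(h.qname)
    return {client: sorted(names) for client, names in grouped.items()}


# Constructed sample log: addresses and all names except musl.lib are invented.
SAMPLE_LOG = [
    "2019-03-10T08:00:01Z 10.0.0.5 www.example.com. A",
    "2019-03-10T08:00:02Z 10.0.0.5 lib.example.org. A",   # 'lib' as a subdomain: benign
    "2019-03-10T08:00:03Z 10.0.0.9 MUSL.LIB. A",           # the Fbot C2 name from the write-up
    "2019-03-10T08:00:04Z 10.0.0.9 update.somecdn.net. AAAA",
    "2019-03-10T08:00:05Z 10.0.0.12 wallet.bazar A",       # constructed EmerDNS-style name
    "garbage line that does not match",
]

if __name__ == "__main__":
    for client, names in hits_by_client(scan_log(SAMPLE_LOG)).items():
        print(f"{client}: {', '.join(names)}")
```

One caveat a practitioner should keep in mind: this only catches hosts that push the blockchain name through a resolver you log. A bot that resolves musl.lib through its own EmerDNS-capable path never sends that name to your resolver, so treat this as one signal alongside network egress monitoring rather than as a complete detection.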

Either way, everyone is extremely curious about who is behind the botnet: is it somebody working with good intentions, or is it a hacker trying to remove the competition? Perhaps we will never know.