Cryptocurrency mining malware, the latest scourge scouring the Internet, is becoming increasingly sophisticated and widespread with previously unseen attack methods now emerging. 

Cryptocurrency mining malware is well and truly on the rise, eclipsing ransomware in popularity among cyber thieves. This is illustrated very well in a new attack method recently discovered.

Malicious hackers penetrated the management platform of a software vendor that provides software management and monitoring. The vendor uses its management platform to send out updates to hundreds of thousands computers concurrently.

The hackers, however, inserted crypto currency mining malware into an original software image scheduled for launch from the management platform. The intention was clear; to infect hundreds of thousands of computers at the same time to harness the collective processing power and mine for Monero digital currency.

The attack was stopped thanks to remote monitoring from a Secure Operations Centre. But the manner in which the malware operated was previously unseen and sophisticated making it significant.

The malware had the fingerprints of high level hackers all over it. Interestingly, they hadn’t shared the technique with hackers on lower rungs of the cybercrime fraternity.

Rather than sell the malware, which is the norm, they decided to keep it for themselves. Clearly they aimed to harvest vast amounts of Monero digital currency.

Huge amounts of money

To put this in context, research was recently carried out on how much crypto mining malware has been identified in the past few years. In 2017 this type of malware peaked at just under 2,000 samples. So far this year it has skyrocketed to over 15,000 samples.

  • This large growth of mining malware is in parallel with spikes in cryptocurrency value. For instance in December 2017 Bitcoin value peaked at close to $20,000. Today it has corrected to approximately $6,000.
  • Cryptocurrency values began to rise in the summer of 2017 which was the same time that incidents of mining malware began to rise dramatically.
  • A total of $175 million has been found to be mined historically via the Monero currency, representing roughly 5% of all Monero currently in circulation.
  • It is clear that mining malware has been extremely profitable for individuals or groups who have mined cryptocurrency. It also highlights why ‘top tier’ hackers in the example above haven’t sold their sophisticated malware onto lower level hackers.
  • The most popular cryptocurrencies mined by malware are Monero, Bitcoin, Electroneum, Ethereum and Litecoin as well as few others. However, Monero is by a long stretch the most targeted cryptocurrency.

Why is Monero so popular?

  • It is driven by cyber criminals’ preference for the added privacy that Monero and other Bitcoin competitors provide.
  • Bitcoin is losing its lustre among criminals because law enforcement is adopting software tools to monitor people using Bitcoin.
  • As a result, Privacy coins such as Monero, designed to avoid tracking, are becoming increasingly popular.
  • The amount of Bitcoin being used on the Dark Web for illicit activities is believed to have fallen from 30 percent to 1 percent.
  • The popularity of Monero is also driven by its adoption by new Dark Web markets.
  • The value of Monero, around $140, is much lower than the $6,000 of Bitcoin. However the ease with which it can be bought and used is proving to be compelling for cyber criminals.


A crypto miner Trojan was recently discovered which exploits a vulnerability in Adobe Flash Player. The Trojan was delivered via a malicious website which had malware script built into it. Dubbed WagonlitSwfMiner, it has been neutralised but other crypto miner Trojans are spreading rapidly.

BullGuard protects your computer from malware




This cryptocurrency-mining malware spreads via a malicious website and disguised as a security update for the victim’s internet browser.
  • On the fraudulent website is a downloadable file that contains a downloader agent written in the C# language.
  • When the file is executed, it downloads several components, including an Internet of Things (IoT) scanner, ChromePass, legitimate software used to collect passwords from the Chrome browser, the well-known EternalRomance exploit (stolen earlier form the US National Security Agency) and the XMRig Monero miner.
  • The IoT device scanner scans for devices in Iran and Saudi Arabia with the login credentials “admin” for both username and password. It has also been detected in Singapore, Taiwan, Australia and India among other countries.
  • It saves the Iran and Saudi Arabia IP addresses of vulnerable devices to the malware’s command and control server, most likely for future exploitation.
  • The EternalRomance exploit is used against the SMBv1 vulnerability.
SMBv1 is a PC file sharing protocol. Microsoft issued a patch for this vulnerability last year but PyRoMineIoT uses this exploit on unprotected computers to spread around the Internet via unprotected ports.
  • XMRig is the software that mines the cryptocurrency Monero.

Cyber crooks move to the cloud to hijack huge computational power

Attacks on cloud-based Docker containers and Kubernetes, an open source container orchestration platform, have been detected.
  • Docker is a relatively new way of packaging software used by large organisations.  Generically known as containers, Docker is similar to a virtualised computer and is becoming increasingly common because it enables cost-effective computing.
  • Kubernetes is a management platform of sorts that allows large numbers of containers to work together in harmony. This reduces operational and management burden for IT administrators.
In one instance attackers infiltrated a Kubernetes console, which was not password protected, belonging to Tesla the well-known company that specializes in electric vehicles, energy storage and solar panel manufacturing.

Within one Kubernetes pod were access credentials to Tesla’s Amazon Web Services (AWS) cloud environment. The attackers used these access credentials to carry out crypto mining from within one of Tesla’s Kubernetes pods, leveraging the vast compute power of the AWS cloud.


A recently discovered crypto currency mining malware targeting Windows-based devices has been discovered. To date it has infected 300,000 computers.
  • The malware monitors clipboard activity to identify what kind of cryptocurrencies the victim has stored in their digital wallet.
  • If the malware finds Bitcoin and Ethereum addresses it replaces them with the address used by the cybercriminals.
  • The amount of crypto currency stolen to date appears to be relatively small but the malware is still most certainly active. Its latest activity was detected on in early June.
The ability to replace a wallet address by monitoring clipboard activity is not new. A Trojan called CryptoShuffler used the same method to steal cryptocurrencies such as Dash, Monero, Ethereum, Bitcoin and Zcash among others.

Defeating crypto currency mining malware

Crypto currency mining malware authors by definition are a clever bunch:
  • They often limit how much compute processing power is used to avoid detection.
  • Alternatively they ensure that mining operations only take place during specific times of the day or when the user is inactive.
  • A large number of different methods are used to deliver the malware requiring in-depth protection.
The most effective way for consumers to avoid cryptocurrency mining malware infection is to use good internet security software that regularly updates.

Enterprises on the other hand need to be aware that cyber criminals are developing increasingly sophisticated attack methods and that basic security errors, such as leaving AWS access credentials in a Kubernetes pod, is like leaving the keys to a house on the doorstep.