January 11, 2019

Gresham's Law thesis is back - Malware bid to oust honest miners in Monero

Seven years after we called out the cancer that is criminal activity in Bitcoin-like cryptocurrencies, here comes a report suggesting that 4.3% of Monero mining is siphoned off by criminals.

A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth

Sergio Pastrana, Universidad Carlos III de Madrid
Guillermo Suarez-Tangil, King's College London

Abstract—Illicit crypto-mining leverages resources stolen from victims to mine cryptocurrencies on behalf of criminals. While recent works have analyzed one side of this threat, i.e.: web-browser cryptojacking, only white papers and commercial reports have partially covered binary-based crypto-mining malware. In this paper, we conduct the largest measurement of crypto-mining malware to date, analyzing approximately 4.4 million malware samples (1 million malicious miners), over a period of twelve years from 2007 to 2018. Our analysis pipeline applies both static and dynamic analysis to extract information from the samples, such as wallet identifiers and mining pools. Together with OSINT data, this information is used to group samples into campaigns. We then analyze publicly-available payments sent to the wallets from mining-pools as a reward for mining, and estimate profits for the different campaigns. Our profit analysis reveals campaigns with multimillion earnings, associating over 4.3% of Monero with illicit mining. We analyze the infrastructure related with the different campaigns, showing that a high proportion of this ecosystem is supported by underground economies such as Pay-Per-Install services. We also uncover novel techniques that allow criminals to run successful campaigns.

This is not the first time we've seen confirmation of the basic thesis in the paper Bitcoin & Gresham's Law - the economic inevitability of Collapse. Anecdotal accounts suggest that from late 2011 into 2012 there was a lot of criminal mining.

Our thesis was that criminal mining begets more criminal mining, and eventually pushes out the honest business in every form, from mining to trade.

Testing the model: Mining is owned by Botnets

Let us examine the various points along an axis from honest to stolen mining: 0% botnet mining to 100% saturation. Firstly, at 0% of botnet penetration, the market operates as described above, profitably and honestly. Everyone is happy.

But at 0%, there exists an opportunity for near-free money. Following this opportunity, one operator enters the market by turning his botnet to mining. Let us assume that the operator is a smart and careful crook, and therefore sets his mining limit at some non-damaging minimum value such as 1% of total mining opportunity. At this trivial level of penetration, the botnet operator makes money safely and happily, and the rest of the Bitcoin economy will likely not notice.

However, we can also predict with confidence that the market for botnets is competitive. As there is free entry in mining, an effective cartel of botnets is unlikely. Hence, another operator can and will enter the market. If a penetration level of 1% is non-damaging, 2% is only slightly less so, and probably nearly as profitable for both of them as for one alone.

And, this remains the case for the third botnet, the fourth and more, because entry into the mining business is free, and there is no effective limit on dishonesty. Indeed, botnets are increasingly based on standard off-the-shelf software, so what is available to one operator is likely visible and available to them all.

What stopped it from happening in 2012 and onwards? The consensus is that ASICs killed the botnets. Serious mining firms moved to large custom rigs of ASICs, and as these were so much more powerful than any home computer, they effectively knocked the criminal botnets out of the market. The new paper acknowledges this:

... due to the proliferation of ASIC mining, which uses dedicated hardware, mining Bitcoin with desktop computers is no longer profitable, and thus criminals’ attention has shifted to other cryptocurrencies.

Why is botnet mining back with Monero? Presumably because Monero uses an ASIC-resistant algorithm that is best served by GPUs, and because it is also a heavy privacy coin, which works nicely for honest people with privacy problems but also works well to hide criminal gains.

Posted by iang at January 11, 2019 05:01 PM


The Varonis Security Research team recently investigated an ongoing cryptomining infection that had spread to nearly every device at a mid-size company. Analysis of the collected malware samples revealed a new variant, which the team dubbed “Norman” that uses various techniques to hide and avoid discovery. We also discovered an interactive web shell that may be related to the mining operators.

Research Overview

* We found a large-scale infection of cryptominers; almost every server and workstation in the company was infected.

* Since the initial infection, which took place over a year ago, the number of variants and infected devices grew.

* Norman employs evasion techniques to hide from analysis and avoid discovery.

* Most of the malware variants relied on DuckDNS (a free, Dynamic DNS service). Some needed it for command and control (C&C) communications, while others used it to pull configuration settings or to send updates.

* Norman is an XMRig-based cryptominer, a high-performance miner for Monero cryptocurrency.

* We have no conclusive evidence that connects the cryptominers to the interactive PHP Shell. However, we have strong reason to believe they originate from the same threat actor. We make a case whether they may or may not be connected.

* We provide tips for defending against remote web shells and cryptominers.

The Investigation
The investigation began during an ...

Posted by: Varonis Uncovers New Malware Strains and a Mysterious Web Shell During a Monero Cryptojacking Investigation at August 16, 2019 04:00 AM

Ukrainian authorities are investigating a potential security breach at a local nuclear power plant after employees connected parts of its internal network to the internet so they could mine cryptocurrency.

The investigation is being led by the Ukrainian Secret Service (SBU), who is looking at the incident as a potential breach of state secrets due to the classification of nuclear power plants as critical infrastructure.

Investigators are examining if attackers might have used the mining rigs as a pivot point to enter the nuclear power plant's network and retrieve information from its systems, such as data about the plant's physical defenses and protections.

According to authorities, the incident took place in July at the South Ukraine Nuclear Power Plant, located near the city of Yuzhnoukrainsk, in southern Ukraine.

It's unknown how the scheme was discovered, but on July 10 the SBU raided the nuclear power plant, from where it seized computers and equipment specifically built for mining cryptocurrency.

This equipment was found in the power plant's administration offices, and not on its industrial network.

Confiscated equipment included two metal cases containing basic computer parts, but with additional power supplies, coolers, and video cards. According to court documents [1, 2], one case held six Radeon RX 470 GPU video cards, and the second five.

Further, the SBU also found and seized additional equipment[1, 2] that looked like mining rigs in the building used as barracks by a military unit of the National Guard of Ukraine, tasked with guarding the power plant.

Posted by: Employees connect nuclear plant to the internet so they can mine cryptocurrency at August 23, 2019 10:35 AM

Employees at the Russian Federation Nuclear Center have been arrested on suspicion of using supercomputers at the facility to mine cryptocurrency. .... The Sarov-based nuclear facility, also known as the All-Russian Research Institute of Experimental Physics (RFNC-VNIIEF), focuses on enhancing nuclear weaponry at the computational and theoretical levels. ....

As none of the facility's systems, including its 1-petaflop capable supercomputer which was powered up in 2011, are meant to be connected to the Internet due to the research involved, once the engineers allegedly attempted to connect to the web for mining, the scheme was exposed.

"Similar attempts have recently been registered in a number of large companies with large computing capacities, which will be severely suppressed at our enterprises, this is technically a hopeless and criminal offense," Zalesskaya added. ....

Posted by: Russian Nuclear Center engineers arrested for using supercomputers to mine cryptocurrency at August 23, 2019 10:38 AM

It has been reported the Australian Federal Police (AFP) is investigating two Bureau of Meteorology (BOM) staff over allegations they were using the bureau's equipment to mine for cryptocurrency.

Posted by: Bureau of Meteorology staff questioned by AFP over cryptocurrency mining: Report at August 23, 2019 10:39 AM

As their value rises, virtual currencies such as Bitcoin or Monero are becoming attractive to Romanians as well. ...

Posted by: Romanian National Research Institute for Nuclear Physics and Engineering was also caught mining cryptocurrency at work at August 23, 2019 10:45 AM

Between March and July 2019, Paige Thompson accessed at least 30 institutions’ servers managed by an unnamed cloud computing company, compromising at least 100 million customer accounts, according to a release published Wednesday. While there is no indication Thompson attempted to sell this information, she did use stolen computing power to mine cryptocurrencies.

Posted by: Capital One Hacker Used Stolen Computing Power to Mine Crypto at September 1, 2019 01:26 PM

... Denis Baykov was handed the penalty by a jurisdictional city court for accessing the lab’s supercomputer to illegally mine the world’s top cryptocurrency by market valuation.

Located in Sarov, Russia, the top-secret lab was where the first Soviet nuclear bombs were manufactured in the late 1940s. It remains home to some of Russia’s most powerful computers.

The mining trio was first exposed last February and promptly handed over to the Federal Security Service. ....

Court verdicts for the other two scientists have not yet been reached.

Posted by: Russian Nuclear Scientist Gets $7,000 Fine for Mining Bitcoin at Work at October 1, 2019 10:32 AM

Confirmed infections reported in UK, Germany and Switzerland...

Posted by: Supercomputers hacked across Europe to mine cryptocurrency at May 18, 2020 07:00 AM

Dogecoin’s moment didn’t end with TikTok or Elon Musk. Instead, hackers have started using the meme cryptocurrency to control mining malware.
By Shaurya Malwa
Jul 29, 2020

In brief
* Dogecoin is now being used by hackers to maintain a crypto-mining botnet.
* Attackers are accessing APIs with DOGE wallets to mask their location.
* The attack is still ongoing.

Meme coin Dogecoin is being used by hackers to control Monero-mining malware on Linux operating systems, said security firm Intezer Labs yesterday.

When Intezer Labs was analyzing a relatively new backdoor trojan virus, called Doki, it found an old attacker was using it to direct mining malware on public web servers.

Posted by: Hackers are now using Dogecoin to infiltrate computers at July 30, 2020 06:52 AM

Key Findings
* Ngrok Mining Botnet is an active campaign targeting exposed Docker servers in AWS, Azure, and other cloud platforms. It has been active for at least two years.
* We have detected a recent attack which includes a completely undetected Linux malware and a previously undocumented technique, using a blockchain wallet for generating C&C domain names.
* Anyone with publicly open Docker API access is at high risk to be hacked within the span of just a few hours. This is probably due to the hackers’ automated and continuous internet-wide scanning for vulnerable victims.
* The new malware, dubbed “Doki”, hasn’t been detected by any of the 60 malware detection engines in VirusTotal since it was first analyzed on January 14, 2020.
* The attacker is using the infected victims to search for additional vulnerable cloud servers.


Posted by: Watch Your Containers: Doki Infecting Docker Servers in the Cloud at July 30, 2020 06:57 AM

A new Microsoft report states that India encounters the second-highest number of cryptojacking incidents in the APAC region.

Cryptojackers are hitting pay dirt in India, according to Microsoft's newly released Security Endpoint Threat Report 2019.

The report states that web users in India encounter crypto mining malware attacks at a rate 4.6 times higher than the regional and global average. India experiences the second-largest number of cryptocurrency mining attacks in the Asia Pacific region, lagging only behind Sri Lanka.

A cryptocurrency mining attack, commonly called cryptojacking, is an attack where hackers secretly install cryptocurrency mining malware on someone else's computer to use its computing power to mine cryptocurrencies.

Posted by: Cryptojacking Almost 5 Times More Prevalent in India Than Global Average at July 30, 2020 07:01 AM