2019 Being The Year Of Cryptojacking, Confirmed By IBM
Endpoint products from antivirus vendors used by enterprises are not yet ready for cybercriminals' newest weapon, cryptojacking. Also known as cryptocurrency mining malware, it is designed to work in the background, causing nothing readily perceptible while making the hardware perform computations in the hope of mining cryptocurrency for its authors. Such behavior is difficult to detect even with a tried and tested heuristics engine: legitimate programs routinely compute hashes, so heavy hash computation alone cannot prove that a program running in the background is doing so maliciously.
IBM has determined that 2019 is a cryptojacking year, with mining expected to continue intensifying through the use of trojan horses: deliberate infection through a dropper rather than drive-by browsing. “Data from the ‘IBM X-Force Threat Intelligence Index’ for 2018 illustrated that threat actors have been increasingly using malicious cryptomining, aka cryptojacking attacks, to easily monetize their access to systems with minimal risk. The 2019 report showed that threat actors continue to use these attacks to compromise systems and generate a revenue stream,” explained Charles DeBeck, IBM’s Strategic Cyber Threat Analyst.
Though not as profitable as ransomware or the still classically effective phishing, cryptojacking provides a steady income without alarming the victims. They continue to use the computer as normal; in practice, the only way they notice is when they receive their next electricity bill. A computer under normal load will underclock its CPU during idle times and periods when the load is light. When the computer is mining a cryptocurrency, however, it uses a lot of CPU and GPU resources. The upshot is that the infected computer works harder, hence higher CPU/GPU usage, which translates into higher electricity consumption.
“Threat actors could also be temporarily shifting away from browser-based cryptojacking if they relied on Coinhive to provide them with scripts. With Coinhive gone, threat actors would have to go to other script providers. While there are many other providers of the same sort of scripts, the removal of Coinhive could affect the overall ability of the technically unskilled to create web-based cryptojacking attacks,” added DeBeck.
The current architecture of antivirus software needs to change in order to detect cryptojacking malware. Signature-based detection is too slow to keep up with new variants and families of cryptojacking malware. Heuristics may help, but they produce more false positives than detections of genuine misbehavior.
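As an added illustration of the detection problem described above (not code from IBM or the article), the Python heuristic below flags a process only when it keeps the CPU pegged for a sustained window while the user is idle, which is the pattern the electricity-bill paragraph describes, rather than on a single burst of hashing. The telemetry is constructed, and the Sample fields, process names and thresholds are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Sample:
    ts: int           # seconds; one sample per process per interval (assumed collector)
    pid: int
    name: str
    cpu_pct: float    # CPU share of this process over the interval (0-100)
    user_idle: bool   # no keyboard/mouse activity during the interval

def flag_sustained_idle_cpu(samples: List[Sample], threshold: float = 80.0,
                            min_secs: int = 600) -> Dict[int, str]:
    """Return {pid: name} for processes whose cpu_pct stayed >= threshold across
    consecutive samples spanning at least min_secs while the user was idle.
    One high-CPU sample proves nothing (legitimate software hashes too); the
    signal is load that does not fall off when the machine should be idle."""
    by_pid: Dict[int, List[Sample]] = {}
    for s in sorted(samples, key=lambda s: s.ts):
        by_pid.setdefault(s.pid, []).append(s)
    hits: Dict[int, str] = {}
    for pid, rows in by_pid.items():
        run_start: Optional[int] = None
        for s in rows:
            if s.user_idle and s.cpu_pct >= threshold:
                if run_start is None:
                    run_start = s.ts
                if s.ts - run_start >= min_secs:
                    hits[pid] = s.name
                    break
            else:
                run_start = None  # load dropped or user came back: reset the window
    return hits

def constructed_samples() -> List[Sample]:
    """Constructed telemetry (not real data): one sample per minute for 15 minutes."""
    out: List[Sample] = []
    for minute in range(15):
        ts = minute * 60
        idle = minute >= 2  # user walks away after two minutes
        # browser: busy while in use, drops to near zero once the user is idle
        out.append(Sample(ts, 101, "browser", 3.0 if idle else 70.0, idle))
        # backup job: heavy CPU only while the user is active, so never flagged
        out.append(Sample(ts, 202, "backup", 0.0 if idle else 90.0, idle))
        # unknown background process: stays pegged regardless of idle state
        out.append(Sample(ts, 303, "bgtask.exe", 96.0, idle))
    return out

if __name__ == "__main__":
    print(flag_sustained_idle_cpu(constructed_samples()))  # {303: 'bgtask.exe'}
```

This is a triage signal, not proof: a legitimate idle-time job such as an indexer or encoder will trip it too, which is the false-positive trade-off the paragraph above warns about.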
“Cryptojacking is tougher for organizations to mitigate, since the infection occurs outside the organization on an unaffiliated server and takes advantage of users browsing to a compromised resource. In most cases, when the company’s security team sees alerts for mining activity, there isn’t much it can do to clean up within the company’s own devices. While one could notify the web server’s owner of the compromise, they may not know what to do about it or fail to address the issue,” concluded DeBeck.