Cryptocurrency Mining Malware and How to Stop It

Cybercriminals have a new way of making money, and it’s at your expense. In fact “cryptojacking,” the unauthorized use of a machine or system to mine cryptocurrency, has been around for some years, driven by cryptocurrency’s unprecedented rise to fame. But it is on the increase: IBM’s X-Force Threat Intelligence Index for 2019 reports that cryptojacking occurrences grew 450% during 2018.

And in recent days, Microsoft has warned that new “Dexphot” mining malware infected more than 80,000 machines between its first discovery in October 2018 and its peak in June 2019. The good news is that the number of daily Dexphot infections has been falling since June. Microsoft, according to ZDNet, says it has employed countermeasures to improve detection and prevent successful attacks.


What is cryptocurrency mining and cryptojacking?

Cryptocurrencies are digital currencies or assets stored and recorded using blockchain technology. In essence, this technology is a type of software that for the first time gives forms of money, and other assets, a digital and tradeable identity.

A blockchain is a type of distributed ledger where the data is stored across multiple machines instead of in a single centralized data silo. To manage this ledger and produce new crypto coins, for some cryptocurrencies, a process of “mining” takes place. Without going into too much detail, this process involves a mathematical algorithm run by software that helps to validate new blockchain transactions. Miners are rewarded with new coins, but the process takes a good deal of computer resources, like RAM, as well as electricity.
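To make the resource cost concrete, here is an added example (not code from the article): a simplified proof-of-work search in the style real miners run. The block header, the difficulty values and the hash construction are constructed for illustration; actual currencies use their own hash functions and parameters.

```python
# Added example, not from the article: a toy proof-of-work search showing why
# mining burns CPU. The header bytes and difficulty values are constructed.
import hashlib


def mine(block_header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Find a nonce whose SHA-256 over header||nonce starts with
    `difficulty_bits` zero bits. Returns (nonce, attempts) or None.
    Expected work roughly doubles for every extra bit of difficulty."""
    target = 1 << (256 - difficulty_bits)  # hash must be below this value
    for nonce in range(max_nonce):
        digest = hashlib.sha256(block_header + nonce.to_bytes(8, "big")).digest()
        if int.from_bytes(digest, "big") < target:
            return nonce, nonce + 1
    return None


def verify(block_header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs one hash; finding one costs ~2**bits.
    That asymmetry is why attackers want other people's CPUs for the search."""
    digest = hashlib.sha256(block_header + nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


if __name__ == "__main__":
    header = b"constructed-block:prev=000...0;txs=alice->bob:1"  # made-up block
    for bits in (8, 12, 16):
        nonce, attempts = mine(header, bits)
        print(f"{bits:2d} bits: nonce={nonce} found after {attempts} hashes")
```

Raising the difficulty from 8 to 16 bits multiplies the expected number of hashes by about 256, while verification stays a single hash.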

Cybercriminals are able to infect websites and systems with cryptomining malware just as easily as any other type of malware. They either hide it in phishing and other spam emails or place it on websites, where it is downloaded by unwitting visitors.

Once in a computer system, cryptomining malware can secretly use the device’s resources to mine cryptocurrency, sending the reward back to the cybercriminals. It can quickly wear down a machine, cause slowdowns, and cost electricity.


Dexphot is advanced, but the cryptomining malware threat often takes second place to that of data breaches

Microsoft says that Dexphot is notably advanced, considering that the rewards for cybercriminals are perhaps much smaller, and spread over a longer period, when compared to something like a ransomware attack or a data breach.

Hazel Kim, a malware analyst on the Microsoft Defender ATP Research Team, says “Dexphot is not the type of attack that generates mainstream media attention,” adding:

“It’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles – to install a coin miner that silently steals computer resources and generates revenue for the attackers.”

But Kim says:

“Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit.”

These advanced techniques include “fileless execution, polymorphic techniques, and smart and redundant boot persistence mechanisms.”

Microsoft says Dexphot is a “second-stage payload”, meaning it is a type of malware that infects systems already hosting other malware; in this case, a malware strain called ICLoader, which often arrives on systems bundled with software installs.

Microsoft also explains that, because of “fileless execution”, only Dexphot’s installer is written to a computer’s drive, and only for a short time, which makes the malware hard to detect for less advanced signature-based antivirus solutions.

Dexphot also hijacks and hides in normal Windows processes, and its creators and operators employ “polymorphism”, a process of changing Dexphot’s file names and the URLs used in the mining process every 20-30 minutes. Again, this makes Dexphot hard to identify.
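The rotation itself is something a defender can look for. The following is an added example, not code from the article or from Microsoft: it runs a name-based check and a behavioural check over constructed process-creation events (the parent process names, directory, file names and timestamps are all made up), showing why a fixed file-name signature misses a rotating payload while the rotation pattern is still visible.

```python
# Added example (not from the article): behavioural detection of the
# "rotating file name" pattern described above, run over constructed
# process-creation events. All names, paths and timestamps are made up.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: (timestamp, parent process, image path). The names
# under C:\Users\Public\rot\ are hypothetical and change every ~25 minutes,
# mimicking the polymorphism the article describes.
SAMPLE_EVENTS = [
    ("2019-06-01 09:00:00", "svchost.exe", r"C:\Users\Public\rot\a1b2c3.exe"),
    ("2019-06-01 09:25:00", "svchost.exe", r"C:\Users\Public\rot\d4e5f6.exe"),
    ("2019-06-01 09:50:00", "svchost.exe", r"C:\Users\Public\rot\g7h8i9.exe"),
    ("2019-06-01 10:15:00", "svchost.exe", r"C:\Users\Public\rot\j0k1l2.exe"),
    ("2019-06-01 09:03:00", "explorer.exe", r"C:\Program Files\App\app.exe"),
    ("2019-06-01 12:03:00", "explorer.exe", r"C:\Program Files\App\app.exe"),
]

KNOWN_BAD_NAMES = {"a1b2c3.exe"}  # a signature captured at one point in time


def signature_hits(events, bad_names=KNOWN_BAD_NAMES):
    """Name-based matching: catches only the sample the signature came from."""
    return [e for e in events if e[2].rsplit("\\", 1)[-1] in bad_names]


def rotating_image_alerts(events, min_distinct=3, max_gap_min=40):
    """Flag a (parent, directory) pair from which several *different*
    executables are launched in quick succession. The rotation is the signal,
    so the detection does not depend on any particular file name."""
    by_dir = defaultdict(list)
    for ts, parent, image in events:
        directory, name = image.rsplit("\\", 1)
        by_dir[(parent, directory)].append((datetime.fromisoformat(ts), name))
    alerts = []
    for (parent, directory), runs in by_dir.items():
        runs.sort()
        names = {n for _, n in runs}
        if len(names) < min_distinct:
            continue
        gaps = [(b[0] - a[0]).total_seconds() / 60 for a, b in zip(runs, runs[1:])]
        if gaps and max(gaps) <= max_gap_min:
            alerts.append({"parent": parent, "dir": directory,
                           "distinct_names": len(names),
                           "median_gap_min": sorted(gaps)[len(gaps) // 2]})
    return alerts


if __name__ == "__main__":
    print("signature hits:", len(signature_hits(SAMPLE_EVENTS)))  # 1 of 4 runs
    for alert in rotating_image_alerts(SAMPLE_EVENTS):
        print("rotation alert:", alert)
```

The thresholds are assumptions for the constructed data; on real telemetry they would be tuned against benign installers and updaters that also drop short-lived executables.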

Dexphot has other complexities, detailed by ZDNet and Microsoft, so advanced that they are usually found only in malware that targets governments or is operated by government-sponsored hackers. ZDNet writes:

“In the last two years, these techniques have been slowly trickling down to cyber-criminal gangs, and are now pretty much a common occurrence in something as mundane as a crypto-currency mining operation like Dexphot, infostealers like Astaroth, or click-fraud operations like Nodersok.”


So how do you protect against or detect cryptomining malware?

CSOonline, which recently detailed the threat of cryptojacking and many of the types of cryptomining malware prevalent today, says that to minimize the risk of cryptojacking you should:

“Incorporate the cryptojacking threat into your security awareness training, focusing on phishing-type attempts to load scripts onto users’ computers.”

Marc Laliberte, threat analyst at WatchGuard Technologies adds:

“Training will help protect you when technical solutions might fail.”

Awareness of phishing emails, their features and their risks helps employees identify them and deal with them appropriately. So does knowing to avoid less credible or out-of-date websites, which may be less well protected and may host malware that can sneak onto corporate systems.

– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series

There are also ad-blocking and anti-cryptomining extensions for web browsers, and endpoint and antivirus protection capable of detecting cryptocurrency mining software should be deployed. Web filtering tools and browser extensions also need to be kept up to date. Known infected websites should be blocked, and extensions should be monitored, as even legitimate ones can contain hidden malware.

Want to help secure your organisation? Sign up for a free demo and find out how we’re already helping organisations just like yours.