What is Cryptojacking?

Definition

As cryptocurrency increases in value, it becomes a target for attackers who create malware to steal it from targeted users. Cryptocurrency generation requires computer resources to solve mathematical problems. The more computer resources you have, the more cryptocurrency you can generate. Cryptojacking is the process of tricking users into using their computers and mobile devices to generate cryptocurrency for an attacker. This malware is a background process that steals computer resources and harms legitimate process performance.

How Does Cryptojacking Work?

The process of generating cryptocurrency is called “mining.” Miners compete with each other by rushing to be the first to solve mathematical problems. The miner who solves the problem first is rewarded with cryptocurrency, and the value is added to the blockchain. The blockchain is a ledger that appends blocks to a chain as users generate new currency, spend it, and transfer it. Blockchain technology is one long chain of data used to track cryptocurrency and determine who owns it and how much it’s worth.

To be the first to solve a mathematical problem, miners need powerful computing resources. Before cryptocurrency became popular, a home user on a desktop with a powerful video card could mine cryptocurrency, but now large mining farms are necessary to generate cryptocurrency at a high enough frequency to compensate the miner for his time and the electric cost to run the equipment.

A legitimate way to mine cryptocurrency is to use a farm of computers with groups of people and share the rewards. In a cryptojacking attack, an attacker uses malware or malicious JavaScript pages to use third-party computers to mine for the attacker. Malware installed on a user’s computer will silently mine cryptocurrency and transfer it to the attacker’s account. Local malware is much more persistent than JavaScript attacks, as it must be removed from the computer before it stops. JavaScript attacks use computing power from users connected to a web page. Once the web page is closed, the computing resources are released.

With malware, an attacker often uses keyloggers and clipboard sniffers to obtain the targeted user’s private key. A user’s private key is similar to a password that provides access to the user’s cryptocurrency account. When an attacker obtains the private key, they can drain the user’s cryptocurrency account and transfer funds to an attacker’s account. These attacks can cost users millions in cryptocurrency if it is not adequately protected.

How to Detect Cryptojacking

Good cryptojacking malware will throttle itself to avoid detection, but most attackers use as many resources as available on the computer until the malware is removed. If your computer has high CPU and memory usage with very little software running in the background, you could be the target of cryptojacking. High spikes in resource usage slow down the computer and affect the performance of your usual computer activity. Window's Task Manager tool lets you see resource usage. Right-click the taskbar and choose Task Manager to open the tool. Click the “Performance” tab.

Task Manager Showing Cryptojacking Malware CPU Usage

In the image above, the CPU usage is shown. If there was a high 90%-plus CPU spike on the computer with very few programs running, this could be a sign that malware is running in the background. With cryptojacking, memory usage would also spike. In addition to high resource usage, overheating is another sign of cryptojacking.

For known cryptojacking malware, antivirus software will detect it before the malware runs on the local computer. Antimalware has also gotten better at detecting malicious web pages, including those that contain cryptojacking JavaScript code.

Examples of Cryptojacking

Cryptojacking is not as common as it was during the height of cryptocurrency popularity. Savvy attackers will infect popular websites with cryptojacking malware because the more visitors to a site means additional resources. In 2017, researchers found that the Showtime online streaming site contained cryptojacking malware. In February 2018, researchers found cryptojacking on the Los Angeles Times site.

The amount of money generated from cryptojacking is unknown, but researchers estimate that it could be in the millions. In 2018, researchers estimated that the Smominru cryptomining botnet was able to generate $3.6-million in cryptocurrency by infecting approximately 500,000 devices.

Credential stealing is popular to gain access to a system and install background processes that steal cryptocurrency. The PowerGhost malware steals Windows credentials and then uses the popular EternalBlue exploit to spread to other Windows machines. It attempts to disable antivirus software along with any competing cryptomining software.

The cryptominer worm, Graboid, spreads across Docker containers open to the public internet without authentication. Graboid can then use Docker resources to mine cryptocurrency. It’s estimated that Graboid has infected over 2,000 Docker containers.

Good cryptojacking software throttles resource usage. MinerGate is programmed to stop running when a user is active on the local desktop. By shutting down during activity, users are less likely to detect malware on the system, leaving MinerGate active for longer on more machines.

Using open-source GitHub repositories, attackers can inject cryptojacking code into popular software. The attacker forks software in an attempt to look like a legitimate change is made to a code repository. It only requires a few lines of code to add cryptojacking, which can be successfully hidden among hundreds of other lines of code. When users download the new software version, the cryptojacking malware will spread across potentially thousands of machines, including corporate servers with extensive computing resources.

How to Prevent Cryptojacking

The most effective way to avoid cryptojacking is to avoid installing malware on your device. Should you download suspicious executables, good antivirus software should stop the malware from running, but this method is not reliable for all cryptojacking. Zero-day software is coded to evade detection and will even disable antivirus to prevent it from being removed.

For organizations, outgoing malware traffic can be detected and monitored. Firewalls can be used to stop outgoing traffic when malware needs to connect to an external server. When suspicious traffic is detected, monitoring software should send a notification to administrators to review a possible data breach.

On web pages containing cryptojacking, simply closing the web page fixes the issue. Resource usage spikes on a malicious cryptojacking page, so it can crash a computer before resources are exhausted. However, closing the browser tab that could be causing the resource drain will stop cryptojacking malware, and your device will return to its previous usage levels.