Skip to content
Naked Security Naked Security

Cryptomining criminals under the spotlight – a SophosLabs report

A new SophosLabs report takes you inside a cryptomining gang.

Remember cryptojacking?
That’s where websites would insert JavaScript software that mined cryptocurrency into web pages that you visited so that as long as you stayed on the page, your computer would be churning away, mining cryptocoins…
…on behalf of someone else.
Cryptojackers didn’t need to hack thousands of computers and install malware on every one of them – they could hack one web server and potentially run their money-making JavaScript software in thousands or even millions of browsers as innocent visitors visited that website.
In short, cryptojacking was a surprisingly simple, cross-platform, cloud-based way to steal other people’s processing power.
There was even a short-lived attempt to commercialise (and therefore to legitimise) cryptojacking, where websites could invite you to opt in to receive cryptomining JavaScript as you browsed in lieu of paying a subscription fee or as an alternative to ads.
But the system never worked out and has almost entirely been abandoned now by cybercrooks and legitimate websites alike.
The main snag was that browser-based cryptomining needed so much CPU power that any website that tried it became as good as unusable by visitors, whose browsers would bog down completely (and whose laptop cooling fans would fire up noisily in complaint), all in return for a negligible cryptocoin payout.
The economics just didn’t work out.
Visitors learned to avoid websites that tried to use it; most anti-virus software routinely started stripping out cryptocoin mining JavaScript anyway; the best-known service trying to commercialise browser-based mining shut down; and that, for many people, was that.

Because of the failure of browser-based cryptojacking in both its legitimate and criminal forms, it’s easy to assume that unlawful cryptomining has died out altogether and that cybercrooks have dropped this sort of attack from their arsenal entirely in favour of bigger money-earners such as ransomware and data theft.
Sadly, however, unlawful cryptomining is still a thing, and SophosLabs has just published a report that follows the evolution and operation of the cybercrime gang behind a botnet known as Kingminer.

Botnets, also known as zombie networks, are collections of infected computers that regularly call home to a single group of crooks to await further instructions, meaning in theory that the crooks who control a botnet could use the computers ensnared in it for almost any cybercriminal activity they wanted.
That could include stealing data, watching you on your webcam, snooping on your typing and browsing, sending out vast volumes of spam, using your computer as a jumping-off point to attack other people…
…or operating a giant pool of cryptomining computers.
Cryptomining seems to be the top activity in the Kingminer gang’s playbook, and they’re not targeting home users with laptops but instead going after company networks and all the computers on them.
Even with offices in many countries closed due to coronavirus regulations, company networks are still running, and those networks often contain lots of juicy servers that make an attractive target for cryptomining malware.
After all, servers have two desirable properties for cryptomining abuse, namely that they’re always on, so any unauthorised mining runs 24/7, and they’re usually much more powerful than the average laptop, so the crooks can dial in decent earnings without taking over the server so completely that they get noticed.

The Kingminer gang

The new Kingminer report makes fascinating reading because it delves into the malware delivery system that the crooks in this gang have been evolving and using for several years now.
In the report, you will:

  • Learn how the crooks get into your network in the first place. These crooks seems to favour brute-force password attacks against RDP and SQL servers, combined with unpatched exploits such as BlueKeep (a way to break in to vulnerable RDP servers without a password) and ETERNALBLUE (a way into Windows networking without a password).
  • Learn how the crooks guard their turf. These crooks make sure you are patched against BlueKeep once they’re in by downloading and installing any missing updates for you. This stops rivals following them onto your network later.
  • Learn how the crooks download their latest attack tools. The crooks employ what’s called a domain generation algorithm (DGA) that automatically comes up with a new website name to use for downloads each week. Unless you know the DGA, it’s hard to guess what download names the crooks will be registering and using for their next attack. They also make use of popular software distribution sites like Githhub to host their attack software, moving onto to new accounts as the old ones are identified and shut down.
  • Learn how the crooks launch their chosen cryptomining code. This gang uses a variety of tricks to download and launch their final malware payload. For example, instead of loading their malware programs directly, they’ll install legitimate programs and trick those programs into loading their malware files as DLLs. Or they’ll create malware to look like a Control Panel applet so it can be loaded by an official Windows program instead.
  • Learn how the crooks are keeping their options open. SophosLabs was able to dig around amongst the other tools that the Kingminer gang currently have up their sleeves. Although their activities seem to go mainly around illegal cryptomining, our researchers found they have an unhealthy interest in remote access and backdoor Trojans, Linux malware and password stealing tools, too.

Learn more by reading the full report.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.


Domain-based protections such as Umbrella might be able to help. I haven’t used it, but as I understand it, they can be used to catch domain queries for fast flux domains. I believe tools like that can block requests for all domains registered in the past 24 hours, for example.


Various products and services do that sort of thing to try to protect you from “new badness”. SophosLabs, for example, uses the newness of a domain registration (amongst other attributes) as part of judging its reputation.
Of course, there’s a problem with un-nuanced blanket rules such as “make domains wait 24 hours” is that crooks are passed masters at gaming known and specific limits – just like in the early days of spam filtering where ISPs regularly adjusted set rate limits on email sending so the spammers would adjust their spamming engines so they were *just* under the threshold every time.
For example, if they know you use 24 hours as your DNS deadlne, they’ll wait 25 hours; you might bump your limit up again; so will they – and in the end you will reach a limit that gets in the way of normal internet use and you’ll have to dial the threshold back, and they’ll follow you down again, and so it goes on.


It’s definitely a cat and mouse game, but when DNS is used to deceive defenses by quickly shuffling in IPs before they can be recognized as bad, tools like this can help, even if they are un-nuanced.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!