Site icon Sophos News

Cryptomining criminals under the spotlight – a SophosLabs report

Remember cryptojacking?
That’s where websites would insert JavaScript software that mined cryptocurrency into web pages that you visited so that as long as you stayed on the page, your computer would be churning away, mining cryptocoins…
…on behalf of someone else.
Cryptojackers didn’t need to hack thousands of computers and install malware on every one of them – they could hack one web server and potentially run their money-making JavaScript software in thousands or even millions of browsers as innocent visitors visited that website.
In short, cryptojacking was a surprisingly simple, cross-platform, cloud-based way to steal other people’s processing power.
There was even a short-lived attempt to commercialise (and therefore to legitimise) cryptojacking, where websites could invite you to opt in to receive cryptomining JavaScript as you browsed in lieu of paying a subscription fee or as an alternative to ads.
But the system never worked out and has almost entirely been abandoned now by cybercrooks and legitimate websites alike.
The main snag was that browser-based cryptomining needed so much CPU power that any website that tried it became as good as unusable by visitors, whose browsers would bog down completely (and whose laptop cooling fans would fire up noisily in complaint), all in return for a negligible cryptocoin payout.
The economics just didn’t work out.
Visitors learned to avoid websites that tried to use it; most anti-virus software routinely started stripping out cryptocoin mining JavaScript anyway; the best-known service trying to commercialise browser-based mining shut down; and that, for many people, was that.


Because of the failure of browser-based cryptojacking in both its legitimate and criminal forms, it’s easy to assume that unlawful cryptomining has died out altogether and that cybercrooks have dropped this sort of attack from their arsenal entirely in favour of bigger money-earners such as ransomware and data theft.
Sadly, however, unlawful cryptomining is still a thing, and SophosLabs has just published a report that follows the evolution and operation of the cybercrime gang behind a botnet known as Kingminer.

Botnets, also known as zombie networks, are collections of infected computers that regularly call home to a single group of crooks to await further instructions, meaning in theory that the crooks who control a botnet could use the computers ensnared in it for almost any cybercriminal activity they wanted.
That could include stealing data, watching you on your webcam, snooping on your typing and browsing, sending out vast volumes of spam, using your computer as a jumping-off point to attack other people…
…or operating a giant pool of cryptomining computers.
Cryptomining seems to be the top activity in the Kingminer gang’s playbook, and they’re not targeting home users with laptops but instead going after company networks and all the computers on them.
Even with offices in many countries closed due to coronavirus regulations, company networks are still running, and those networks often contain lots of juicy servers that make an attractive target for cryptomining malware.
After all, servers have two desirable properties for cryptomining abuse, namely that they’re always on, so any unauthorised mining runs 24/7, and they’re usually much more powerful than the average laptop, so the crooks can dial in decent earnings without taking over the server so completely that they get noticed.

The Kingminer gang

The new Kingminer report makes fascinating reading because it delves into the malware delivery system that the crooks in this gang have been evolving and using for several years now.
In the report, you will:

Learn more by reading the full report.


Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.

Exit mobile version