A crypto malware is a type of malware that allows threat actors to use someone else’s computer or server to mine for cryptocurrencies. It has become one of the most prominent malware types since 2017. Why?

Crypto malware’s rise in popularity probably has a lot to do with the fact that cryptomining is a resource-intensive process that jacks up a user’s electricity bill for one and uses up his or her computer’s processing power, disallowing other tasks to be performed at the same time. 


Read More about “Crypto Malware

Crypto Malware

A Brief History of Crypto Malware

The first crypto malware, which mined dogecoins using the Harvard University’s Odyssey computer cluster, was discovered in 2014. That discovery was soon followed by a similar attack that same year, albeit to illegally mine bitcoins, using the National Science Foundation (NSF)’s supercomputers.

But crypto malware actually made headlines only from 2017 onward, as cybercriminals doubled their effort to hijack insufficiently secured computers, servers, and even browsers to fill their own cryptocurrency wallets. One particularly interesting attack involved former U.S. Federal Reserve employee Nicholas Berthaume who illicitly mined for bitcoins using his employer’s computers.

The volume of crypto malware grew 4,000% from 500,000 in 2017 to 4 million in 2018. In 2019, two crypto malware variants that mined Monero coins—Coinhive and XMRig—were the most distributed malware worldwide. In the first half of 2020, five of the most commonly detected crypto malware variants were:

  • XMRig
  • JSEcoin
  • WannaMine
  • RubyMiner
  • NRSMiner

The figure below shows their distribution.

Source: Statista

How Does Crypto Malware Work?

Like any other malware, crypto malware infection begins with an innocent-looking email or web page. When you click a malicious link embedded in these communications, a crypto mining code gets downloaded onto your computer.

The crypto malware will then use your computer’s resources to mine cryptocurrencies without your knowledge. The process stays hidden in the background.

In other cases, it would only take a visit to the wrong website to get your computer resources exploited. Threat actors can inject malicious JavaScript on a web page that allows cryptocurrency mining on the devices of all site visitors. The image below reflects the infection process.

How Does Crypto Malware Work

Crypto malware attacks may target more than the victim’s computer or device resources. Threat actors are also increasingly using crypto ransomware to encrypt user data to extort money. The infection chain is relatively the same as other crypto malware attacks.

Cryptojacking and Crypto Malware: What’s the Difference?

Cryptojacking is the act of using crypto malware to use someone else’s computer for cryptomining illegally. It is usually done in the two ways described below.

In some cases, victims are tricked into installing a malicious cryptomining code into their computers through phishing-like tactics. The users receive a legitimate-looking email that encourages them to click a link. The link runs the code that installs the cryptomining script onto their computers. The script runs in the background every time the victims use their computers.

In other cases, cybercriminals inject a malicious script into a vulnerable website or ad that gets delivered to multiple sites. The script automatically runs when victims visit the infected website, or the infected ad pops up in their browsers. In this scenario, the malicious code does not get stored in the victims’ computers, making the malware hard if not impossible to detect.

The point is, regardless of the method used, the malicious code solves complex mathematical problems on victims’ computers and sends the solutions to a hacker-controlled server.

You can learn more about cryptojacking in this definition.

How Do You Protect against Crypto Malware Attacks?

Whether threat actors are after your resources or data, protecting your devices from crypto malware attacks is vital. Below are some of the security measures you can employ.

  • Don’t open emails from unknown senders.
  • Don’t click links or download file attachments without verifying their sources.
  • Disable JavaScript on your browser.
  • Enable ad blockers on your browser.
  • Make sure your devices have updated software.
  • Install antivirus and antimalware programs on your devices and regularly update them.

The first four best practices help you stay away from common vehicles threat actors use to distribute crypto malware. The last two tips can protect your device if crypto malware somehow make their way into your system.

Infamous Crypto Malware throughout the Years

We have seen various crypto malware make their way into victims’ computers over time. Some have gained infamy, such as:

  • PowerGhost: Known to infect corporate networks primarily in countries like India, Turkey, Brazil, and Colombia so that cybercriminals can get the biggest bang for their buck.
  • Graboid: The first crypto malware with wormlike capabilities that allow it to spread through unprotected containers in virtual networks. It has infected more than 2,000 Docker deployments by October 2019.
  • MinerGate: Notorious for its evasion tactic of halting its operation when the victim’s computer is in use. It detects mouse movements and pauses mining activities to avoid discovery.
  • BadShell: Uses Windows processes to evade detection. It uses PowerShell to inject the malware into running processes, Task Scheduler to keep running, and registries to store the malware’s binary code.
  • Facexworm: A malicious Chrome extension that uses Facebook Messenger to infect users’ computers. While it was initially an adware dropper, it now targets cryptocurrency exchanges and delivers malicious cryptomining code.
  • WinstarNssmMiner: Known for crashing a victim’s computer if it is removed.
  • CoinMiner: Notorious for seeking out and halting running cryptocurrency mining processes (if the victim is into mining, that is) so it can execute and deliver coins to its operator.

While cryptocurrency mining is not illegal, doing it using someone else’s computer or server is a malicious act. Spreading and profiting from infecting users’ computers with crypto malware can be considered a cybercrime and is punishable by law.

Other interesting terms…