Malicious cryptocurrency miners: Status and Outlook

04.03.2025

Radhesh Krishnan Konoth (1), Rolf van Wegberg (2), Veelasha Moonsamy (3), and Herbert Bos (1)

(1) Vrije Universiteit Amsterdam, The Netherlands, r.k.konoth@vu.nl, herbertb@cs.vu.nl
(2) Delft University of Technology, The Netherlands, R.S.vanWegberg@tudelft.nl
(3) Radboud University, The Netherlands, email@veelasha.org

Abstract. In this study, we examine the behavior and profitability of modern malware that mines cryptocurrency. Unlike previous studies, we look at the cryptocurrency market as a whole, rather than just Bitcoin. We not only consider PCs, but also mobile phones and IoT devices. In the past few years, criminals have attacked all these platforms for the purpose of cryptocurrency mining. The question is: how much money do they make? It is common knowledge that mining Bitcoin is now very difficult, so why do the criminals even target low-end devices for mining purposes? By analyzing the most important families of malicious cryptocurrency miners that were active between 2014 and 2017, we are able to report how they work, which currency they mine, and how profitable it is to do so. We will see that the evolution of the cryptocurrency market, with many new cryptocurrencies that are still CPU-mineable and offer better privacy to criminals, has contributed to making mining malware attractive again, with attackers generating a continuous stream of profit that in some cases may reach into the millions.

Keywords: malware, cryptocurrency mining, mobile phone, IoT

1 Introduction

A cryptocurrency is a digital asset designed to work as a medium of exchange. Bitcoin [19] became the first decentralized cryptocurrency in 2009. By design, cryptocurrencies need significant computational processing to validate transactions and add them to a distributed ledger (the blockchain), and networks of so-called miners therefore set themselves to the task of maintaining the working of Bitcoin. Incentivized by financial reward, cryptocurrency miners uphold the network by validating transactions. The financial reward serves as a compensation for the computing power needed to execute the aforementioned tasks. However, if one could steal or borrow computing power from others, the financial reward would grow significantly, since the system would generate income at little or no cost to the beneficiary. This is what motivated cyber criminals to experiment, as early as 2009, with using botnets of infected machines as silent cryptocurrency miners to maximize their profits.

For some time, in the days that banking trojans such as GameOver Zeus ruled cyber crime [33], cryptocurrency mining gained a certain amount of popularity among cyber criminals who were, after all, already in the business of compromising PCs and herding large numbers of them in botnets. In those days, we saw the first criminals infecting machines exclusively to steal CPU resources to mine Bitcoins on their behalf. Within a few years, however, the profits of the Bitcoin mining botnets dwindled, as mining became too difficult for regular machines, and Bitcoin mining botnets fell into decline. Analyses by security companies in 2014 suggested that malicious miners are not profitable on PCs and certainly not on mobile devices [15].

Banking trojans and later also ransomware became the cyber criminals’ workhorses. Both have drawbacks. For instance, cashout is tricky and researchers have shown that it is possible to trace even Bitcoin transactions [30,13,17]. Switching to more privacy-preserving currencies such as Monero or Zcash is not easy, because in many countries it is not possible to buy such currencies with normal bank accounts. Moreover, both banking trojans and ransomware tend to be noisy—users notice when money is stolen. After the theft, most bots are burned, as users clean up their systems to prevent further damage.

Botnets of cryptocurrency miners have no such disadvantages. A bot can easily mine privacy-preserving currencies, to make all profits untraceable. The theft is also stealthy, as no money transfers from the user’s bank account. The cost to the user is in a higher electricity bill and reduced computing performance. Moreover, rather than a one-time hit, the cryptocurrency miner can generate a continuous stream of income.

Finally, one main cause of the decline of cryptocurrency malware has disappeared: it is now profitable to mine cryptocurrencies with regular CPUs again. New cryptocurrencies are introduced all the time and, unlike Bitcoin, these are still mineable without specialized hardware. In fact, in this paper, we will show that even low-end IoT devices are interesting targets for crypto mining. The market now counts over 1,500 cryptocurrencies, out of which more than 600 see active trade. At the time of writing, they represent over 50% of the cryptocurrency market.

As many of these coins are CPU mineable and provide better privacy, the research question we ask is the following: has cryptocurrency mining become attractive to cyber criminals again?

To answer this question, we perform the first scientific study of the phenomenon of malicious cryptocurrency mining that goes beyond Bitcoin. Like the McAfee report [15] from 2014, a narrower study by Huang et al. [11] of malicious Bitcoin miners between 2011 and 2013 found that Bitcoin mining was only marginally profitable. In the three years that followed, Bitcoin mining has become so hard that without specialized hardware it is no longer practical at all. However, the world has changed and the number of alternative currencies has exploded.

In a single sentence in the conclusions, Huang et al. [11] speculated that such a change may make the mining activities profitable again, but leave this for future work. In this paper, we examine such alternative coins. We will look at malware in the wild by analyzing existing malicious cryptocurrency miners targeting different platforms for different currencies, and provide methods to detect them. We will see that in 2017 alone, four new families of malicious cryptocurrency miners have emerged. None of them mine Bitcoin. Moreover, we investigate to what extent the evolution of the cryptocurrency market made mining malware more practical and profitable. Our study shows that it makes economic sense for attackers to invest in this type of activity.

Contributions We make the following contributions:

  • We study how the growth of the cryptocurrency market and the growth in computation power of devices favors malicious cryptocurrency miners.
  • We assess the profitability of criminal business models using malicious cryptocurrency miners, their likelihood of occurrence, and their impact.
  • We analyze existing malicious cryptocurrency miners to understand how they spread, what payload they use and how the cashout happens.

Outline The rest of the paper is organized as follows. In Section 2, we introduce and describe the basic terminology of cryptocurrency mining. Section 3 includes a detailed analysis of our data set of malicious cryptocurrency miners that exist in the wild. A discussion of our findings and, importantly, an outlook for the future and detection mechanisms are presented in Section 4. In Section 5, we provide a brief overview of related work, and finally we conclude the paper in Section 6.

2 Background on Cryptocurrencies

A cryptocurrency is a medium of exchange much like the euro or the dollar, except that it uses cryptography and blockchain technology to control the creation of monetary units and to verify the transfer of funds. Bitcoin [19] was the first such decentralized digital currency. A cryptocurrency user can transfer money to another user by forming a transaction record and committing it to a distributed append-only database called the blockchain. The blockchain is maintained by a peer-to-peer network of miners. A miner collects transaction data from the network, validates it and inserts it into the blockchain in the form of a block. When a miner successfully adds a valid block to the blockchain, the network compensates the miner with cryptocurrency (e.g., Bitcoins). In the case of Bitcoin, this process is called Bitcoin mining and this is how new Bitcoins enter circulation. Bitcoin transactions are protected with cryptographic techniques that ensure only the rightful owner of a Bitcoin address can transfer funds from it.

Since Bitcoin was created in 2009, around 1500 other types of cryptocurrencies have been introduced [9]. We commonly refer to these cryptocurrencies as alternative coins, or altcoins for short. Like Bitcoin, altcoins also use blockchain technology and have a similar reward mechanism. However, each altcoin differs in other characteristics, such as speed, traceability, and security. For instance, the Monero altcoin provides more privacy than any other currently existing cryptocurrency. With major industrial players such as J.P. Morgan Chase, Microsoft, Intel, and Google backing some of these cryptocurrencies, altcoins are increasingly popular. Today, altcoins such as Ethereum, Ripple, Litecoin, Dash and Monero together make up a little over 50 percent of the total cryptocurrency market [3], while the rest is owned by Bitcoin.

2.1 Cryptocurrency Mining

To add a block (i.e., a collection of transaction data) to the blockchain, a miner has to solve a cryptographic puzzle based on the block. This mechanism prevents malicious nodes from trying to add bogus blocks to the blockchain and earn the reward illegitimately. A valid block in the blockchain contains a solution to a cryptographic puzzle that involves the hash of the previous block, the hash of the transactions in the current block, and a wallet address to credit with the reward.

In accordance with Satoshi Nakamoto’s original Bitcoin paper [19], the puzzle is designed such that the probability of a miner finding a solution is proportional to its computational power. Additionally, the difficulty of solving the puzzle increases with the length of the blockchain. Consequently, a situation arose where mining for Bitcoin using a regular CPU was no longer profitable. Instead, miners started using specialized mining hardware such as ASICs and FPGAs.

2.2 Cryptocurrency Mining Pools

As mentioned, the probability of mining a block is proportional to the computational resources used for solving the associated cryptographic puzzle. Due to the nature of the mining process, the interval between mining events exhibits high variance from the point of view of a single miner. In other words, a single home miner using a dedicated ASIC is unlikely to mine a block for years. Consequently, miners typically organize themselves into mining pools. All members of a pool work together to mine each block, and share the revenue when one of them successfully mines a block.

The mining pool server assigns jobs to its members. To prove that it is contributing to solving the ultimate cryptographic puzzle, a miner submits partial solutions, known as shares, to the pool server. The pool server rewards the miner in proportion to the number of valid shares it submitted.

2.3 Pool Mining Protocol

The protocol used by miners to reliably and efficiently fetch jobs from mining pool servers is known as Stratum [2]. It is a clear-text communication protocol built over TCP/IP, using a JSON-RPC format. Stratum prescribes that miners who want to join the mining pool first send a subscription message, describing the miner’s capability in terms of computational resources. The pool server then responds with a subscription response message, and the miner sends an authorization request message with its username and password. After successful authorization, the pool sends a difficulty notification that is proportional to the capability of the miner, ensuring that low-end machines get easier jobs (puzzles) than high-end ones. Throughout this paper we will use the term high-end machine to describe a PC and low-end machine to describe both mobile devices and IoT devices; Stratum ensures that even low-end machines may contribute to the mining process. Finally, the pool server assigns these jobs by means of job notifications. Once the miner finds a solution, it sends the solution in the form of a share to the pool server. The pool server rewards the miner in proportion to the number of valid shares it submitted and the difficulty of the jobs.

For instance, a user with a low-end machine will receive a low difficulty, which means its miner solves puzzles with low difficulty. A high-end machine, on the other hand, should not solve such easy puzzles, because doing so would overwhelm the pool server with large numbers of shares per second. Instead, it will receive more difficult challenges that take approximately the same time as easy challenges on the low-end machine. Irrespective of a machine’s computational power, the miner’s reward will be proportional to the number of valid shares and their difficulty.
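The subscribe, authorize, difficulty notification, job notification and share submission exchange described in this section, played out in-process, together with the share-weighted reward of Section 2.2. This is an added example and not code from the paper or from any pool or miner; the pool, worker names, difficulty thresholds and the toy SHA-256 puzzle are constructed stand-ins, while the `mining.*` method names follow the Stratum JSON-RPC convention. The last function shows why clear-text Stratum is easy to spot in captured traffic.

```python
import hashlib
import json

STRATUM_METHODS = ("mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "mining.set_difficulty")

def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest; the toy difficulty is measured in these."""
    for i, byte in enumerate(digest):
        if byte:
            return 8 * i + 8 - byte.bit_length()
    return 8 * len(digest)

def share_hash(job_id: str, nonce: int) -> bytes:
    """Toy proof-of-work (constructed): SHA-256 over the job id and a nonce."""
    return hashlib.sha256(f"{job_id}:{nonce}".encode()).digest()

def mine_share(job_id: str, difficulty: int, start: int = 0) -> int:
    """Search nonces from `start` until the toy hash meets the assigned difficulty."""
    nonce = start
    while leading_zero_bits(share_hash(job_id, nonce)) < difficulty:
        nonce += 1
    return nonce

class PoolServer:
    """In-memory pool for one Stratum connection: difficulty follows the miner's
    declared capability, shares are checked against it, and credit is proportional
    to the number of valid shares times their difficulty (2**bits expected hashes)."""

    def __init__(self, job_id: str = "job-0001"):   # job id is a constructed placeholder
        self.job_id = job_id
        self.pending_difficulty = 8   # set by subscribe, bound to a worker by authorize
        self.difficulty = {}          # worker -> assigned difficulty in leading zero bits
        self.credit = {}              # worker -> accumulated work units

    def handle(self, raw: str) -> list:
        """Process one JSON-RPC line from the miner and return the lines sent back."""
        msg = json.loads(raw)
        method, params, mid = msg["method"], msg["params"], msg["id"]
        if method == "mining.subscribe":
            # params: [user agent, declared hash rate]; the thresholds are constructed
            self.pending_difficulty = 8 if params[1] < 100 else 12
            return [json.dumps({"id": mid, "result": ["sub-1"], "error": None})]
        if method == "mining.authorize":
            worker = params[0]
            self.difficulty[worker] = self.pending_difficulty
            self.credit.setdefault(worker, 0)
            return [json.dumps({"id": mid, "result": True, "error": None}),
                    json.dumps({"id": None, "method": "mining.set_difficulty",
                                "params": [self.difficulty[worker]]}),
                    json.dumps({"id": None, "method": "mining.notify", "params": [self.job_id]})]
        if method == "mining.submit":
            worker, job_id, nonce = params
            bits = self.difficulty[worker]
            ok = job_id == self.job_id and leading_zero_bits(share_hash(job_id, nonce)) >= bits
            if ok:
                self.credit[worker] += 2 ** bits
            return [json.dumps({"id": mid, "result": ok, "error": None})]
        return [json.dumps({"id": mid, "result": None, "error": "unknown method"})]

def run_session(pool: PoolServer, worker: str, hashrate: int, shares: int) -> int:
    """Play the subscribe/authorize/notify/submit exchange and return the credit earned."""
    pool.handle(json.dumps({"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.3", hashrate]}))
    replies = pool.handle(json.dumps({"id": 2, "method": "mining.authorize", "params": [worker, "x"]}))
    bits = json.loads(replies[1])["params"][0]      # mining.set_difficulty
    job_id = json.loads(replies[2])["params"][0]    # mining.notify
    nonce = 0
    for i in range(shares):
        nonce = mine_share(job_id, bits, nonce)
        pool.handle(json.dumps({"id": 3 + i, "method": "mining.submit", "params": [worker, job_id, nonce]}))
        nonce += 1
    return pool.credit[worker]

def looks_like_stratum(line: str) -> bool:
    """Stratum is clear-text JSON-RPC over TCP, so one captured line is enough to flag it."""
    try:
        msg = json.loads(line)
    except ValueError:
        return False
    return isinstance(msg, dict) and "id" in msg and msg.get("method") in STRATUM_METHODS
```

A low-end worker (declared hash rate 10) is handed difficulty 8 and a high-end one (500) difficulty 12, so three valid shares earn 768 and 12288 work units respectively: the same share count, but credit scales with the work behind each share.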

3 Malicious Miners

We created a collection of malicious cryptocurrency miners for different platforms (PC, mobile/Android, and IoT). Specifically, we collected 197 samples of 8 different families, which we believe are practically all the active families of malicious cryptocurrency miners in our evaluation period. We received the samples from VirusTotal (VT) and made a manual effort to ensure that we did not miss any relevant families, by analyzing as many blogs and forums that discuss crypto miners as we could find [21,29] and downloading all the samples based on the hashes mentioned in them. The majority of our dataset comprises cryptocurrency miners that were active during the period of 2014 to (August) 2017.

For PC platforms, we analyzed BitcoinMiner.J, Mal/Miner-C, BitCoin-Miner.hxao and Adylkuzz that target Windows, as well as SambaCry which targets Linux. For the mobile platform, we studied samples of the Kagecoin and BadLepricon families, which are affecting Android users. Lastly, we added an IoT-based malicious cryptocurrency miner named Shell.Miner, which appeared in 2017 and affected a variety of IoT devices. Table 1 provides an overview of our dataset.

In the remainder of this section, we analyze the characteristics of the malware samples in our experimental dataset and discuss how these characteristics are evolving along with the cryptocurrency economy, as well as with the computation power of both high- and low-end devices.

Table 1. Overview of our dataset

Family              Target platform   VT: first seen   VT: last analyzed
BitcoinMiner.J      PC (Windows)      2009             2017
Mal/Miner-c         PC (Windows)      2014             2017
Kagecoin            Android           2014             2017
BitCoinMiner.hxao   PC (Windows)      2016             2017
BadLepricon         Android           2017             2017
Adylkuzz            PC (Windows)      2017             2017
Sambacry            PC (Linux)        2017             2017
Shell.Miner         IoT               2017             2017

3.1 Cryptocurrency mining on PCs

BitcoinMiner.J, Mal/Miner-c, BitCoinMiner.hxao, Adylkuzz and Sambacry are the main malicious cryptocurrency miner families that were actively targeting Windows and Linux OS from the year 2009 onward.

BitcoinMiner.J and BitCoinMiner.hxao use social engineering and phishing techniques to infect machines, while Mal/Miner-c and Adylkuzz use a worm component to spread to and exploit other machines in the same network. Specifically, Mal/Miner-c exploits a design flaw in Seagate Central devices [29] to infect other machines in the same network, and Adylkuzz uses the exploit for the Microsoft SMB vulnerability [26] dumped by the Shadow Brokers in the beginning of 2017. Similarly, SambaCry targets Linux machines by exploiting a vulnerability in an older version of Samba [7].

Coin mining The Mal/Miner-c malware contains three components that can be used for mining Monero (XMR) coins: NSCpuCNMine32.exe, NSCpuCNMine64.exe and NSGpuCNMine.exe. After inspecting the CPU type and GPU of the victim’s device, it selects the most suitable one to mine coins efficiently.

Through manual analysis and code comparison, we discovered that, in general, the miner components are just obfuscated versions of CPUminer, which is freely available [5]. Prior to mining, the miner downloads a configuration file from the C&C server. This file contains the pool server details that the miner should use and the address of the wallet to which the mined coins should be credited. Moreover, the miner uses the Stratum protocol to communicate with the pool server of a mining pool. These mining pools are legitimate mining pools that can be used by anyone willing to contribute their computation power to mine coins.

The cryptocurrency miner version of Adylkuzz surfaced only around May 2017. Through manual analysis of all available samples, we discovered that the miner component of this malware is a packed version of CPUminer (version 2.3.3), which is open source. After the infection has taken place, the miner contacts the C&C server for the configuration file, which contains information on what coin to mine and which pool server to use. This miner was also mining (privacy-friendly) Monero coins by connecting to a legitimate Monero pool server. Moreover, it had two versions of the miner embedded in the binary, one for 32-bit systems and another for 64-bit systems.

The BitcoinMiner.hxao cryptocurrency miner uses social engineering and phishing techniques to infect users. After infecting the device, the main component of the malware installs the miner component as a Windows background service. By reverse engineering the available samples, we discovered that this miner component is the MinerGate Admin edition, which is mining software for MinerGate mining pool users. Even though the pool supports various altcoins, the malware is configured to mine the same untraceable Monero coins. Anyone can register with this pool using a valid email address. Then, to mine a cryptocurrency, the user can run this mining software on any device by just specifying her email and the pool URL. Finally, the user can withdraw the mined coins from her wallet address by signing into her pool account. While we found the email address that is being used by these malware samples, without knowing the password of the account we cannot find out how much Monero this group of cyber criminals managed to mine.

The Sambacry cryptocurrency miner takes over Linux servers, also to mine Monero coins, by exploiting a Samba remote code execution vulnerability. After successful execution on the server, it installs a backdoor which gives the attacker shell access to the server. Using this access, the attacker uploads and executes two files: INAebsGB.so and cblRWuoCc.so. The INAebsGB.so file makes sure that the attacker has persistent access to the machine. Meanwhile, the other file, cblRWuoCc.so, downloads the open source version of CPUminer. The wallet address to which the mined coins should be credited and the pool server that should be used by the miner were hard-coded in the binary. Using this information, an analyst can find out how many coins this malware has mined so far.

Cash out Prior research [29] on Mal/Miner-c aimed to find out how many coins the malicious miner was able to mine using the APIs provided by the Monero pool server. According to the author, the mining pool paid 58,577 Monero (XMR) to the attacker’s wallet. Note that, when the malicious attack was launched, the price of one XMR was 1.5 USD and at the time of writing this paper (September 1, 2017), one XMR was valued at 140 USD—making the value of the mined XMR by this campaign some 8,200,780 USD, today.

Moreover, an independent investigation on BitcoinMiner.hxao [16] showed that a campaign managed to mine 2,289 XMR which is equivalent to 320,460 USD today.

Another study [21] analyzed Adylkuzz and estimated that a campaign which took place in 2017 managed to mine 1,570 XMR using 3 different wallet addresses in a period of three weeks. However, it is quite likely that further campaigns use other wallet addresses, so there is no certainty about the total number of coins mined by Adylkuzz. Today, the value of the Monero coins mined by this campaign is at least 220,000 USD.

Lastly, according to [14], SambaCry mined 98 XMR in a month using a single wallet address. To date, the value of the Monero coins mined by this campaign is 13,720 USD.

3.2 Cryptocurrency mining on Android

BadLepricon and Kagecoin were two cryptocurrency miner families targeting Android and whose apps were found in the Google Play store disguised as wallpaper apps. Additionally, a version of Kagecoin spread through third-party stores as a repackaged app.

Coin mining Based on the samples from our dataset, we found that BadLepricon was mining Bitcoins whereas Kagecoin focused on altcoins such as Litecoin, Dogecoin and Casinocoin. Different cryptocurrencies use different proof-of-work (PoW) algorithms, hence the apps need to implement these algorithms in order to mine for that particular coin. All the mining apps for Android available today are using the open source version of CPUminer that supports different PoW algorithms. Moreover, in the case of Android, we observed that to reduce the overhead, cyber criminals combine it with open source CPU miner code for ARM, which they embed in apps as native code.

After fulfilling the advertised functionalities of the app, BadLepricon enters into an infinite loop where every five seconds it checks the battery level, network connectivity, and the display status (to see if the phone’s display is on). While it almost seems as if it performs these checks as a courtesy to the user’s phone, in reality it helps the malware to fly under the radar and survive longer. Firstly, when left unsupervised, mining algorithms can damage a phone by using excessive processing power which ultimately burns out the device. In order to avoid this, BadLepricon makes sure that the battery level is running at over 50 percent capacity, the display is turned off, and the phone network connectivity is on. Secondly, monitoring the phone’s battery status is a good way of hiding your activities. BadLepricon also uses the WakeLock permission—an Android feature that makes sure the phone does not go to sleep even when the display is turned off.

For Kagecoin, the miner component starts as a background service. Since cryptocurrency mining is a CPU intensive operation, it could run down the battery of the device very quickly. The first version of Kagecoin (ANDROIDOS-KAGECOIN.HBT) did not have any mechanism to hide this behaviour from the user. However, the second version of the malware only mines when the phone is in its charging state, so that most users will be oblivious to any suspicious activities taking place on their device.

Cash out In order to control millions of bots, the malware author may use a proxy to set up one point of contact. BadLepricon uses a Stratum mining proxy [28] that allows an attacker to change mining pools dynamically. This makes it difficult for analysts to find out the attacker’s wallet address. Kagecoin, on the other hand, uses a different strategy: it has a component to update the configuration of the bot, which describes the coin to be mined, the attacker's wallet address and the pool to which to connect. In either case, the attacker consolidates the mined coins in a single wallet and then exchanges them for money using cryptocurrency exchanges.

3.3 Cryptocurrency mining in the IoT

While going through the samples downloaded from VirusTotal, we found a family of malware explicitly targeting Raspberry Pi devices. This malware was first uploaded to VirusTotal in August 2017. Kaspersky classified it as Shell.Miner. As a side note, in 2014 Symantec reported a malicious cryptocurrency miner called Darlloz which also targeted IoT devices, more specifically IP cameras. However, we were unable to find a sample of this malware for our analysis today.

To facilitate its propagation, Shell.Miner scans the IoT network for Raspberry Pi devices that are using default usernames and passwords. After compromising the device, it installs the open source version of CPUminer and then changes the password.

Coin mining Through manual analysis, we found that Shell.Miner uses a popular open source miner called cpuminer-multi to mine the Monero cryptocurrency. We also found the pool information and the attacker’s wallet address, which are hardcoded in the shell script. The pool server used by this malware is xmr.crypto-pool.fr (Figure 1).

We used a feature provided by the pool server to find out how many XMR were rewarded to this address by the mining pool. Figure 1 shows that the botnet is still actively mining Monero coins for the attacker at the time of writing this paper. We contacted the administrator of this pool and asked them to block the suspicious wallet address. It should be noted that this botnet is generating 2400 H/s (hashes per second), where one Raspberry Pi can only generate 8 to 10 H/s. This means that for this wallet, the botnet comprises some 3000 machines or more that are also being targeted by the same cyber criminal group.

Cash out Figure 1 shows that the criminals managed to mine 45 XMR with an accumulated hash rate of 2400 H/s. Since Monero’s dollar value as of 01 September 2017 was 140 USD, this means that the pool paid 6,300 USD worth of XMR to this wallet address in three months.

For contrast, Symantec reported that Darlloz mined 42,438 Dogecoins (approx. 46 USD in 2014) and 282 Mincoins (approx. 150 USD in 2014) using open source miner software. It should be noted that the value of these cryptocurrencies and the mining difficulty of Dogecoin were very low in 2014, and that the price of Dogecoin increased by 976 percent within three years. Therefore, it is only logical and most rewarding for the cyber criminals to mine coins with very low difficulty and keep them in the wallet until the currency value goes up.

4 Outlook

The advantages of malicious mining Malicious cryptocurrency mining started as early as 2009—the year that Bitcoin was introduced. In the years that followed, most criminals focused on banking trojans such as SpyEye and (GameOver) Zeus. But mining malware also gained popularity among cyber criminals who were, after all, already in the business of compromising PCs and herding large numbers of them in botnets.

Meanwhile, other criminal activities also rose in popularity, especially ransomware: malware that encrypts a user’s data and holds it hostage until the user pays the ransom money. Compared to banking trojans, it was less visible to the banks and the police. Specifically, the ransom amounts were small and all money transfers were legitimate as far as the banks were concerned, and initiated by the users themselves. From previous studies [20], we know that around 3 percent of the victims pay the ransom, some 300 USD in Bitcoin. Thus, the scheme revolves around the infection of many machines storing valuable user data. Moreover, the payout per infection is a one-time amount of a few hundred dollars. After that, many bots are ‘burned’ as users typically clean up their systems to prevent further damage. Additionally, ransomware is noisy: if many people get infected, many people talk about it [25,23,22]. Attracting attention is not always good for the criminals.

No such limitations exist for cryptocurrency mining: a bot can easily mine less common privacy-preserving cryptocurrencies to make all transactions untraceable from the start. Modern miners are now starting to target exactly these kinds of cryptocurrencies.
