At present there is a lot of speculation in cryptocurrency. People try to mine it everywhere, and even though earning coins by mining keeps getting harder, interest remains very high. The only running cost is electricity.
So, no surprise, some people look for ways to mine using other people's power. Some do it by plugging a 1900 watt, whisper-quiet, terahash ASIC miner in at work, while others try to reduce their chance of getting caught by mining coins with malware botnets. Mining botnets have become very popular because they are more profitable than ransomware and less likely to be detected.
According to David Holmes at Security Week, crypto mining malware is not overtly malicious, which is why it is hard to detect. However, if you look closer, three assets are being attacked: system integrity, compute, and power. Even though crypto mining malware is less harmful than ransomware or an APT, it is still malware and can be detected with the same methods used to detect any other malware.
So, how do you spot mining malware?
1. Monitor the Network
Miners usually connect to mining pool platforms. For instance, the Stratum protocol commonly uses ports 3333, 1333, 8333 and so on. Advanced antivirus systems and a decent "established-only" SNAT firewall should block all incoming mining requests. Users should also be alerted to network anomalies, using the same tools they would use for outbound inspection of any other type of cyber threat. However, many of these connections will be encrypted and may require SSL inspection.
Peer-to-peer mining pools can use DNS to locate hosts. Users whose threat feed includes common pool servers as Indicators of Compromise (IOCs) shouldn't get infected. Those who do not have such IOCs should get a feed that does, or detect the malware another way. When you find an infection, check its config for "pool_address" and watch the network for other devices connecting to that address.
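As an added example (not from the article or from Security Week), the following Python script applies the network checks above to a constructed connection log: it flags outbound connections to the Stratum ports named above, connections to hosts on a block list, and payloads carrying Stratum's "mining.*" JSON-RPC method names. The pool host names, addresses and log lines are constructed placeholders; a real deployment would load a threat feed such as the block lists mentioned later in the article.

```python
import json
import re

# Ports the article names as common Stratum pool ports.
STRATUM_PORTS = {3333, 1333, 8333}
# Constructed placeholder block list; a real deployment loads an IOC feed here.
POOL_HOSTS = {"pool.example-miner.invalid", "xmr.example-pool.invalid"}

# Constructed outbound-connection log: src -> dst:port [first payload bytes]
SAMPLE_LOG = """\
10.0.0.12 -> www.example.com:443
10.0.0.12 -> pool.example-miner.invalid:3333
10.0.0.40 -> 203.0.113.7:3333 {"id":1,"method":"mining.subscribe","params":[]}
10.0.0.55 -> 198.51.100.9:8333
10.0.0.55 -> mail.example.com:25
"""

LINE_RE = re.compile(r"^(\S+) -> ([^:\s]+):(\d+)(?:\s+(.*))?$")


def classify(line):
    """Return the reasons a single connection looks like mining traffic ([] if clean)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    host, port, payload = m.group(2), int(m.group(3)), m.group(4)
    reasons = []
    if host in POOL_HOSTS:
        reasons.append("known pool host")
    if port in STRATUM_PORTS:
        reasons.append("stratum port")
    if payload:  # Stratum is JSON-RPC; its method names start with "mining."
        try:
            if str(json.loads(payload).get("method", "")).startswith("mining."):
                reasons.append("stratum rpc")
        except (ValueError, AttributeError):
            pass
    return reasons


def find_suspects(log_text):
    """Map each source address to the set of reasons its connections were flagged."""
    suspects = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            suspects.setdefault(line.split()[0], set()).update(reasons)
    return suspects
```

A port match alone is a weak signal (ports are easy to change), so treat the block-list and JSON-RPC hits as the higher-confidence reasons and use the port hit to prioritise SSL inspection.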
In addition, prevent employees from running their own hardware cryptominers at their desks. The most effective way is to use the most secure network practice available today: do not let unknown MAC addresses onto the network.
2. Monitor Servers
Monitor your servers, making sure you track their CPU usage and temperature. If any device goes to 100% at night and stays there, it could be a sign of a malicious miner. Even if the malware does not use 100% of the CPU, its load will stay constant, so monitor for that too.
There are tools that will tell you when new files have been installed on servers.
3. Protect Users via a Block List
If your threat feed doesn't have a list of those IoCs, there are at least a couple of open-source ones maintained by Good Samaritans like @hobbygrafix, including uBlock and CoinBlockerLists. D. Holmes wrote: "There's a cute little tool, Dr. Mine, that you can install in your browser that utilizes those threat feeds to do the same. Note, I haven't tried it, but I acknowledge that it exists."
To conclude, users should take a step back and realize that cryptocurrency mining malware is just one more kind of malware. To protect yourself from it, take the same steps you would take to prevent any other type of malware. As Security Week puts it, "Get back to the basics".