Since 2015, ransomware has been the easiest and most effective way for cybercriminals to extract money from unsuspecting users and organizations. Before that, other threats had their moment in the sun: worms, phishing, fake antivirus and banking trojans are just a few examples. But as fashions change with the seasons, so do the tactics of criminals.
New threat intelligence gathered and analyzed by Recorded Future’s Insikt Group researchers yields significant insights into the latest method criminals use to monetize compromised systems. Drawing on a wide range of sources, this investigation identifies malicious cryptocurrency mining as a long-term, low-velocity revenue source for these threat actors. The analysis also examines the opportunity that mining malware presents to rogue nation states such as North Korea and explores how they may already be employing the technique.
Recent Cybercrime History
Fraudulent bank transfers remain, by some distance, the most profitable method for cybercriminals. However, these operations are complex to execute: threat actors must work with developers of web injects and automatic money-transfer malware, and getting at the stolen funds and laundering them depends on intermediaries who may themselves be dishonest. All of this makes the operational outcome of a banking malware campaign, to say the least, uncertain.
Against this landscape, ransomware offered a far more straightforward and less risky method. Fueled by the growing adoption of bitcoin, a global payment method that is pseudonymous and hard for law enforcement to trace, the outcome became essentially binary: either infected victims pay or they do not, but if they do, all of the money goes straight into the attacker’s wallet. As new vulnerabilities continued to be uncovered, ransomware became a fixture of the already established exploit kit distribution network.
In recent years the sophistication and damaging effects of ransomware have grown into a global problem, capable of crippling operations and costing public and private organizations hundreds of millions of dollars in losses. In the wake of the unprecedented WannaCry and NotPetya campaigns, attackers saw growing media attention and increased “heat” from law enforcement. This led the more situationally aware threat actors to search for the next “big idea”: something that could generate a steady income stream without the inherent risk.
Mining malware hides itself on a victim’s machine while using its processing power to mine cryptocurrency. The first samples appeared in 2013, but our analysis shows it was in the second half of 2017 that mining malware gained popularity among members of the criminal underground. By then, dozens of vendors were offering various types of mining malware at a range of prices and feature sets.
The profitability of mining malware is directly related to how long it remains undetected, which leads threat actors to use crafty techniques to hide the activity from users. The miner is typically hidden from Task Manager and is immediately relaunched if its process is killed or its files are deleted. Variants that mine on the graphics processor go further and suspend mining while a video game is running, since the resulting frame-rate drop would give the infection away.
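The evasion tricks above each leave a trace a defender can look for: a watchdog that relaunches the miner produces the same executable path under a fresh PID again and again, mining itself produces sustained rather than spiky CPU load, and every miner must talk to a pool, almost always over the Stratum protocol (JSON-RPC over TCP). The following is an added example, not code from the original post or from any malware family it describes, that runs these three checks over constructed process snapshots and captured flows; the file paths, PIDs, addresses and the list of pool ports are assumptions made for the demonstration.

```python
import json
from collections import defaultdict

# Methods a miner sends to its pool over Stratum (JSON-RPC over TCP). Seeing
# one of these in an outbound flow is a strong indicator regardless of port.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "login", "submit", "keepalived"}
# Ports mining pools commonly listen on. A weak indicator on its own, and
# the list is an assumption for this example, not a complete reference.
MINING_PORTS = {3333, 3334, 4444, 5555, 7777, 14444}


def is_stratum_payload(payload):
    """True if the first bytes of an outbound flow parse as a Stratum request."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return False
    return isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS


def respawning_images(samples, window_s=600, min_pids=3):
    """Image paths seen under >= min_pids distinct PIDs within window_s seconds.

    A miner kept alive by a watchdog shows up as the same executable path with
    a fresh PID each time it is killed; a benign service keeps one PID.
    """
    seen = defaultdict(list)                      # path -> [(ts, pid), ...]
    for s in samples:
        seen[s["path"]].append((s["ts"], s["pid"]))
    hits = set()
    for path, entries in seen.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            pids = {pid for ts, pid in entries[i:] if ts - start <= window_s}
            if len(pids) >= min_pids:
                hits.add(path)
                break
    return hits


def sustained_cpu_images(samples, threshold=80.0, min_samples=3):
    """Image paths at or above `threshold` % CPU in >= min_samples snapshots.

    Counting snapshots rather than a single reading ignores one-off spikes
    such as a browser rendering a heavy page.
    """
    counts = defaultdict(int)
    for s in samples:
        if s["cpu"] >= threshold:
            counts[s["path"]] += 1
    return {path for path, n in counts.items() if n >= min_samples}


def mining_flows(flows):
    """Outbound flows whose payload is Stratum, or that go to a common pool port."""
    hits = []
    for f in flows:
        if is_stratum_payload(f["payload"]):
            hits.append((f["pid"], f["dst"], f["dport"], "stratum"))
        elif f["dport"] in MINING_PORTS:
            hits.append((f["pid"], f["dst"], f["dport"], "pool_port"))
    return hits


def report(samples, flows):
    """Merge the three indicators into one list of reasons per image path."""
    pid_to_path = {s["pid"]: s["path"] for s in samples}
    reasons = defaultdict(list)
    for path in sorted(respawning_images(samples)):
        reasons[path].append("respawn")
    for path in sorted(sustained_cpu_images(samples)):
        reasons[path].append("sustained_cpu")
    for pid, dst, dport, kind in mining_flows(flows):
        reasons[pid_to_path.get(pid, "pid %d" % pid)].append("%s:%s:%d" % (kind, dst, dport))
    return dict(reasons)


# Constructed sample data: three process snapshots two minutes apart plus two
# captured outbound flows. The miner masquerades as svchost.exe under a
# hypothetical ProgramData path and is restarted under a new PID each time.
MINER = r"C:\ProgramData\svchost\svchost.exe"
SYSTEM = r"C:\Windows\System32\svchost.exe"
BROWSER = r"C:\Program Files\Browser\browser.exe"
SAMPLES = [
    {"ts": 0,   "pid": 4120, "path": MINER,   "cpu": 92.0},
    {"ts": 0,   "pid": 900,  "path": SYSTEM,  "cpu": 1.5},
    {"ts": 0,   "pid": 2200, "path": BROWSER, "cpu": 85.0},   # one-off spike
    {"ts": 120, "pid": 4388, "path": MINER,   "cpu": 95.0},
    {"ts": 120, "pid": 900,  "path": SYSTEM,  "cpu": 0.8},
    {"ts": 120, "pid": 2200, "path": BROWSER, "cpu": 6.0},
    {"ts": 240, "pid": 4501, "path": MINER,   "cpu": 90.0},
    {"ts": 240, "pid": 900,  "path": SYSTEM,  "cpu": 1.1},
    {"ts": 240, "pid": 2200, "path": BROWSER, "cpu": 4.0},
]
FLOWS = [
    {"pid": 4501, "dst": "203.0.113.10", "dport": 3333,
     "payload": '{"id":1,"method":"login","params":{"login":"wallet","pass":"x"}}'},
    {"pid": 2200, "dst": "198.51.100.5", "dport": 443, "payload": "\x16\x03\x01"},
]

if __name__ == "__main__":
    for path, why in report(SAMPLES, FLOWS).items():
        print(path, "->", ", ".join(why))
```

Two caveats worth keeping in mind. A GPU variant that pauses while a game runs, as described above, defeats the sustained-CPU heuristic by design, which is why the Stratum check matters: the miner has to log in to its pool regardless of how it throttles itself, and the protocol is visible unless the sample tunnels it over TLS. And in production the respawn check should be fed from process-creation telemetry (Sysmon event ID 1 or an EDR equivalent) rather than periodic snapshots, which can miss a short-lived PID entirely.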
Analysis of bitcoin wallets and conversations in criminal communities confirms the increasing prevalence of this kind of malware. In one instance a hacker expressed extreme satisfaction with the results of a trial infection:
“I’ve used ‘bots’ already under my control to upload 110 miners before going to sleep. By the time I woke up 108 were still alive, which took me by surprise. I expected a half would be dead by then.”
To stand out among the competition and meet customer demand, developers began extending their products, in some cases adding keylogging and data-interception functionality.
Nation-State Participation: North Korea
While our research did not identify any North Korea-specific cryptocurrency mining malware, given North Korea’s demonstrated interest in procuring cryptocurrency both legally and illegally, it is likely that the regime will employ mining malware in the near future if it has not already. North Korean threat actors have prior experience in assembling and managing botnets, in bitcoin mining and cryptocurrency theft, and in customizing publicly available malware: three elements that would be key to building and managing a network of covert cryptocurrency miners.
Technical Analysis of Mining Malware
We obtained a feature-rich mining malware called “1ms0rry MINERPANEL,” which is sold across the criminal underground. The product comes in several packages ranging in price from $35 to $850. The “Premium” version offers only barebones functionality, without access to the command and control (C2) panel, while the most comprehensive and expensive “Source” version includes the malware’s source code. Our evaluation was of the “Extended” version, sold for $100 and offering a range of features including the C2 panel. Alongside the required installation files, the package included a binder (a tool that joins multiple files into a single payload) and a step-by-step guide for building and deploying the miner.
You can find the full technical analysis of the mining malware, as well as more research and information on this new type of cyberthreat in the report, “Proliferation of Mining Malware Signals a Shift in Cybercriminal Operations” written by our Insikt Group research team.