This post by Roger Park originally appeared in VMware Security on February 23, 2022.
Cybercriminals are setting their sights on organizations to secretly mine cryptocurrencies with Linux-based multi-cloud environments becoming prime targets, according to “Exposing Malware in Linux-Based Multi-Cloud Environments,” a report conducted by the VMware Threat Analysis Unit.
This post highlights some key analysis of the cryptomining components used in recent cryptojacking attacks, techniques deployed, and how the threat can be detected and mitigated.
Mining Monero (XMR)
There are typically two approaches to cryptojacking attacks: cryptocurrency wallet-stealing malware or monetizing stolen CPU cycles to mine the digital currencies.
The report found that most cryptojacking attacks focus on mining the Monero cryptocurrency (or XMR) within Linux-based multi-cloud environments, with the majority using XMRig-related libraries.
Why mine Monero?
This digital currency is attractive because Monero is known as a privacy coin (hiding the identity of users, amount of each transaction, etc.). Furthermore, unlike mining Bitcoin, mining Monero can use the CPU or GPU cycles of ordinary computers.
“It’s just very simple to just drop some variation of the XMRig open-source miner and start the monetization process. This is particularly well-suited during the exploitation of misconfigured container management software, such as Docker or Kubernetes,” said Giovanni Vigna, senior director of threat intelligence, VMware.
XMRig and mining pools
The common application used to mine Monero is the open-source XMRig miner. While XMRig can mine other cryptocurrencies, it is mainly used to mine Monero.
“We developed FLIRT signatures for the libraries used by XMRig when compiled on various Linux distributions. We also developed Go module detectors to identify relevant crypto-related modules,” explains Vigna. “When we checked for the presence of these components (written in both C/C++ and Go), we found that 89 percent of cryptominers used XMRig-related libraries.”
The report also identified some of the most-used mining pools used by cryptojackers. By joining a mining pool, the malware can contribute to the overall mining process and share the benefits of collective mining—the computing power of a single host would likely be insufficient to achieve any meaningful results.
Other cryptominer families examined in the report included Omelette, WatchDog and Kinsing.
Targets and tactics
The report found that defense evasion is the most used technique by cryptominers. In terms of methods and tactics used, the techniques cryptominers used to obfuscate data are more diversified in comparison to ransomware samples analyzed in the report. These samples also used packing and dynamically generated code more extensively with respect, for example, to ransomware, as the cryptominer’s goal is to stay under the radar for as long as possible while stealing precious CPU cycles.
Mitigating the Cryptomining Threat
Cryptojacking attacks might result in higher energy bills, stalled operations, or higher cloud computing bill costs. However, these attacks are often difficult to detect because they do not entirely disrupt the operations of cloud environments, like ransomware does, or raise alarms, like a data breach might when unauthorized or anomalous access to sensitive data is detected.
The best way to detect cryptojacking attacks, according to the report, is to use network traffic analytics (NTA) to identify internal hosts that are communicating the results of mining work to the outside since this communication is required to monetize the attack. The communications to look for are connections to mining pools. However, many cryptomining malware samples connect to a command-and-control host that acts as a network proxy to avoid being detected. More sophisticated anomaly detection techniques are necessary to identify the threat in these cases. For example, one might look for connections to the outside world from hosts that historically never connected to the outside world.
The report recommends that EDR solutions may also be able to identify abnormal CPU usage patterns, which can be directly associated with the calculations related to blockchain mining. The concerted monitoring of cloud environments, using both host-based and network-based detection techniques, can help keep these attacks at bay.
Get more detailed analysis and insights
These are just a few highlights on the cryptominers analysis covered in “Exposing Malware in Linux-Based Multi-Cloud Environments”, as the report also delivers a comprehensive look at ransomware and remote access tools.
About InfoSystems
For over 25 years, InfoSystems has provided reliable IT solutions to build and maintain strong and secure systems for both SMB and enterprise organizations. Headquartered in Chattanooga, TN, our trusted team of experts specialize in traditional infrastructure, IT optimization and cybersecurity services, as well as next gen solutions such as hybrid cloud and automation, from partners such as IBM, Red Hat, Dell Technologies, Microsoft and VMware.
