NEW

2024 True Cost of a Security Breach

Arrow pointing right
ExtraHop Logo
  • Productschevron right
  • Solutionschevron right
  • Why ExtraHopchevron right
  • Blogchevron right
  • Resourceschevron right

Cryptomining Malware: Definition, Examples, and Prevention

Risk Factors

Likelihood

Complexity

Business Impact

What is Cryptomining?

Cryptomining malware, or 'cryptojacking,' is a malware attack that co-opts the target's computing resources in order to mine cryptocurrencies like bitcoin. This malware uses a systems CPU and sometimes GPU to perform complex mathematical calculations that result in long alphanumeric strings called hashes.

These calculations serve to verify previous cryptocurrency transactions, and successfully solving them can generate a token of currency (like bitcoin). The process serves a dual purpose: limiting the total amount of currency created and checking previous transactions to prevent fraud (primarily double spending).

There are many different methods for getting the malware onto a target computer, like code embedded in a website or a classic email phishing attack. Once in place, the malware can be difficult to detect as it runs in the background.

Examples of Cryptomining Attacks

PowerGhost

Powerghost uses the EternalBlue exploit to spread and "fileless" techniques to avoid detection.

Graboid

Graboid is a cryptomining worm which uses Docker Engine containers to spread.

BadShell

Badshell uses fileless techniques and hides in Windows processes.

Protection Against Cryptomining Attacks

Attacks that run within a browser are easily stopped by just closing the browser tab, but cryptomining malware is more difficult to root out. Malware can be difficult to detect on endpoints and can run on computers, smartphones, or IoT devices.

How do you distinguish it from all the legitimate processing happening across endpoints? Cryptomining involves extended open connections with a compromised endpoint. Monitoring the network for unusually long connections is one method of detection.

Network detection and response uses machine learning to understand behaviors on the network, allowing it to recognize cryptomining tells—like when an outbound connection is made in order to send the currency to the attacker or when cryptomining protocols like Stratum are used.

Cryptojacking is a relatively new attack, but one that is gaining popularity amongst bad actors. Initially, browser-based cryptojacking was the primary method of hijacking resources but declined sharply after Coinhive shut down in 2019.

Getting malware running on a device is an increasingly prevalent means of attack. One example is the Mirai botnet, which has reportedly been used for cryptomining.