What is Crypto Malware? - Check Point Software (2024)

How It Works

Blockchains use various consensus algorithms to ensure that the process of creating blocks is decentralized. In blockchains such as Bitcoin, Monero, and many others, the consensus algorithm used is Proof of Work (PoW).

In PoW, a valid block is defined as one whose header hashes to a value less than a particular value. Since hash functions are unpredictable, the only way to find a valid block is to try various options and try to get the right one. In the case of Bitcoin, the threshold is set so that the entire network working together will find a valid block every ten minutes on average. Whichever miner finds the valid block gets the reward.

Crypto malware infects a computer and uses it to perform the search for possible blocks. If the malware happens to find a valid block, the attacker can submit it and receive the reward.

Examples of Crypto Malware

Cryptomining malware has grown in popularity since it provides cybercriminals with a way to directly make money off of their control of a system. Some of the leading examples of crypto malware described in Check Point’s 2022 Cyber Attack Trends Mid-Year Report include:

• XMRig: XMRig is an open-source cryptojacking malware that is commonly incorporated into other types of malware. It is designed to mine the Monero or Bitcoin cryptocurrency.
• Rubyminer: Rubyminer was discovered in January 2018 and focuses on servers, both Windows and Linux. Rubyminer looks for vulnerable webservers and delivers XMRig to mine Monero.
• LemonDuck: The LemonDuck malware emerged in 2018 and uses various propagation methods, including malspam, vulnerability exploitation, and the use of compromised credentials to log in via RDP. In addition to mining cryptocurrency, it also harvests email credentials and delivers other malware to infected computers.
• Darkgate: Darkgate is a malware variant first discovered in December 2017 that primarily targets Windows systems. This malware combines multiple functions, including cryptomining, ransomware, credential stealing, and remote access trojan (RAT) functionality.
• WannaMine: WannaMine mines the Monero cryptocurrency. This cryptominer is a worm that spreads using EternalBlue and uses Windows Management Instrumentation (WMI) permanent event subscriptions to achieve persistence on a system.

How to Detect Crypto Mining Malware

Cryptomining malware is designed to consume significant processing power as it tries potential candidates for a block header. As a result, an infected computer may display one of the following two signs:

• Increased resource consumption.
• Slowness of computers and servers

How to Prevent Crypto Malware Attacks

Cryptomining malware can be profitable because it gives attackers access to a vast amount of processing power to use for mining cryptocurrency. However, this comes at the cost of the companies who foot the bill for the mining activity occurring on their systems. Some steps that a business can take to prevent its systems from being co-opted for cryptomining include:

• Patch Applications and Systems: Several cryptomining malware variants are delivered by exploiting vulnerabilities in an organization’s systems. Promptly applying patches to close these security holes can reduce the probability of infection.
• Virtually Patch with IPS: Patching every vulnerability is infeasible for most organizations. Intrusion prevention systems (IPS) can help to scale patch programs by blocking attempted exploits against vulnerable systems.
• Implement MFA: Use of compromised credentials on RDP or other remote access platforms is another common malware delivery vector. Implementing strong authentication and deploying multi-factor authentication (MFA) can make it more difficult for attackers to use these compromised credentials.
• Deploy Zero-Day Protection: Cryptomining malware can be a profitable business, and cybercriminals invest significant resources into evading detection. Zero-day malware detection capabilities are essential to preventing crypto malware from gaining access to an organization’s systems and stealing their resources.
• Secure the Cloud: Cloud-based systems are a common target for cryptominers due to their flexible, scalable processing power and limited visibility to IT teams. Companies must take special care to lock down these systems to protect them against cryptominers.

Check Point’s Harmony Suite and XDR platform

Cryptominers are one of several malware threats that companies are facing today. Learn more about the evolving cyber threat landscape in the 2022 Cyber Attack Trends Mid-Year report.

Check Point Infinity XDR and Harmony Endpoint provide defense-in-depth against cryptominers and other malware. XDR provides network-level threat visibility and centralized control across an organization’s entire IT architecture, and Harmony Endpoint identifies and remediates malware infections on the endpoint. Learn more about improving your organization’s defenses against crypto malware by requesting a free demo of Harmony Endpoint today.