Hackers are now using software developed by the US National Security Agency (NSA) to illicitly mine cryptocurrencies. According to a recent report released by the Cyber Threat Alliance (CTA), compiled by a collective of cyber-security experts from McAfee, Cisco Talos, NTT Security, Rapid7 and Sophos, among others, crypto mining malware detections have jumped to over 400 percent within the past one and a half years.

Malicious actors are hijacking computer processor resources via internet network infrastructure intrusions, and computer hacks, among other means. One of the more worrying trends is the use of an NSA exploit leaked early last year by Shadow Brokers dubbed EternalBlue.

Soon after the release of its source code, cybercriminals used the tool to launch a devastating ransomware attack dubbed WannaCry, which led to over 200,000 computers being infected in over 100 countries. The British National Health Service (NHS) was one of the institutions targeted by the attack and experienced a network shutdown as a result.

According to new reports, the same exploit is being used to harness crypto mining power using malware called WannaMine. Computers that have been infected can become slow or experience hardware overheating issues. However, some attacks are more sophisticated. They monitor mouse or CPU usage, and automatically pause operations when processing power goes beyond a certain threshold.

This feature makes them harder to detect, allowing them to persist and ultimately generate greater returns for cyber-criminals. Generally, EternalBlue malware infections are hard to detect because of their ability to work without downloading secondary application files.

How the WannaMine Crypto Mining Malware Works

WannaMine is the most notorious EternalBlue-based crypto mining malware. It has been found to spread through various means. One of those is by internet users downloading counterfeit software from unofficial sources, email attachments, and by offering misleading software update prompts.

It relies on Windows management tools for its operations and camouflages itself within legitimate processes. As such, it doesn’t work on Android or iOS devices. However, it allows a hacker to download and upload files to a computer, enumerate running processes, execute arbitrary commands, gather system-specific information such as IP addresses and the computer name, and allows the intruder to change some device settings.

Wannamine typically uses Mimikatz, a Windows hack tool used to ‘crack’ software, to gain more system control. Originally developed by Benjamin Delpy, Mimikatz can access a computer’s passwords via its memory and enslave it to a botnet. It also has the ability to export security certificates, override Microsoft AppLocker and processes related to Software Restriction Police, as well as modify privileges.

Cryptojacking Statistics

The cryptojacking practice is apparently rampant and last November, statistics released by AdGuard indicted that more than 33,000 websites with a total of over 1 billion monthly visitors had cryptojacking scripts. Most didn’t bother to warn users about this. Monero is said to be the preferred cryptocurrency for cryptojacking actors mainly because of its pseudonymization features and ability to be mined using medium to low-end computers.

In February, over 34,000 websites were found to be utilizing CoinHive’s JavaScript miner, which is also used to mine Monero. This was according to statistics derived from the PublicWWW search database, which can be used to reveal JavaScript snippets on websites.

The CoinHive miner is a largely legitimate way of undertaking in-browser mining. Currently, only about 19,000 web pages are listed as featuring the Coinhive code. The sharp drop in websites utilizing the miner is probably in correlation with declining mining profitability.

Away from Coinhive, the Smominru Monero miner has been found to be the most active in the wild, and is spread using the EternalBlue exploit. Its usage was first detected in May last year, and at the time, actors behind it were reportedly mining $8,500 worth of Monero in a week. Their botnet network consisted of over 526,000 infected nodes, which appeared to be servers located in Taiwan, Russia, and India.

Protection Against Crypto Mining Attacks

It is easy to protect a PC against EternalBlue-based mining malware attacks by regularly updating windows and carrying out a virus scan using Windows Defender Antivirus. PC users should also avoid using ‘cracked’ software because many create backdoor access for hackers.

Related