Crypto-jacking - Cryptocurrency-mining malware: the Peeled Onion
2018 Data Breach Digest
Verizon Enterprise Solutions | 08/09/2018

The situation
As in previous years, 2017 saw significant interest in cryptocurrencies, both the classic Bitcoin and newer alternatives, and with it in crypto-jacking. Unsurprisingly, given the meteoric rise in Bitcoin's value, that interest has not been limited to investors. In 2017, the VTRAC | Investigative Response Team investigated several cybersecurity incidents involving attackers whose motivation was financial gain through cryptocurrency-mining malware.
This variety of malware uses the processing power (CPU or graphics card) of the infected system to mine cryptocurrency for the attacker, who can then spend it like traditional cash or exchange it directly for legal tender. Mining is a legitimate part of the cryptocurrency lifecycle; using someone else's system to do it without authorization is not.
While Bitcoin is the most widely known cryptocurrency, there are hundreds of alternatives, some of them better suited to mining by malware because of their relative anonymity or because they can be mined efficiently on ordinary systems. In 2017, we investigated only a few cases of malware mining Bitcoin; the majority involved Monero or Zcash.
In one such “non-Bitcoin” case, a customer called upon us after observing a significant number of alerts originating from their firewalls. The firewalls were blocking suspicious outbound traffic to The Onion Router (Tor) network and raising alerts as they did so. The customer believed the situation was under control because the traffic was being blocked. They asked us to determine the cause of the traffic, confirm that it was in fact contained, and verify there were no indications of data exfiltration or lateral movement in their network.
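A blocked connection is evidence that a process on the internal host is trying to reach Tor, so the first triage step is to turn the firewall's deny events into a list of hosts to examine rather than treating the block as the end of the matter. The script below is an added example and not part of the Digest or of any Verizon tooling: the log line format, the Tor relay addresses and the internal host addresses are all constructed for illustration (a real deployment would load a current relay list and parse the vendor's actual log format).

```python
"""Triage of firewall deny events for outbound Tor traffic.

Added example, not from the Verizon Data Breach Digest. The log format,
relay list and host addresses below are constructed for illustration.
"""
import re

# Constructed firewall deny log lines (not real data). Fields: timestamp,
# action, internal source IP, destination IP:port, protocol.
FIREWALL_LOG = """\
2017-11-03T02:14:07 DENY src=10.20.5.17 dst=198.51.100.23:9001 proto=tcp
2017-11-03T02:14:09 DENY src=10.20.5.17 dst=203.0.113.8:443 proto=tcp
2017-11-03T02:14:12 DENY src=10.20.5.17 dst=198.51.100.77:9001 proto=tcp
2017-11-03T02:15:01 DENY src=10.20.9.4 dst=192.0.2.44:25 proto=tcp
2017-11-03T02:15:40 DENY src=10.20.5.17 dst=203.0.113.8:443 proto=tcp
2017-11-03T02:16:02 DENY src=10.20.7.30 dst=198.51.100.23:9001 proto=tcp
2017-11-03T02:16:55 DENY src=10.20.5.17 dst=198.51.100.23:9001 proto=tcp
"""

# Constructed set of Tor relay addresses. Assumption: in practice this is
# loaded from a current relay/consensus export, not hard-coded.
TOR_RELAYS = {"198.51.100.23", "198.51.100.77", "203.0.113.8"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+):(?P<port>\d+) proto=(?P<proto>\w+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        event = m.groupdict()
        event["port"] = int(event["port"])
        events.append(event)
    return events


def tor_contacts(events, relays=TOR_RELAYS):
    """Summarise denied outbound connections to known Tor relays per source.

    Returns {src: {"attempts": n, "relays": set(), "first": ts, "last": ts}}.
    ISO-8601 timestamps compare correctly as strings, so min/max work here.
    """
    summary = {}
    for e in events:
        if e["action"] != "DENY" or e["dst"] not in relays:
            continue
        rec = summary.setdefault(
            e["src"],
            {"attempts": 0, "relays": set(), "first": e["ts"], "last": e["ts"]},
        )
        rec["attempts"] += 1
        rec["relays"].add(e["dst"])
        rec["first"] = min(rec["first"], e["ts"])
        rec["last"] = max(rec["last"], e["ts"])
    return summary


def hosts_to_investigate(events, relays=TOR_RELAYS, min_attempts=2):
    """Sources with repeated denied Tor attempts, most active first.

    The firewall verdict only stops the connection; the host that keeps
    retrying still carries whatever is generating the traffic.
    """
    contacts = tor_contacts(events, relays)
    ranked = sorted(contacts.items(), key=lambda kv: -kv[1]["attempts"])
    return [src for src, rec in ranked if rec["attempts"] >= min_attempts]


if __name__ == "__main__":
    evts = parse_log(FIREWALL_LOG)
    for src, rec in tor_contacts(evts).items():
        print(f"{src}: {rec['attempts']} attempts to {len(rec['relays'])} "
              f"relays between {rec['first']} and {rec['last']}")
    print("investigate:", hosts_to_investigate(evts))
```

On the constructed input the script singles out 10.20.5.17 (five denied attempts to three different relays in under three minutes) as the host to pull for forensic examination first, while 10.20.9.4, whose only denied connection is an outbound SMTP attempt to a non-relay address, is left out of the Tor triage entirely. Destination ports are kept in the parsed events but deliberately not used as the relay test: Tor relays listen on many ports, so matching on the relay address list is more reliable than matching on 9001 or 443.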
