Microsoft Report Details Cryptocurrency Mining Malware Epidemic, 644,000 Unique PCs Affected Monthly


It seems that everyone and their uncle is mining cryptocurrency these days. That is a topic in and of itself, but what's disturbing is even if you are not knowingly mining virtual coins, you might still be mining...for someone else. Crypto-jacking has emerged as a form of malware, whereby a website or app sneakily injects a 'miner' onto your device so that a remote attacker can tap into your phone or PC's resources for profit. Microsoft's security team did some digging into the situation and found some interesting trends related to this growing threat.

To be clear, Microsoft is not against the concept of cryptocurrency, or at least that is not how the report is framed. Microsoft says cybercriminals are giving cryptocurrencies a bad name, in part through ransomware that demands payment in the form of a digital currency, typically Bitcoin. Along with the sharp in value of Bitcoin and some other digital coins, "these dynamics are driving cybercriminal activity related to cryptocurrencies and have led to an explosion of cryptocurrency miners," also known as cryptominers or coin miners.

"Coin miners are not inherently malicious. Some individuals and organizations invest in hardware and electric power for legitimate coin mining operations. However, others are looking for alternative sources of computing power; as a result, some coin miners find their way into corporate networks. While not malicious, these coin miners are not wanted in enterprise environments because they eat up precious computing resources," Microsoft states in its blog post..

Coin Mining Malware Graph
Click to Enlarge (Source: Microsoft)

In other cases, coin miners are in fact used maliciously. Cybercriminals repackage or modify existing coin mining software and use social engineering, dropper malware, or exploits to distribute and install them on the sly. According to Microsoft's data, every month from September 2017 to January 2018 an average of 644,000 unique computers were infected with coin mining software. While not entirely clear, it appears this data does not include smartphones, so the number could potentially be much higher.

"Interestingly, the proliferation of malicious cryptocurrency miners coincides with a decrease in the volume of ransomware. Are these two trends related? Are cybercriminals shifting their focus to cryptocurrency miners as primary source of income? It’s not likely that cybercriminals will completely abandon ransomware operations any time soon, but the increase in trojanized cryptocurrency miners indicates that attackers are definitely exploring the possibilities of this newer method of illicitly earning money," Microsoft added.

Microsoft has also seen a proliferation of legitimate but unauthorized coin miners popping up in corporate networks. In January 2018, enterprise customers who enabled potentially unwanted application (PUA) protection encountered coin miners in more than 1,800 machines, marking a "huge jump" from previous months. Looking ahead, Microsoft expects the number to grow exponentially.

Part of the difficulty in dealing mining software, whether malicious or otherwise unauthorized, is the wide range that exists. In a separate blog post, Microsoft detailed a massive "Dofoil" campaign in which cybercriminals attempted to install malicious cryptocurrency miners on hundreds of thousands of systems through a poisoned peer-to-peer app.

"Immediately upon discovering the attack, we looked into the source of the huge volume of infection attempts. Traditionally, Dofoil (also known as Smoke Loader) is distributed in multiple ways, including spam email and exploit kits. In the outbreak, which began in March 6, a pattern stood out: most of the malicious files were written by a process called mediaget.exe," Microsoft said.

You can read all of the technical details in Microsoft's blog post, but it's another example of what is fast becoming an epidemic. According to Microsoft, it's also a reason to consider Windows 10 S, which exclusively runs curated apps from the Microsoft Store. It's a bit of a weird (and obviously self-serving) conclusion, especially since Windows 10 S is disappearing as a standalone SKU in favor an S Mode baked into other versions of Windows 10.

In any event, be safe out there folks, and pay attention to your device's resource usage. If your PC or smartphone seems to be working harder than usual, you might have a coin miner tucked inside.