Cryptojacking an Increasingly Popular Attack Vector for Botnets




A new bulletin from the Russian Internet security company Kaspersky Labs, published on November 28, indicates that crypto-mining malware has become increasingly popular among botnets in 2018.

Stealth mining attacks (also known as cryptojacking) work by installing malicious software that uses a computer's processing power to mine cryptocurrency without the consent or knowledge of the owner.

According to Kaspersky, after the upward trend of the cryptocurrency market ended in January-February 2018, interest in cryptojacking also declined briefly, but it has nonetheless remained a constant and current threat throughout the year.

Number of unique users attacked by miners from the first to the third quarter of 2018


Among botnets in particular, during the cryptojacking "boom" of the first quarter of 2018, the share of cryptojacking malware downloaded by botnets reached 4.6% of the total number of files, against 2.9% in the second quarter of 2017. The bulletin therefore extrapolates that botnets are increasingly used as a means of spreading crypto-mining malware, with cybercriminals increasingly considering cryptojacking more favorable than other attack vectors.

Kaspersky thus found that the third quarter of 2018 had seen a decline in the number of DDoS attacks emanating from botnets, claiming that "the most likely reason was: […] 'Reprofiling' of zombie networks from DDoS attacks to cryptocurrency extraction":

"[I]f executed correctly, [cryptojacking] may be impossible for the owner of an infected machine to detect […] reprofiling the existing server capacity completely hides its owner in the eyes of the law. Evidence suggests that owners of many well-known zombie networks have shifted their attack vector to the mining sector. For example, the Yoyo Botnet's DDoS activity has dropped significantly, although there is no evidence that it will be dismantled."

The low "entry threshold" for cybercriminals is another factor behind cryptojacking. Browser-based mining code, such as Coinhive, is one option. There is also a range of "ready-to-use affiliate programs, open mining pools and miners" available to attackers.

The report notes that "time will tell" what impact the crypto market crash in November will have on the prevalence of cryptojacking infections.

In mid-November, the cybersecurity research team McAfee Labs discovered a new Russian-made mining malware that uses consumer devices to mine Monero (XMR) and runs almost without a trace.
