Archive for the ‘cryptojacking’ Category

Hardware-based threat defense against increasingly complex cryptojackers

Even with the dip in the value of cryptocurrencies in the past few months, cryptojackers – trojanized coin miners that attackers distribute to use compromised devices’ computing power for their objectives – continue to be widespread. In the past several months, Microsoft Defender Antivirus detected cryptojackers on hundreds of thousands of devices every month. These threats also continue to evolve: recent cryptojackers have become stealthier, leveraging living-off-the-land binaries (LOLBins) to evade detection.

Column chart representing number of devices where Microsoft Defender Antivirus detected cryptojackers seen monthly from January to July 2022.
Figure 1. Chart showing number of devices on which Microsoft Defender Antivirus detected cryptojackers from January to July 2022.

To provide advanced protection against these increasingly complex and evasive threats, Microsoft Defender Antivirus uses various sensors and detection technologies, including its integration with Intel® Threat Detection Technology (TDT), which applies machine learning to low-level CPU telemetry to detect threats even when the malware is obfuscated and can evade security tools.

Using this silicon-based threat detection, Defender analyzes signals from the CPU performance monitoring unit (PMU) to detect malware code execution “fingerprint” at run time and gain unique insights into malware at their final execution point, the CPU. The combined actions of monitoring at the hardware level, analyzing patterns of CPU usage, and using threat intelligence and machine learning at the software level enable the technology to defend against cryptojacking effectively.

In this blog post, we share details from our monitoring and observation of cryptojackers and how the integration of Intel TDT and Microsoft Defender Antivirus detects and blocks this complex threat.

Looking at the current cryptojacker landscape

There are many ways to force a device to mine cryptocurrency without a user’s knowledge or consent. The three most common approaches used by cryptojackers are the following:

  • Executable: These are typically potentially unwanted applications (PUAs) or malicious executable files placed on the devices and designed to use system resources to mine cryptocurrencies.
  • Browser-based: These miners are typically in the form of JavaScript (or similar technology) and perform their function in a web browser, consuming resources for as long as the browser remains open on the website where they are hosted. These miners are commonly injected into legitimate websites without the owner’s knowledge or consent. In other cases, the miners are intentionally included in attacker-owned or less reputable websites that users might visit.
  • Fileless: These cryptojackers perform mining in a device’s memory and achieve persistence by misusing legitimate tools and LOLBins.

The executable and browser-based approaches involve malicious code that’s present in either the filesystem or website that can be relatively easily detected and blocked. The fileless approach, on the other hand, misuses local system binaries or preinstalled tools to mine using the device’s memory. This approach allows attackers to achieve their goals without relying on specific code or files. Moreover, the fileless approach enables cryptojackers to be delivered silently and evade detection. These make the fileless approach more attractive to attackers.

While newer cryptojackers use the fileless approach, its engagement of the hardware, which it relies on for its mining algorithm, becomes one of the ways to detect cryptojacking activities.

Misuse of LOLBins in recent cryptojacking campaigns

Through its various sensors and advanced detection methodologies, including its integration with Intel TDT, Microsoft Defender Antivirus sees cryptojackers that take advantage of legitimate system binaries on more than 200,000 devices daily.

Column chart showing total number of devices where cryptojackers misusing legitimate system binaries were detected based on daily observation from July 25 to July 31, 2022.
Figure 2. Chart showing the number of devices targeted by cryptojackers that misuse legitimate system binaries observed July 25-31, 2022.

Attackers heavily favor the misuse of notepad.exe among several legitimate system tools in observed campaigns.

Donut pie chart showing percentage of legitimate system binaries commonly abused by cryptojackers based on the observation period of July 25-31, 2022.
Figure 3. The chart shows that notepad.exe is the most abused tool based on the cryptojacking attacks observed from July 25-31, 2022.

We analyzed an interesting cryptojacking campaign abusing notepad.exe and several other binaries to carry out its routines. This campaign used an updated version of the cryptojacker known as Mehcrypt. This new version packs all of its routines into one script and connects to a command-and-control (C2) server in the latter part of its attack chain, a significant update from the old version, which ran a script to access its C2 and download additional components that then perform malicious actions.

The threat arrives as an archive file containing autoit.exe and a heavily obfuscated, randomly named .au3 script. Opening the archive file launches autoit.exe, whichdecodes the .au3 script in memory. Once running, the script further decodes several layers of obfuscation and loads additional decoded scripts in memory.

Attack flow of Mehcrypt abusing legitimate system binaries to carry out its malicious routines.
Figure 4. Infection chain of a new variant of Mehcrypt leveraging several binaries to launch its malicious routines.

The script then copies itself and autoit.exe in a randomly named folder in C:\ProgramData. The script creates a scheduled task to delete the original files and adds autostart registry entries to run the script every time the device starts.

Screenshot of a cryptojacker's created registry entry for persistence.
Figure 5. The malware creates an autostart registry entry to maintain persistence.

After adding persistence mechanisms, the script then loads malicious code into VBC.exe via process hollowing and connects to a C2 server to listen for commands. Based on the C2 response, the script loads its cryptojacking code into notepad.exe, likewise via process hollowing.

At this point, as the threat starts its cryptojacking operation via malicious code injected into notepad.exe, a huge jump in CPU usage can be observed:

Screenshot of CPU utilization showing a spike when the malware began its malicious routines.
Figure 6. CPU usage shows a significant spike and continued maximum utilization as malicious activities are carried out.  

This high CPU usage anomaly is analyzed in real-time by both Intel TDT and Microsoft Defender Antivirus. Based on Intel TDT’s machine learning-based correlation of CPU telemetry and other suspicious activities like process injection into system binaries, Microsoft Defender Antivirus blocks the process execution (Behavior:Win32/CoinMiner.CN!tdt), and Microsoft Defender for Endpoint raises an alert.  

Advanced threat detection technology helps stop cryptojacking activities

To detect evasive cryptojackers, Microsoft Defender Antivirus and Intel TDT work together to monitor and correlate hardware and software threat data. Intel TDT leverages signals from the CPU, analyzing these signals to detect patterns modeled after cryptojacking activity using machine learning. Microsoft Defender Antivirus then uses these signals and applies its threat intelligence and machine learning techniques to identify and block the action at the software level.  

Intel TDT has added several performance improvements and optimizations, such as offloading the machine learning inference to Intel’s integrated graphics processing unit (GPU) to enable continuous monitoring. This capability is available on Intel Core™ processors and Intel vPro® branded platforms from the 6th generation onwards. By design, Microsoft Defender Antivirus leverages these offloading capabilities where applicable.

In addition to industry partnerships, Microsoft’s consistent monitoring of the threat landscape powers the threat intelligence that feeds into products like Microsoft Defender Antivirus and Microsoft Defender for Endpoint, where knowledge is translated to customer protection in real-time.

Suriyaraj Natarajan, Andrea Lelli, Amitrajit Banerjee
Microsoft 365 Defender Research Team

The post Hardware-based threat defense against increasingly complex cryptojackers appeared first on Microsoft Security Blog.

In hot pursuit of ‘cryware’: Defending hot wallets from attacks

May 17th, 2022 No comments

The steep rise in cryptocurrency market capitalization, not surprisingly, mirrors a marked increase in threats and attacks that target or leverage cryptocurrencies. But Microsoft researchers are observing an even more interesting trend: the evolution of related malware and their techniques, and the emergence of a threat type we’re referring to as cryware.

Cryware are information stealers that collect and exfiltrate data directly from non-custodial cryptocurrency wallets, also known as hot wallets. Because hot wallets, unlike custodial wallets, are stored locally on a device and provide easier access to cryptographic keys needed to perform transactions, more and more threats are targeting them.

Cryware signifies a shift in the use of cryptocurrencies in attacks: no longer as a means to an end but the end itself. Before cryware, the role of cryptocurrencies in an attack or the attack stage where they figured varied depending on the attacker’s overall intent. For example, some ransomware campaigns prefer cryptocurrency as a ransom payment. However, that requires the target user to manually do the transfer. Meanwhile, cryptojackers—one of the prevalent cryptocurrency-related malware—do try to mine cryptocurrencies on their own, but such a technique is heavily dependent on the target device’s resources and capabilities.

With cryware, attackers who gain access to hot wallet data can use it to quickly transfer the target’s cryptocurrencies to their own wallets. Unfortunately for the users, such theft is irreversible: blockchain transactions are final even if they were made without a user’s consent or knowledge. In addition, unlike credit cards and other financial transactions, there are currently no available mechanisms that could help reverse fraudulent cryptocurrency transactions or protect users from such.

To find hot wallet data such as private keys, seed phrases, and wallet addresses, attackers could use regular expressions (regexes), given how these typically follow a pattern of words or characters. These patterns are then implemented in cryware, thus automating the process. The attack types and techniques that attempt to steal these wallet data include clipping and switching, memory dumping, phishing, and scams.

As cryptocurrency investing continues to trickle to wider audiences, users should be aware of the different ways attackers attempt to compromise hot wallets. They also need to protect these wallets and their devices using security solutions like Microsoft Defender Antivirus, which detects and blocks cryware and other malicious files, and Microsoft Defender SmartScreen, which blocks access to cryware-related websites. For organizations, data and signals from these solutions also feed into Microsoft 365 Defender, which provides comprehensive and coordinated defense against threats—including those that could be introduced into their networks through user-owned devices or non-work-related applications.

In this blog, we provide details of the different attack surfaces targeting hot wallets. We also offer best practice recommendations that help secure cryptocurrency transactions.

From cryptojackers to cryware: The growth and evolution of cryptocurrency-related malware

The emergence and boom of cryptocurrency allowed existing threats to evolve their techniques to target or abuse cryptocurrency tokens. The threats that currently leverage cryptocurrency include:

  • Cryptojackers. One of the threat types that surfaced and thrived since the introduction of cryptocurrency, cryptojackers are mining malware that hijacks and consumes a target’s device resources for the former’s gain and without the latter’s knowledge or consent. Based on our threat data, we saw millions of cryptojacker encounters in the last year.
  • Ransomware. Some threat actors prefer cryptocurrency for ransom payments because it provides transaction anonymity, thus reducing the chances of being discovered.
  • Password and info stealers. Apart from sign-in credentials, system information, and keystrokes, many info stealers are now adding hot wallet data to the list of information they search for and exfiltrate.
  • ClipBanker trojans. Another type of info stealer, this malware checks the user’s clipboard and steals banking information or other sensitive data a user copies. ClipBanker trojans are also now expanding their monitoring to include cryptocurrency addresses.

The increasing popularity of cryptocurrency has also led to the emergence of cryware like Mars Stealer and RedLine Stealer. These threats aim to steal cryptocurrencies through wallet data theft, clipboard manipulation, phishing and scams, or even misleading smart contracts. For example, RedLine has even been used as a component in larger threat campaigns. The graph below illustrates the increasing trend in unique cryware file encounters Microsoft Defender for Endpoint has detected in the last year alone.

Bar chart illustrating the distribution of cryware family detections from January to December 2021.
Figure 1. Microsoft Defender for Endpoint cryware encounters for 2021

Cryware could cause severe financial impact because transactions can’t be changed once they’re added to the blockchain. As mentioned earlier, there also are currently no support systems that could help recover stolen cryptocurrency funds.

For example, in 2021, a user posted about how they lost USD78,000 worth of Ethereum because they stored their wallet seed phrase in an insecure location. An attacker likely gained access to the target’s device and installed cryware that discovered the sensitive data. Once this data was compromised, the attacker would’ve been able to empty the targeted wallet.

With the growing popularity of cryptocurrency, the impact of cryware threats have become more significant. We’ve already observed campaigns that previously deployed ransomware now using cryware to steal cryptocurrency funds directly from a targeted device. While not all devices have hot wallets installed on them—especially in enterprise networks—we expect this to change as more companies transition or move part of their assets to the cryptocurrency space. Users and organizations must therefore learn how to protect their hot wallets to ensure their cryptocurrencies don’t end up in someone else’s pockets.

Hot wallet attack surfaces

To better protect their hot wallets, users must first understand the different attack surfaces that cryware and related threats commonly take advantage of.

Hot wallet data

During the creation of a new hot wallet, the user is given the following wallet data:

  • Private key. The key that’s required to access the hot wallet, sign or authorize transactions, and send cryptocurrencies to other wallet addresses.
  • Seed phrase. A mnemonic phrase is a human-readable representation of the private key. It’s another form of a private key that’s easier to remember. Bitcoin Improvement Proposal: 39 (BIP39) is currently the most common standard used to generate seed phrases consisting of 12-14 words (from a predefined list of 2,048).
  • Public key. The public address of the wallet that users must enter as the destination address when sending funds to other wallets.
  • Wallet password (optional). A standard user account password that some wallet applications offer as an additional protection layer.
Screenshots of a wallet app's UI screens where users can create a password and a secret recovery phrase.
Figure 2. Sample wallet creation in a popular wallet app

Attackers try to identify and exfiltrate sensitive wallet data from a target device because once they have located the private key or seed phrase, they could create a new transaction and send the funds from inside the target’s wallet to an address they own. This transaction is then published to the blockchain of the cryptocurrency of the funds contained in the wallet. Once this action is completed, the target won’t be able to retrieve their funds as blockchains are immutable (unchangeable) by definition.

To locate and identify sensitive wallet data, attackers could use regexes, which are strings of characters and symbols that can be written to match certain text patterns. The following table demonstrates how regexes can be used to match wallet string patterns:

Wallet target String description String example Regular expression
Private key Identify a string of characters that comprise an example private key. This key would consist of exactly 256 bits (32 characters) in an unspaced, capitalized, hexadecimal string located on one line. A6FDF18E86000542388064492B58CBF  ^[A-F0-9]{32}$
Seed phrase Identify a string of characters that comprise a seed phrase consisting of 12 words separated by a single space located on one line. this is a long string of text consisting of twelve random words  ^(\w+\s){11}\w+$
Wallet address Identify a string of characters that comprise an example public wallet address. This address would consist of exactly 24 characters in an unspaced, hexadecimal string preceded by the literal letters “LB”. LB32b787573F5186C696b8ed61 ^LB[a-fA-F0-9]{24}$
Table 1. Regular expressions to detect example wallet data

Cryware attack scenarios and examples

Once sensitive wallet data has been identified, attackers could use various techniques to obtain them or use them to their advantage. Below are some examples of the different cryware attack scenarios we’ve observed.

Clipping and switching

Diagram with icons and arrows illustrating how clipping and switching works.
Figure 3. Clipping and switching overview

In clipping and switching, a cryware monitors the contents of a user’s clipboard and uses string search patterns to look for and identify a string resembling a hot wallet address. If the target user pastes or uses CTRL + V into an application window, the cryware replaces the object in the clipboard with the attacker’s address.

Figure 4, which is a code based on an actual clipper malware we’ve seen in the wild, demonstrates the simplest form of this attack. This code uses regexes to monitor for copied wallet addresses and then swaps the value to be pasted.

Code snippet that allows a malware to replace copied data with a different value.
Figure 4. Example code to replace the clipboard using regular expressions to identify wallet’s address pattern

While this technique is not new and has been used in the past by info stealers, we’ve observed its increasing prevalence. The technique’s stealthy nature, combined with the length and complexity of wallet addresses, makes it highly possible for users to overlook that the address they pasted does not match the one they originally copied.

Memory dumping

Another technique is memory dumping, which takes advantage of the fact that some user interactions with their hot wallet could display the private keys in plaintext. This critical information might remain in the memory of a browser process performing these actions, thus compromising the wallet’s integrity. Such a scenario also allows an attacker to dump the browser process and obtain the private key.

The screenshot below illustrates such an example. When a private key was exported through a web wallet application, the private key remained available in plaintext inside the process memory while the browser remained running.

Screenshot of a browser process memory dump with a redacted hot wallet private key displayed in plaintext.
Figure 5. A hot wallet private key visible inside the browser process memory

Wallet file theft

While more sophisticated cryware threats use regular expressions, clipboard tampering, and process dumping, a simple but effective way to steal hot wallet data is to target the wallet application’s storage files. In this scenario, an attacker traverses the target user’s filesystem, determines which wallet apps are installed, and then exfiltrates a predefined list of wallet files.

Target files and information include the following:

  • Web wallet files. Some hot wallets are installed as browser extensions with a unique namespace identifier to name the extension storage folder. A web wallet’s local vault contains the encrypted private key of a user’s wallet and can be found inside this browser app storage folder. Attackers target this vault as it can be brute-forced by many popular tools, such as Hashcat.
    • Example targeted MetaMask vault folder in some web browsers: “Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn”
  • Desktop wallet files. Other hot wallets are installed on a user’s desktop device. The private keys are encrypted and stored locally in application storage files specific to each wallet. Attackers could determine which desktop wallet is installed on a target device when stealing information from it. As with the web wallet vaults, wallet storage files containing encrypted private keys provide an excellent opportunity for brute-force attacks.
    • Example targeted Exodus storage files: “Exodus\passphrase.json”, “Exodus\seed.seco”
  • Wallet passwords. Some wallet applications require passwords as an additional authentication factor when signing into a wallet. Some users store these passwords and seed phrases or private keys inside password manager applications or even as autofill data in browsers. Attackers could traverse an affected device to discover any password managers installed locally or exfiltrate any browser data that could potentially contain stored passwords.
    • Example targeted browser data: “\Cookies\”, “\Autofill\”

Mars Stealer is a notable cryware that steals data from web wallets, desktop wallets, password managers, and browser files. The snippet below was taken from a section of Mars Stealer code aimed to locate wallets installed on a system and steal their sensitive files:

Screenshot of a code snippet of Mars Stealer.
Figure 6. Mars Stealer code snippet that locates sensitive hot wallet data

Mars Stealer is available for sale on hacking forums, as seen in an example post below. The post describes the cryware’s capabilities of stealing sensitive data from multiple wallets and app storage files from an affected device. Mars Stealer then bundles the stolen data and exfiltrates it to an attacker-controlled command-and-control (C2) server via HTTP POST.

Screenshot of a forum post titled "Mars Stealer is a native, non-resident stiller (sic) with the functionality of a loader and a graber (sic)"
Figure 7. An ad for Mars Stealer for sale in an underground forum


Keylogging is another popular technique used by cryware. Like other information-stealing malware that use this technique, keylogging cryware typically runs in the background of an affected device and logs keystrokes entered by the user. It then sends the data it collects to an attacker controlled C2 server.

For attackers, keyloggers have the following advantages:

  • No need for brute forcing. Private keys, seed phrases, and other sensitive typed data can be stolen in plaintext.
  • Difficult to detect. Keyloggers can run undetected in the background of an affected device, as they generally leave few indicators apart from their processes.
  • Stolen data can live in memory. Attackers don’t have to write stolen user data to disk. Instead, they can store the data in process memory before uploading it to the server.

Even users who store their private keys on pieces of paper are vulnerable to keyloggers. Copying and pasting sensitive data also don’t solve this problem, as some keyloggers also include screen capturing capabilities.

Phishing sites and fake applications

To fool users into entering their private keys, attackers create malicious applications that spoof legitimate hot wallets. Unfortunately, determining which app is malicious or legitimate can be challenging because importing an existing wallet does require the input of a private key.

Since a user needs to go to a hot wallet website to download the wallet app installer, attackers could use one of the two kinds of methods to trick users into downloading malicious apps or giving up their private keys:

  • Typosquatting: Attackers purchase domains that contain commonly mistyped characters.
  • Soundsquatting: Attackers purchase domains with names that sound like legitimate websites.

The screenshot below shows a spoofed MetaMask website. While the domain contains the word “MetaMask,” it has an additional one (“suspend”) at the beginning that users might not notice. This could easily trick a user into entering their private keys to supposedly import their existing wallet, leading to the theft of their funds instead.

Screenshot of a web browser window displaying a phishing website's "Import Wallet" page.
Figure 8. Screenshot of a MetaMask phishing website

Phishing websites may even land at the top of search engine results as sponsored ads. In February 2022, we observed such ads for spoofed websites of the cryptocurrency platform StrongBlock. The topmost fake website’s domain appeared as “strongsblock” (with an additional “s”) and had been related to phishing scams attempting to steal private keys. Note that these ads no longer appear in the search results as of this writing. It’s common practice for internet search engines (such as Google and Edge) to regularly review and remove ad results that are found to be possible phishing attempts.

Screenshot of search results related to "strongblock". The three sponsored ads at the top of the page are phishing websites and are highlighted with red boxes. The result that points to the legitimate website is highlighted with a blue box.
Figure 9. Sponsored ads for phishing websites (highlighted in red boxes from a screenshot taken on February 11, 2022) being pushed on top of browser search results, which can trick users into clicking them

Some spoofed wallet websites also host fake wallet apps that trick users into installing them. Figure 10 shows an example of a fake wallet app that even mimics the icon of the legitimate one. Like phishing websites, the fake apps’ goal is to trick users into providing sensitive wallet data.

Screenshots of a smartphone's home screen with icons and the loading page of the fake wallet app.
Figure 10. Fake wallet application installed on an Android device. While its icon has the same color of the brand mascot as the legitimate app (left), its loading page displays a different mascot color instead (right).

Apart from credential-based phishing tactics in websites and apps, Microsoft security researchers also noted a technique called “ice phishing,” which doesn’t involve stealing keys. Rather, it attempts to trick users into signing a transaction that delegates approval of the target user’s tokens to an attacker. More information about ice phishing can be found in this blog.

Scams and other social engineering tactics

Cryptocurrency-related scams typically attempt to lure victims into sending funds of their own volition. One such scam we’ve seen uses prominent social media personalities who seemingly endorse a particular platform. The scammers promise to “donate” funds to participants who send coins to a listed wallet address. Unfortunately, these promises are never fulfilled.

Screen capture of an online video promoting a website and QR codes (redacted) that point to Bitcoin and Ethereum wallets.
Figure 11. Prominent social media personalities inserted in scam-related promotional videos

Social media content creators are also becoming the targets of scam emails. The email messages attempt to trick targets into downloading and executing cryware on their devices by purporting promotional offers and partnership contracts.

Screenshot of an email message about "Promotional offer and partnerships".
Figure 12. Legitimate looking scam email prompting the user to download and execute a malicious file

In such cases, the downloaded or attached cryware masquerades as a document or a video file using a double extension (for example, .txt.exe) and a spoofed icon. Thus, target users who might be distracted by the message content might also forget to check if the downloaded file is malicious or not.

Partial screenshot of Windows Explorer showing a document file "contract.doc". The Command Prompt screenshot beside the first one shows the file actually has a hidden .scr extension.
Figure 13. Executable screensaver (.scr) file masquerading as a Word document (.doc) file

Defending against cryware

Cryptocurrency crime has been reported to have reached an all-time high in 2021, with over USD10 billion worth of cryptocurrencies stored in wallets associated with ransomware and cryptocurrency theft. This shows that just as large cryptocurrency-related entities get attacked, individual consumers and investors are not spared.  

Cryptocurrency trading can be an exciting and beneficial practice, but given the various attack surfaces cryware threats leverage, users and organizations must note the multiple ways they can protect themselves and their wallets. They should have a security solution that provides multiple layers of dynamic protection technologies—including machine learning-based protection.

Microsoft Defender Antivirus offers such protection. Its endpoint protection capabilities detect and block many cryware, cryptojackers, and other cryptocurrency-related threats. Meanwhile, Microsoft Defender SmartScreen in Microsoft Edge and other web browsers that support it blocks phishing sites and prevents downloading of fake apps and other malware. Signals from these solutions, along with threat data from other domains, feed into Microsoft 365 Defender, which provides organizations with comprehensive and coordinated threat defense and is backed by a global network of security experts who monitor the continuously evolving threat landscape for new and emerging attacker tools and techniques.

Users and organizations can also take the following steps to defend against cryware and other hot wallet attacks:

  • Lock hot wallets when not actively trading. This feature in most wallet applications can prevent attackers from creating transactions without the user’s knowledge.
  • Disconnect sites connected to the wallet. When a user isn’t actively doing a transaction on a decentralized finance (DeFi) platform, a hot wallet’s disconnect feature ensures that the website or app won’t interact with the user’s wallet without their knowledge.
Screenshot of a wallet app's UI with "Connected sites" option highlighted.
Figure 14. Some wallet apps allow users to disconnect from sites that they interacted with
  • Refrain from storing private keys in plaintext. Never store seed phrases on the device or cloud storage services. Instead, write them down on paper (or something equivalent) and properly secure them.
  • Be attentive when copying and pasting information. When copying a wallet address for a transaction, double-check if the value of the address is indeed the one indicated on the wallet.
  • Ensure that browser sessions are terminated after every transaction. To minimize the risk of cryware process dumpers, properly close or restart the browser’s processesafterimporting keys. This ensures that the private key doesn’t remain in the browser process’s memory.
  • Consider using wallets that implement multifactor authentication (MFA). This prevents attackers from logging into wallet applications without another layer of authentication.
  • Be wary of links to wallet websites and applications. Phishing websites often make substantial efforts to appear legitimate, so users must be careful when clicking links in emails and messaging apps. Consider manually typing or searching for the website instead and ensure that their domains are typed correctly to avoid phishing sites that leverage typosquatting and soundsquatting.
  • Double-check hot wallet transactions and approvals. Ensure that the contract that needs approval is indeed the one initiated.
  • Never share private keys or seed phrases. Under no circumstances will a third party or even the wallet app developers need these types of sensitive information.
  • Use a hardware wallet unless it needs to be actively connected to a device. Hardware wallets store private keys offline.
  • Reveal file extensions of downloaded and saved files. On Windows,turn on File Name Extensions under View on file explorer to see the actual extensions of the files on a device.

Learn how you can stop attacks through automated, cross-domain security with Microsoft 365 Defender.

Berman Enconado and Laurie Kirk
Microsoft 365 Defender Research Team


Microsoft 365 Defender detections

Microsoft Defender Antivirus

The post In hot pursuit of ‘cryware’: Defending hot wallets from attacks appeared first on Microsoft Security Blog.

Invisible resource thieves: The increasing threat of cryptocurrency miners

The surge in Bitcoin prices has driven widescale interest in cryptocurrencies. While the future of digital currencies is uncertain, they are shaking up the cybersecurity landscape as they continue to influence the intent and nature of attacks.

Cybercriminals gave cryptocurrencies a bad name when ransomware started instructing victims to pay ransom in the form of digital currencies, most notably Bitcoin, the first and most popular of these currencies. It was not an unexpected move digital currencies provide the anonymity that cybercriminals desire. The sharp increase in the value of digital currencies is a windfall for cybercriminals who have successfully extorted Bitcoins from ransomware victims.

These dynamics are driving cybercriminal activity related to cryptocurrencies and have led to an explosion of cryptocurrency miners (also called cryptominers or coin miners) in various forms. Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger. This process rewards coins but requires significant computing resources.

Coin miners are not inherently malicious. Some individuals and organizations invest in hardware and electric power for legitimate coin mining operations. However, others are looking for alternative sources of computing power; as a result, some coin miners find their way into corporate networks. While not malicious, these coin miners are not wanted in enterprise environments because they eat up precious computing resources.

As expected, cybercriminals see an opportunity to make money and they customize coin miners for malicious intents. Crooks then run malware campaigns that distribute, install, and run the trojanized miners at the expense of other peoples computing resources. On March 6, Windows Defender Advanced Threat Protection (Windows Defender ATP) blocked a massive coin mining campaign from the operators of Dofoil (also known as Smoke Loader).

In enterprise environments, Windows Defender ATP provides the next-gen security features, behavioral analysis, and cloud-powered machine learning to help protect against the increasing threats of coin miners: Trojanized miners, mining scripts hosted in websites, and even legitimate but unauthorized coin mining applications.

Coin mining malware

Cybercriminals repackage or modify existing miners and then use social engineering, dropper malware, or exploits to distribute and install the trojanized cryptocurrency miners on target computers. Every month from September 2017 to January 2018, an average of 644,000 unique computers encountered coin mining malware.

Figure 1. Volume of unique computers that encountered trojanized coin miners

Interestingly, the proliferation of malicious cryptocurrency miners coincide with a decrease in the volume of ransomware. Are these two trends related? Are cybercriminals shifting their focus to cryptocurrency miners as primary source of income? Its not likely that cybercriminals will completely abandon ransomware operations any time soon, but the increase in trojanized cryptocurrency miners indicates that attackers are definitely exploring the possibilities of this newer method of illicitly earning money.

We have seen a wide range of malicious cryptocurrency miners, some of them incorporating more sophisticated mechanisms to infect targets, including the use of exploits or self-distributing malware. We have also observed that established malware families long associated with certain modus operandi, such as banking trojans, have started to include coin mining routines in recent variants. These developments indicate widespread cybercriminal interest in coin mining, with various attackers and cybercriminal groups launching attacks.

Infection vectors

The downward trend in ransomware encounters may be due to an observed shift in the payload of one of its primary infection vectors: exploit kits. Even though there has been a continuous decrease in the volume of exploit kit activity since 2016, these kits, which are available as a service in cybercriminal underground markets, are now also being used to distribute coin miners. Before ransomware, exploit kits were known to deploy banking trojans.

DDE exploits, which have also been known to distribute ransomware, are now delivering miners. For example, a sample of the malware detected as Trojan:Win32/Coinminer (SHA-256: 7213cbbb1a634d780f9bb861418eb262f58954e6e5dca09ca50c1e1324451293) is installed by Exploit:O97M/DDEDownloader.PA, a Word document that contains the DDE exploit. The exploit launches a cmdlet that executes a malicious PowerShell script (Trojan:PowerShell/Maponeir.A), which then downloads the trojanized miner: a modified version of the miner XMRig, which mines Monero cryptocurrency.

Other miners use reliable social engineering tactics to infect machines. Cybercriminals have been distributing a file called flashupdate, masquerading the file as the Flash Player. The download link itselfseen in spam campaigns and malicious websitesalso uses the string flashplayer. Detected as Trojan:Win32/Coinminer, this trojanized coin miner (SHA-256 abbf959ac30d23cf2882ec223966b0b8c30ae85415ccfc41a5924b29cd6bd4db) likewise uses a modified version of the XMRig miner.

Persistence mechanisms

For cryptocurrency miners, persistence is a key element. The longer they stay memory-resident and undetected, the longer they can mine using stolen computer resources. While more traditional persistence mechanisms like scheduled tasks and autostart registry entries are common, cybercriminals can also use more advanced methods like code injection and other fileless techniques, which can allow them to evade detection.

One example of coin mining malware that uses code injection is a miner detected as Trojan:Win32/CoinMiner.BW!bit (SHA-256: f9c67313230bfc45ba8ffe5e6abeb8b7dc2eddc99c9cebc111fcd7c50d11dc80), which spawns an instance of notepad.exe and then injects its code. Once in memory, it uses some binaries related to legitimate cryptocurrency miners but runs them using specific parameters so that coins are sent to the attackers wallet.

We also came across a malicious PowerShell script, detected as TrojanDownloader:PowerShell/CoinMiner (SHA-256: 5d7e0fcf45004a7a4e27dd42c131bcebfea04f14540bd0f17635505b42a96d6e), that downloads mining code that it executes using its own parameters. It adds a scheduled task so that it runs every time the computer starts.

Spreading capabilities and other behaviors

Some coin miners have other capabilities. For example, a miner detected as Worm:Win32/NeksMiner.A (SHA-256: 80f098ac43f17dbd0f7bb6bad719cc204ef76015cbcdae7b28227c4471d99238) drops a copy in the root folder of all available drives, including mapped network drives and removable drives, allowing it to spread as these drives are accessed using other computers. It then runs legitimate cryptocurrency miners but using its own parameters.

As trojanized cryptocurrency miners continue evolving to become the monetization tool of choice for cybercriminals, we can expect the miners to incorporate more behaviors from established threat types.

Browser-based coin miners (cryptojacking)

Coin mining scripts hosted on websites introduced a new class of browser-based threats a few years ago. The increased interest in cryptocurrencies has intensified this trend. When the said websites are accessed, the malicious scripts mine coins using the visiting devices computing power. While some websites claim legitimacy by prompting the visitor to allow the coin mining script to run, others are more dubious.

Some of these websites, usually video streaming sites, appear to have been set up by cybercriminals specifically for coin mining purposes. Others have been compromised and injected with the offending scripts. One such coin miner is hidden in multiple layers of iframes.

Figure 2. A sample coin mining script hidden in multiple layers of iframes in compromised websites

We have also seen have seen tech support scam websites that double as coin miners. Tech support scam websites employ techniques that can make it difficult to close the browser. Meanwhile, a coin mining script runs in the background and uses computer resources.

Figure 3. A sample tech support scam website with a coin mining script

Unauthorized use of legitimate coin miners

On top of malware and malicious websites, enterprises face the threat of another form of cryptocurrency miners: legitimate but unauthorized miners that employees and other parties sneak in to take advantage of sizable processing power in enterprise environments.

While the presence of these miners in corporate networks dont necessarily indicate a bigger attack, they are becoming a corporate issue because they consume precious computing resources that are meant for critical business processes. Miners in corporate networks also result in additional energy consumption, leading to unnecessary costs. Unlike their trojanized counterparts, which arrive through known infection methods, non-malicious but unauthorized cryptocurrency miners might be trickier to detect and block.

In January 2018, Windows enterprise customers who have enabled the potentially unwanted application (PUA) protection feature encountered coin miners in more than 1,800 enterprise machines, a huge jump from the months prior. We expect this number to grow exponentially as we heighten our crackdown on these unwanted applications.

Figure 4. Volume of unique computers in enterprise environments with PUA protection enabled that encountered unauthorized coin miners

While non-malicious, miners classified as potentially unwanted applications (PUA) are typically unauthorized for use in enterprise environments because they can adversely affect computer performance and responsiveness. In contrast, trojanized miners are classified as malware; as such, they are automatically detected and blocked by Microsoft security products. Potentially unwanted applications are further differentiated from unwanted software, which are also considered malicious because they alter your Windows experience without your consent or control.

Apart from coin mining programs, potentially unwanted applications include:

  • Programs that install other unrelated programs during installation, especially if those other programs are also potentially unwanted applications
  • Programs that hijack web browsing experience by injecting ads to pages
  • Driver and registry optimizers that detect issues, request payment to fix the errors, and remain on the computer
  • Programs that run in the background and are used for market research

PUA protection is enabled by default in System Center Configuration Manager. Security administrators can also enable and configure the PUA protection feature using PowerShell cmdlets or Microsoft Intune.

Windows Defender AV blocks potentially unwanted applications when a user attempts to download or install the application and if the program file meets one of several conditions. Potentially unwanted applications that are blocked appear in the quarantine list in the Windows Defender Security Center app.

In September 2017, around 2% of potentially unwanted applications blocked by Windows Defender AV are coin miners. This figure has increased to around 6% in January 2018, another indication of the increase of these unwanted applications in corporate networks.

Figure 5. Breakdown of potentially unwanted applications

Protecting corporate networks from cryptocurrency miners

Windows 10 Enterprise customers benefit from Windows Defender Advanced Threat Protection, a wide and robust set of security features and capabilities that help prevent coin minters and other malware.

Windows Defender AV uses multiple layers of protection to detect new and emerging threats. Non-malicious but unauthorized miners can be blocked using the PUA protection feature in Windows Defender AV. Enterprises can also use Windows Defender Application Control to set code integrity policies that prevent employees from installing malicious and unauthorized applications.

Trojanized cryptocurrency miners are blocked by the same machine learning technologies, behavior-based detection algorithms, generics, and heuristics that allow Window Defender AV to detect most malware at first sight and even stop malware outbreaks, such as the massive Dofoil coin miner campaign. By leveraging Antimalware Scan Interface (AMSI), which provides the capability to inspect script malware even with multiple layers of obfuscation, Windows Defender AV can also detect script-based coin miners.

Coin mining malware with more sophisticated behaviors or arrival methods like DDE exploit and malicious scripts launched from email or Office apps can be mitigated using Windows Defender Exploit Guard, particularly its Attack surface reduction and Exploit protection features.

Malicious websites that host coin miners, such as tech support scam pages with mining scripts, can be blocked by Microsoft Edge using Windows Defender SmartScreen and Windows Defender AV.

Corporate networks face the threat of both non-malicious and trojanized cryptocurrency miners. Windows 10 S, a special configuration of Windows 10, can help prevent threats like coin miners and other malware by working exclusively with apps from the Microsoft Store and by using Microsoft Edge as the default browser, providing Microsoft-verified security.

Security operations personnel can use the advanced behavioral and machine learning detection libraries in Windows Defender Endpoint Detection and Response (Windows Defender EDR) to detect coin mining activity and other anomalies in the network.

Figure 6. Windows Defender EDR detection for coin mining malware

Windows Defender EDR integrates detections from Windows Defender AV, Windows Defender Exploit Guard, and other Microsoft security products, providing seamless security management that can allow security operations personnel to centrally detect and respond to cryptocurrency miners and other threats in the network.


Alden Pornasdoro, Michael Johnson, and Eric Avena
Windows Defender Research



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.