Cybercriminals Start Focusing on CPU Mining Tools – Continue to Hijack Machines for Cryptocurrency Mining


With an increasing success and profitability of cryptocurrency, criminals have also started to focus their efforts on abusing the largely untraceable currency. If the last two years are any indication, cybercriminals have tried to attack both sides of the financial world, however, thanks to the inherent privacy that cryptocurrency offers, it is becoming a center of the recent campaigns.

While we reported a number of attacks that focused on cryptocurrency (mostly Ethereum in this wave) earlier this summer, attackers aren't only looking at emptying out online wallets. They are also focusing their efforts on recruiting machines for mining. A latest research report from IBM X-Force that the team shared with Wccftech ahead of its publication reveals that there has been a "steep increase" in the number of mining tools used in cyberattacks. The malware containing cryptocurrency coin-mining tools have apparently started to focus more on the enterprise networks and CPU mining.

NVIDIA GeForce RTX 30 LHR Graphics Cards Crypto Mining Unlocked In Linux Operating System Too

"According to IBM Managed Security Services (MSS) data, there have been peaks reaching more than a sixfold increase in attacks involving embedded mining tools in the eight-month period between January and August 2017."

This follows an earlier report by security researchers at GuardiCore, who had revealed that a botnet made up of compromised Windows Server machines was being used for ransomware, data exfiltration, and mining Monero cryptocurrency.

One coin miner tool to rule all the cryptocurrencies?

In the latest research, IBM X-Force said that they spotted the same mining tool used by attackers that had the capability to mine several different coins. Hidden within fake image files, hosted on compromised web servers running Joomla or WordPress, or stored on compromised JBoss Application Servers, the attackers tried to mine several different currencies, including Monero (XMR).

The victim - mostly from a set of targeted industries - would need to visit the compromised page for the attack to be launched. They could also be attacked using malicious email attachments or links.

"Command injection (CMDi) attacks, detected by IBM Security’s managed intrusion detection and prevention system (IDPS) service during the attacks were trying to plant the malicious images on victims’ machines using WGET and CURL shell commands when victims simply visited the page via a link in an email or through visiting a compromised site," the security researchers wrote.

IBM researchers noted two possible scenarios of how the attack was launched:

Hundreds of NVIDIA’s Workstation-Aimed Quadro RTX A4000 Cards Ending Up In Crypto Mining Rigs

  • The attackers scanned for already compromised CMS and then conducted the CMDi (Command injection) attack.
  • Cybercriminals performed both the initial compromise of the web resource and the subsequent CMDi attack.

Focus on a few industries

While it is unclear why the attackers have focused on a few industries, the research reveals that manufacturing and financial services were the most targeted, followed by arts and entertainment, information and communication technology, and retail.

In an email to Wccftech, IBM's security researchers noted that these "percentages indicate attacks on users in those industries, not necessarily the websites owned by those industries." They added that "in this particular case, we're measuring attempted attacks that could have been delivered by phishing emails, watering hole attacks, or simply visiting a compromised site that was previously trusted."

Why CPU coin miner?

Cryptocurrency mining has affected both the pricing and availability of GPUs. While GPUs have large numbers of arithmetic logic units (ALUs) compared to CPUs that allows them to do large amounts of bulky mathematical labor in a greater quantity than CPUs, it may not always be the best choice for an attacker.

Researchers believe that attackers get a larger playing field with more endpoints to enslave when compared to "optional" GPUs. "The CryptoNight mining algorithm employed by CryptoNote-based currency is designed for mining on CPUs and can be efficiently tasked to billions of existing devices (any modern x86 CPU)," the researchers added. They further said that a capability known as smart mining allows CPU mining on the user’s computer "without centralization of mining farms and pool mining."

If you are wondering what currencies attackers are mining, the list includes mostly CryptoNote-based virtual currencies, including:

  • ByteCoin (BCN)
  • Boolberry (BBR)
  • Dashcoin (DSH)
  • DigitalNote (XDN)
  • DarkNetCoin (DNC)
  • Fantomcoin (FCN)
  • Monero (XMR)
  • Pebblecoin (XPB)
  • Quazarcoin (QCN)
  • Anonymous Electronic On-line Coin (AEON)

"Our findings did show the potential for Monero to be slightly more profitable than mining for the more popular bitcoin (BTC), for example, making it perhaps more attractive to attackers," researchers noted. "This may be the reason for the jump in volume of attacks utilizing this type of mining tool."