Cryptojacking On The Rise: WebCobra Malware Uses Victims' Computers To Mine Cryptocurrency
The rise of cryptocurrency has resulted in a number of concerns. Yet while regulations and cryptocurrency hacks seem to be the primary worries, a new threat known as “cryptojacking” has entered the picture.
Cryptojacking is an illegal process in which hackers hijack a users computing power to mine for cryptocurrencies, like Bitcoin and Monero. Funds are then sent to the hacker in control of the software.
Computers infected with cryptojacking malware run much slower, and often victims are not even aware that their computers are being attacked, as “coin mining” malware is difficult to detect. Once a machine is compromised, a malicious app runs silently in the background with just one sign: performance degradation. As the malware increases power consumption, the machine slows down, leaving the owner with an unwelcome bill, as the energy it takes to mine a single bitcoin can cost anywhere from $531 to $26,170.
And while cryptojacking is a relatively new threat, a recent report from the Cyber Threat Alliance (CTA) indicates a massive 459% increase in the rate of illegal cryptojacking this year. According to a report from McAfee Labs released in September, after growing around 400,000 in the fourth quarter of 2017, new crypto mining malware samples increased by 629% to more than 2.9 million samples in Q1 of 2018. This trend continues in Q2 as total samples grew by 86% with more than 2.5 million new samples detected.
A New Silent Killer: WebCobra
McAfee Labs researchers have now discovered a new Russian cryptojacking malware, known as “WebCobra.” WebCobra infects a victim’s computer by silently dropping and installing the Cryptonight miner or Claymore's Zcash miner, depending on the architecture WebCobra finds. McAfee researchers believe this threat arrives via rogue PUP installers and have observed it across the globe, with the highest number of infections occurring in Brazil, South Africa, and the United States.
While McAfee researchers are not entirely sure how this threat propagates, the WebCobra malware is unique in that it does everything possible to learn about the victim’s system.
What is particularly interesting about WebCobra is that it learns everything possible about the user’s system, like what kind of architecture they are running, if there is anti-virus technology, etc. This cryptocurrency mining malware is also uncommon in that it drops a different miner depending on the configuration of the machine it infects. For instance, the main dropper is a Microsoft installer that checks the running environment. On x86 systems, it injects Cryptonight miner code into a running process and launches a process monitor. On x64 systems, it checks the GPU configuration and downloads and executes Claymore's Zcash miner from a remote server," Raj Samani, Chief Scientist and McAfee fellow, told me.
After launching, the WebCobra malware drops and unzips a password-protected Cabinet archive file with this command:
WebCobra is a nuisance infection - once you are infected, you don’t even know about it. And if you don’t have updated security software on your computer and it’s running slowly, you might not even know the reason why. With ransomware, there is usually a big splash on the screen telling you your computer has been infected. WebCobra is an infection that silently sits in the background and uses your computing resources," Samani said.
Increasing Cryptocurrency Prices Fuels CryptoJacking
McAfee researchers have also discovered that the rise of cryptojacking, particularly in the case of WebCobra, is tied with the rise of cryptocurrency prices. The increase in the value of cryptocurrencies has inspired cybercriminals to employ malware that steals machine resources to mine crypto-coins without the victims’ consent.
For example, the following chart shows how the prevalence of miner malware follows changes in the price of Monero cryptocurrency:
The growth of cryptojacking is tied closely with the price of cryptocurrencies. As the price of digital currencies increases, people will naturally want to mine more. In the case of the chart above, as the price of Monero goes up, you see the mining malware increase. As the price of Monero, decreases you see the malware respond to that. We are seeing a rise in cryptojacking as digital currencies increase in value," Samani said.
Victims Of Organized Crime
While it may appear that consumers should be most aware of cryptojacking, this form of organized crime is impacting governments and enterprises as well.
Cryptojacking isn’t just a story for the consumer, but also for enterprises. If you are paying for processing power in a cloud environment, then that will have a direct cost as well. Overall, this is just a numbers game. The more systems hackers infect, the more money they can make. If you are running a cryptojacking campaign, then most likely you don’t care where the people and businesses are from. People also need to understand that this isn’t just about your computer getting slower, but actually, this is going to cost you money over the long term. We are talking about organized criminal gangs running these scams, making cryptojacking a form of organized crime that victims are helping fuel," Samani explained.
Recently, researchers found that hackers stole the processing power of several Indian government websites to mine for cryptocurrencies. Citizen portals such as the municipal administration of Andhra Pradesh (AP), Tirupati Municipal Corporation and Macherla municipality are among the hundreds of Indian websites that were found to be infected by cryptojacking malware. Government websites, in particular, are prone to cryptojacking due to high traffic and because people tend to trust these websites.
Moreover, in some cases, cryptojacking targets specific groups, rather than a broad field of potential victims. One cryptojacking malware strain has targeted gamers on a Russian forum by posing as a “mod” claiming to enhance popular games. Gamers were tricked into downloading the malicious software, which proceeded to use their computer resources for profit.
And while crypto mining malware primarily targets PCs, other devices have become victims. For instance, Android phones in China and Korea have been exploited by the ADB.Miner malware into producing Monero cryptocurrency for its perpetrators.
Protecting Yourself From Cryptojacking
Unfortunately, coin mining malware will continue to evolve as cybercriminals take advantage of this relatively easy path to stealing value. Mining coins on other people’s systems require less investment and risk than ransomware and do not depend on a percentage of victims agreeing to send money. Until users learn they are supporting criminal miners, the latter have much to gain.
However, there are steps that can be taken to secure systems from being infected by coin mining malware. According to Samani, systems without any form of security are more prone to hacks.
Good cyber hygiene is a must here. For instance, don’t click on random links and having updated security software is crucial in terms of the known mining software that’s out there. There are other things that can help such as browser add on extensions that can detect abnormal loads in CPU usage. However, the WebCobra virus is surreptitious. Of course, if your computer is running slow it doesn’t mean you have fallen victim to crypto mining, but you need the right technology to identify this problem.”