What is illicit cryptomining?

Illicit cryptominer is potentially unwanted or malicious code designed to hijack idle processing power of a targeted device and misuse it to mine cryptocurrency. The mining activity is usually hidden or runs in the background without obtaining consent from the user or admin.

What is illicit cryptomining?

Illicit cryptominer is potentially unwanted or malicious code designed to hijack idle processing power of a targeted device and misuse it to mine cryptocurrency. The mining activity is usually hidden or runs in the background without obtaining consent from the user or admin.

Reading time icon

4 min read

Reading time icon

4 min read

How do illicit cryptominers work?

There are two main types of illicit cryptominers:

1. Binary-based – malicious applications downloaded and installed onto the targeted device with the goal to mine cryptocurrency. ESET security solutions categorize most of these applications as Trojans.

2. Browser-based – malicious JavaScript embedded into a web page or some of its parts/objects, designed to mine cryptocurrency via the browsers of the site’s visitors. This method is dubbed cryptojacking and has become increasingly popular with cybercriminals since mid-2017. ESET detects the majority of cryptojacking scripts as potentially unwanted applications (PUAs).

Warning

Most illicit cryptominers attempt to mine Monero or Ethereum. These cryptocurrencies offer cybercriminals several benefits over the better-known bitcoin: they have a higher level of transaction anonymity and, most importantly, can be mined with regular CPUs and GPUs instead of expensive and specialized hardware. Cryptomining and cryptojacking attacks have been detected on all popular desktop platforms, as well as on Android and iOS.

Cryptominers image

Why should SMB care about illicit cryptominers?

A total of 30% of organizations in the United Kingdom fell victim to a cryptojacking attack in the previous month, a recent survey among 750 IT executives across the UK has found. These statistics document two things:

1. Despite illicit cryptomining posing a threat with seemingly lower severity, organizations should not underestimate the risk it represents. Mining usually hijacks a large portion of hardware’s processing power reducing performance and productivity. The power-intensive process causes additional stress to the hardware components and can damage targeted devices, shortening their lifespans.

2. Cryptominers expose vulnerabilities in an organization’s cybersecurity posture, which can lead to potentially more severe compromises and disruptions. Due to their higher and concentrated performance, business infrastructures and networks are a more valuable target than consumer devices, promising the attacker higher earnings within a shorter timeframe.

Illicit cryptominers image

How to recognize a cryptomining attack?

Cryptomining and cryptojacking are typically associated with extremely high processor activity, which has noticeable side effects. Watch out for the following:

  • Visibly reduced performance and productivity of the infrastructure
  • Unusual energy consumption
  • Suspicious network traffic

On Android devices additional computational load causes:

  • Shorter battery life
  • Noticeably increased device temperature
  • Lower device productivity
  • Physical damage from “bloating” of the battery in worst case scenarios

How to keep your organization protected from cryptominers?

1. Protect their endpoints, servers and other devices with reliable and multilayered security solutions able to detect potentially unwanted (PUA) cryptomining scripts as well as cryptomining Trojans.

2. Implement Intrusion Detection Software (IDS) that helps identify suspicious network patterns and communication potentially tied to illicit cryptomining (infected domains, outgoing connections on typical mining ports such as 3333, 4444 or 8333, signs of persistence, etc.).

3. Increasenetwork visibility by using a remote management console to enforce security policies, monitor system status as well as security of company endpoints and servers.

4. Train all employees (including top management and network administrators) in how to maintain good cyber-hygiene and create and use strong passwords, reinforced with two-factor authentication, increasing the protection of company systems in case passwords are leaked or bruteforced.

Additional measures

5. Follow the principle of least privilege. All users should only have user accounts with as few permissions as possible, that allow them to complete their current tasks. This approach significantly lowers the risk of users and admins being manipulated into opening or installing cryptominers or other malicious software in a device connected to the company network.

6. Use application controls that narrow the software allowed to run to a minimum, preventing the installation of cryptomining malware.

7. Implement a good update and patching policy to significantly lower the chance of an organization being compromised via previously-known vulnerabilities as many advanced cryptominers use known exploits, such as EternalBlue, for their primary distribution.

8. Monitor company systems for excessive power usage or other energy consumption anomalies that might point to unsolicited cryptomining activity.

Prevent cryptomining now

ESET Endpoint Protection Advanced Cloud bundle card

Get effective protection against cryptomining with ESET multilayered endpoint security solutions able to detect potentially unwanted (PUA) cryptomining scripts as well as cryptomining Trojans. Includes Ransomware Shield and LiveGrid® protection via the cloud and network attack protection. Combine ESET’s powerful scanning engine with ESET Cloud Administrator (ECA) and gain detailed network visibility.

Related topics