Cybercriminals Make Millions with Trojan Miners and Cyber Espionage Techniques
Experts from Kaspersky Lab have released a report titled Mining is the New Black, highlighting the growing popularity of mining malware among cybercriminals. According to the researchers, 2.7 million users were targeted by miner attacks in 2017—an increase of nearly 50% compared to 2016 (1.87 million). Victims were often infected through adware, pirated software, and counterfeit games, which criminals use to secretly compromise computers.
Miner Attacks in 2017
The report notes that not only have miner attacks become more widespread, but they have also grown more sophisticated. Some attackers are now using targeted attack techniques, which are more commonly seen in advanced cyber-espionage campaigns or in the activities of APT (Advanced Persistent Threat) groups. Analysts estimate that in just the last six months of 2017, criminals earned several million dollars through these methods.
Experts attribute this trend to the declining popularity of ransomware: mining malware offers a similar monetization mechanism. With ransomware, the malware infects a system and encrypts its files, and the criminals demand a ransom from the victim. With miners, the malware infects the system and uses the victim’s CPU or GPU power to mine cryptocurrency, generating profit for the attackers. Ultimately, the criminals simply use an exchange service to convert the cryptocurrency into real money.
Monetization Scheme
“Ransomware is fading into the background, giving way to miners. Our statistics confirm this, as does the fact that cybercriminal groups are actively refining and improving their methods. They are now using advanced infection techniques to spread malware. We’ve seen similar trends before—ransomware hackers used comparable tricks during their peak,” says Anton Ivanov, lead antivirus expert at Kaspersky Lab.
Analysts describe these sophisticated attacks as follows: Victims are tricked into downloading and installing adware that contains a hidden miner. The installer operates like a legitimate Windows utility (msiexec), with the main goal of downloading the miner from a remote server. Once the program starts, a legitimate process is launched, but its in-memory code is replaced with malicious code (a process-hollowing technique). As a result, the trojan runs under the guise of a legitimate process, making it difficult for users to detect the infection. Additionally, it becomes impossible to cancel the task—if the user tries to stop the operation, the system reboots. This allows criminals to maintain a long-term presence on the infected system.
Open Source Miners and Mining Pools
Researchers note that 80% of cybercriminals use legitimate open-source miners and rely on well-known mining pools. The most popular choice among attackers is Nanopool.
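The two observations above give a defender something concrete to look for: a miner launched with a pool endpoint on its command line, or a legitimate Windows binary (the hollowed host process described earlier) that reaches out to a public mining pool. The following script is an added illustration of that detection logic, not code from Kaspersky Lab or the report. It runs over constructed telemetry records; Nanopool is the only pool named on the page, the other pool pattern, the process names, hostnames, port and wallet placeholders are all assumptions for the example.

```python
"""Flag miner activity in constructed process/network telemetry.

Heuristics drawn from the report text: a command line that carries a
stratum pool URL, or a legitimate Windows process that unexpectedly
contacts a public mining pool. All records below are constructed.
"""
import re
from dataclasses import dataclass

# Assumption: pool domains to watch. Nanopool is named in the report; the
# second entry is a placeholder an analyst would replace from their own intel.
POOL_DOMAIN_PATTERNS = [
    re.compile(r"(^|\.)nanopool\.org$", re.I),
    re.compile(r"(^|\.)example-pool\.invalid$", re.I),  # placeholder
]
# "stratum+tcp://" / "stratum+ssl://" is the URL scheme open-source miners
# use to address a pool endpoint.
STRATUM_RE = re.compile(r"stratum\+(tcp|ssl)://", re.I)
# Windows binaries that have no business talking to a mining pool.
# Assumption: a representative set, not an exhaustive list.
SYSTEM_IMAGES = {"msiexec.exe", "svchost.exe", "explorer.exe", "notepad.exe"}


@dataclass
class Event:
    kind: str            # "process" (creation) or "network" (outbound connection)
    pid: int
    image: str           # basename of the executable image
    cmdline: str = ""    # only meaningful for "process" events
    dest_host: str = ""  # only meaningful for "network" events


def is_pool_host(host: str) -> bool:
    """True when the destination matches one of the watched pool domains."""
    return any(p.search(host) for p in POOL_DOMAIN_PATTERNS)


def analyse(events):
    """Return (pid, reason) findings, one per suspicious event, in input order."""
    findings = []
    for e in events:
        if e.kind == "process" and STRATUM_RE.search(e.cmdline):
            findings.append((e.pid, f"{e.image}: stratum pool URL on command line"))
        elif e.kind == "network" and is_pool_host(e.dest_host):
            if e.image.lower() in SYSTEM_IMAGES:
                # The hollowed-process case: a trusted image, untrusted behaviour.
                findings.append((e.pid, f"{e.image}: system binary contacting mining pool {e.dest_host}"))
            else:
                findings.append((e.pid, f"{e.image}: connection to mining pool {e.dest_host}"))
    return findings


# Constructed sample telemetry: an adware installer, a stand-alone miner,
# a hollowed notepad.exe, and one benign connection that must not be flagged.
SAMPLE_EVENTS = [
    Event("process", 1201, "msiexec.exe", cmdline="msiexec.exe /i adware_bundle.msi /qn"),
    Event("process", 1340, "miner.exe",
          cmdline="miner.exe -o stratum+tcp://pool-a.nanopool.org:PORT -u WALLET_PLACEHOLDER"),
    Event("network", 1340, "miner.exe", dest_host="pool-a.nanopool.org"),
    Event("network", 1402, "notepad.exe", dest_host="pool-a.nanopool.org"),
    Event("network", 1502, "browser.exe", dest_host="updates.example.com"),
]

if __name__ == "__main__":
    for pid, reason in analyse(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The installer event deliberately produces no finding: msiexec running an MSI is normal, and the report's point is that the detectable anomaly appears later, when a process that should never mine starts talking to a pool. In practice the domain list would be fed from threat intelligence and the system-image set from the organisation's own baseline.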