Cheap Mining Software Floods Dark Web Forums
Group-IB is reporting new waves of illegal mining (cryptojacking) threats targeting the networks of commercial and government organizations. According to Group-IB Threat Intelligence, the number of ads on underground forums offering mining software for sale or rent has increased fivefold over the past year (H1 2018 compared to H1 2017).
Widespread Availability of Mining Trojans
Group-IB experts highlight the dangerous trend of mining trojans becoming widely accessible. These programs are designed to exploit other people’s devices and infrastructure for unauthorized cryptocurrency mining. Cryptojacking—the use of a computer’s or network’s processing power to mine cryptocurrency without the owner’s consent or knowledge—remains a relatively popular way to make money, even though the number of related incidents is gradually declining.
In the first half of 2018, Group-IB’s Threat Intelligence system recorded 477 ads on hacker forums for the sale or rental of mining software, compared to just 99 during the same period in 2017—a fivefold increase.
Low Entry Barriers and Cheap Software
The growing number of mining software offers on darknet forums, combined with their relatively low prices, is fueling this trend. The minimum price for covert mining programs was just $0.50, with an average cost of $10.
“The low entry barrier to the ‘black market’ of illegal mining means that even people without technical knowledge or experience in fraudulent schemes are getting involved in cryptocurrency mining,” says Rustam Mirkasymov, a cyber intelligence expert at Group-IB. “With easy access to simple tools for covert mining, many don’t see it as a crime—especially since Russian law still leaves enough loopholes to avoid prosecution for such theft. Arrests and court cases for cryptojacking remain rare, even though most methods of installing mining software violate Articles 272 and 273 of the Russian Criminal Code.”
Risks and Threats to Organizations
Any device—computer, smartphone, IoT device, server, etc.—can be used for cryptojacking. This is why detection systems at the workstation level are not enough. New types of mining software that easily bypass signature-based security systems are constantly emerging. The best response to this threat is to detect mining activity at the network level, using behavioral analysis technologies to identify previously unknown programs and tools.
Group-IB experts warn that mining leads not only to direct financial losses from increased electricity costs, but also threatens business continuity by slowing down corporate systems and increasing hardware wear and tear. Infection with a mining trojan can cause corporate applications, networks, and systems to fail. Unauthorized operation of third-party programs without the business owner’s knowledge can result in reputational damage and compliance or regulatory risks.
Comprehensive Protection Against Cryptojacking
To effectively counter cryptojacking, it’s important to detect all forms of malicious code spreading or operating within the network, using a regularly updated threat intelligence database. Suspicious activity should always be analyzed in a secure, isolated environment, ensuring complete confidentiality of data about infected machines, infrastructure segments, and other resources.
Protection should extend beyond the internal network to include detection of cryptomining tools that run as JavaScript on compromised websites, which attackers use to infect as many victims as possible. Another increasingly common type of fraud is the classic insider threat: companies must also be able to defend against dishonest employees seeking to profit from their employer’s resources.