With the loss of business due to Covid-19, cryptocurrency has had a resurgence in uptake. Offers of better mining, and group mining from legitimate organizations have seen small business jump on the opportunity to increase revenue through currency mining. Unfortunately, this has also seen an increase in activity for exploits though the mining software.
History to new activity
In the past the threat was confined to crypto hijacking. Sending a malware application to the unsuspecting user, and then installing, unaware to the user, an application that would start mining - commonly called cryptojacking. This prompted increases in malware protection and protection policies, that saw the problem move to more sophisticated means through social engineering and so on.
However, with the increase in unemployed workers and business loss due to covid-19, personal computers started to be assigned to the task of crypto mining to try and get people out of difficult spots. This increase in activity did not go unnoticed, and dark web actors turned their minds to exploiting these new users through their own uptake of mining software. This was great news to the hackers, as they no longer needed to force the malware or exploits as users voluntarily downloaded it through legitimate actors.
Before I explain how it is important to note that the exploit being deployed is known in the core code, and it appears that it has been unfixed as it allows Bitcoin to increased profits, or so some of the actors who exploit the code explain. They claim that they do this to bring awareness as bitcoin is ignoring their statements to them of how it exist and what it does.
So how does it work? Its very simple really, a user engaging in mining, signs up to a group management site and downloads a software mining application so that they can mine cryptocurrency in the group, or cloud pool - a pool they add from the machines they have, or friends and do on (cudominer is one as an example). The installed mining application reports to the sever and starts the mining process for the group based on the parameters and hardware set in the management site. Simple so far, the miner then goes off and starts mining and the user can see the hashes being generated and the approximate bitcoin currency they should earn in the month.
The exploit works in a two fold manner. First it allows the dark web to see your miners IP and add it to the botnet network. An attacker can then inject set of code to exploit your machine to process mining for other users not in your group, but are reported as your group in the form of a fee, which is then record to bitcoin as a legitimate fee. This fee is delivered to the botnet manager application available for purchase on the dark web by the actor setting-up the exploit.
The second issue relates to the code continuing even after closing the application. A user may close the miner, and think, right now I can do something else and leave it be. Unknown to the user, the miner may be turned on remotely by the exploiter and grab bitcoin from your machine/pool, and you will never know as it stays under the radar by not using 100% of the processor, it only becomes noticeable when using another application needing high resources, such as gaming, as it begins to slowdown or periodically freeze. Harder to notice on higher end gaming hardware due to the speed of allocating resources as calculations which appears more as latency than cpu/gpu load. What's worse, is you pay the power bill, they get 100% of the unseen transactions. The management software never sees it occurring, but the bitcoin is calculated to the exploited application and sent to the actor exploiting the flaw which is calculated off through bitcoin as legitimate due to the setup pool design.
The software is successful because you, the installer, have approved it to bypass your defenses (Windows defender etc) at install as it reports legitimately as a signed MS application from a legitimate company who is also likely to be unaware of the exploit as it is part of the core code working as intended.
We actively tested the issue above after discovering websites on the dark web that advertised the exploits for use.
In our tests we saw as follows:
1 Active exploit to a large pool of devices that allowed for the collection of 2.5 bitcoin, undermining the value of bitcoin currency.
2 Active exploit of the miner application in Windows 10 that could not be closed in the task manager.
3 On reboot, the exploited miners became active again, meaning the miner code had been lodged into the startup code of the OS.
We also express additional concerns arise as to weather this exploit could be used for other malicious purposes?
We notified cudominer of our discovery, with no response, and we have confirmed that the calculations are short the sums we calculated for load and mining allocation compared to the reported sum in cudominer manager.
1. Reconfigure your miners default setting manually by disconnecting from the pools default, and disable startup. Check the miner manager is disabled in your startup tab under task manager. Then uninstall the software and check to confirm that the antimalware settings have been removed. Reboot and test again.
2. Reset of the antimalware back to default is also recommended, it is easier to re approve apps than have the exploit active.
If you must run
If you must run the code, and we understand why you might need too, place the code on a computer that only operates this code, and make sure it is firewalled from your main network. When you have finished the mining for the period you allocated, physically shutdown and turn off the machine until you need it next.
Remember that the code exploit sends money to the botnet for any form of criminal activity, and to date Anon has advised over 100million in bitcoin has been generated to date, so run these miner managers is not recommended until this exploit is fixed.