4.3 XMRig: Cryptomining For Fun and Profit
Cryptomining by botnets has gained popularity in the past two years. Unlike other common malicious activities like DDoS, ransomware attacks, and confidential information theft, cryptomining has some unique characteristics:
1. Predictable earnings. Cryptominers hide their presence well by keeping their CPU usage within 30%–40%. Based on the reference computing power obtained from open-source information [6], we calculate the expected daily earnings of a bot as follows:
In the first quarter of 2018, the price of Monero reached a lifetime high of over USD 400/XMR. At that peak, each controlled host could bring an attacker up to USD 73 cents/day.
2. Concealed attacker information. A running cryptominer interacts only with a mining pool (a collection of cryptominers operated as a group). An attacker can conceal his or her network information by using only public mining pools. In addition, owing to the anonymity of Monero, little information about the attacker can be obtained from wallets or transaction records. Therefore, in a cryptomining event, the defender typically knows only which hosts are mining cryptocurrency and the wallet addresses to which they are bound. This makes it extremely difficult to track cryptomining activities.
For reference, we list the following cryptographic mechanisms that Monero uses to ensure full privacy and obscurity:
a. Ring signature: a digital signature in which a group of possible signers are merged together to produce a unique signature for authorizing transactions. This makes the sender untraceable.
b. Obfuscated receiving address: transactions can use stealth or one-time addresses to make the receiver untraceable.
c. Ring confidential transactions: the amounts transferred are hidden, so the value of a transaction cannot be read from the blockchain.
Although there are a number of botnet families conducting cryptomining attacks, XMRig has its own communication mechanism separate from the botnet control mechanisms. By identifying and capturing these communications, defenders can detect cryptomining events and further determine their scale.
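As an added illustration (not code from the original report), the following Python snippet shows the defender-side view described above: it parses captured Stratum JSON-RPC "login" requests, the protocol XMRig-style miners use to authenticate to a pool, and groups mining hosts by the wallet address they log in with, since that wallet is usually the only attacker-bound identifier available. The capture lines, IP addresses and wallet strings are constructed samples.

```python
import json
import re
from collections import defaultdict

# Constructed sample capture: one line per observed TCP payload, "src dst:port payload".
# Wallet strings and addresses are placeholders, not real identifiers.
SAMPLE_CAPTURE = """\
10.0.0.5 203.0.113.10:3333 {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4WALLET_A_CONSTRUCTED","pass":"x","agent":"XMRig/5.11.1"}}
10.0.0.7 203.0.113.10:3333 {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4WALLET_A_CONSTRUCTED","pass":"x","agent":"XMRig/5.11.1"}}
10.0.0.9 198.51.100.20:5555 {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4WALLET_B_CONSTRUCTED","pass":"worker1","agent":"XMRig/2.14.1"}}
10.0.0.9 198.51.100.20:5555 {"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"abc","job_id":"1","nonce":"deadbeef","result":"00"}}
10.0.0.11 192.0.2.30:443 GET / HTTP/1.1
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) (.*)$")


def parse_stratum_logins(capture):
    """Yield (src_host, pool, wallet, agent) for every Stratum 'login' request in the capture."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, port, payload = m.groups()
        try:
            msg = json.loads(payload)
        except ValueError:
            continue  # not JSON-RPC, so not a Stratum message (e.g. plain HTTP)
        if msg.get("method") != "login":
            continue  # share submissions and job notifications carry no wallet
        params = msg.get("params")
        if not isinstance(params, dict) or "login" not in params:
            continue
        yield src, f"{dst}:{port}", params["login"], params.get("agent", "")


def mining_campaigns(capture):
    """Group mining hosts by wallet: one wallet approximates one campaign, host count its scale."""
    campaigns = defaultdict(lambda: {"hosts": set(), "pools": set(), "agents": set()})
    for src, pool, wallet, agent in parse_stratum_logins(capture):
        c = campaigns[wallet]
        c["hosts"].add(src)
        c["pools"].add(pool)
        c["agents"].add(agent)
    return {w: {k: sorted(v) for k, v in c.items()} for w, c in campaigns.items()}
```

Run against real traffic, the host count per wallet gives the scale of each campaign, and the pool and agent strings are what analysts correlate across events to attribute a campaign to a botnet family.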
Our analysis of cryptomining events in the past two years shows that, at first glance, botnet families adopt cryptominers irregularly.
Deeper analysis shows that the trend in cryptomining events is directly related to the price of Monero. In the fourth quarter of 2017, the price of Monero reached a record high, making cryptomining an extremely lucrative business. This led to a sudden influx of botnet groups switching to cryptomining. However, as the cryptocurrency price fell in the second half of 2018, a sharp drop in cryptomining events was also seen. In the fourth quarter of 2018, the number of cryptomining events rose slightly, which may be related to the explosive growth of Monero transactions in that quarter.
For the prices and transaction volumes of Monero in the past two years, see the following figure from WorldCoinIndex [7].
While interest in blockchain technology has increased significantly, the cryptocurrency market has suffered a serious decline in the last year. Even if geopolitical events in the coming months again contribute to a rise in cryptocurrency prices, we think the possibility of new cryptominer families emerging is very small. Despite that, considering that the number of cryptomining events rose in the fourth quarter, we should still be on the lookout for such behavior. It would be prudent to add the identification of cryptominer traffic to security monitoring and threat hunting processes. Once such traffic is seen, analysis of the miners' communications helps identify the botnet families involved and develop a mitigation strategy for blocking the attacks at the payload delivery and attack execution stages.
To be continued.