Hacker Tactics - Part 4: Cryptominers

March 8, 2018 | Brady Sullivan

Adversaries are constantly changing and improving how they attack us. In this six-part series we’ll explore new or advanced tactics used by threat actors to circumvent even the most cutting-edge defenses.

Cryptocurrencies, like Bitcoin or Ethereum, have become exponentially more popular over the last year. Due to the vast influx of new users to these technologies, the market for cryptocurrencies has skyrocketed. By the end of 2017, the price of Bitcoin had increased by about 750%, with most other cryptocurrencies not far behind. Because of this, cybercriminals have caught on to the fact that there is a lot of money to be made in both stealing and mining cryptocurrencies.

What are Cryptominers?

Cryptominers are software that “mine” cryptocurrency. Cryptocurrencies are generally based on blockchain technology, which requires an extensive amount of computational power to keep alive. In order for these currencies to work, computers around the globe must be constantly working towards solving various computationally heavy math problems. Those who contribute computational work to the blockchains are then rewarded with an amount of the cryptocurrency proportional to the work done.

Cryptominers can be found in any type of malware. They are often configured to run in the background of your computer, turning on when they notice little user activity. When they turn on, the computer generally becomes noticeably sluggish, because more processing power is being used to mine cryptocurrencies instead of for normal tasks such as web browsing. These cryptominers will often turn off immediately when they see human interaction so as to avoid suspicion.

When cryptominers are running you will hear much faster fan speeds on the computer as the CPU will be running hotter than usual from the extra computation. This can damage older, poorly ventilated machines and shorten the lifespan of newer machines. It will also drain the batteries of laptops or mobile devices incredibly fast.

Why are they used?

By leveraging hundreds of infected machines, cybercriminals can use this computational power to mine a given cryptocurrency. As a reward for contributing computational power, cryptocurrency is deposited into a wallet that is controlled by the attacker, letting them directly profit off of the stolen CPU cycles. One campaign that was tracked by ESET netted the thieves $63,000 worth of Monero over the course of only three months.

How are they used?

Cybercriminals are starting to move away from schemes such as ransomware, where they can make large amounts of money quickly but end up exhausting their victims after the first ransom. Instead of using up infected machines in one-off payouts, it is common to see cryptominers installed. This provides a steady, recurring payment back to the criminals.

It is also becoming more common to find cryptominers embedded in the advertisements of web pages. This means that simply by visiting a website you will start to generate income for either the owner of the website, if they purposefully put it there, or for a criminal who has compromised the website or advertising agency.


Cybercriminals have used cryptocurrencies for quite a while now but mostly as a form of untraceable payment. Darkweb forums and markets often sell malware and other nefarious goods using anonymized cryptocurrencies such as Monero or ZCash. Cryptocurrency is also the only method of payment in modern ransomware infections, where victims must send money to the attacker in exchange for their files back.

The first cryptocurrency, Bitcoin, was started in 2009. Since then, several different cryptocurrencies have emerged. These all rely on vast amounts of computational power to function. Cryptominers have been found in malware for a number of years now, but only recently have they become overwhelmingly profitable. Cybercriminals have noticed and shifted their attacks accordingly. They are now installing long-running cryptominers onto victims’ machines. Drive-by miners in online advertisements are also becoming much more popular.

Legitimate use of browser-based mining is also becoming more widespread, as website owners are now attempting to supplement or replace advertisement income with cryptomining. This allows websites to limit or remove annoying advertisements, something users greatly appreciate, and instead replace them with a silent payment system that uses the users’ processing power while they visit the site.

Because of the illegitimate use of cryptomining software, anti-malware tools, such as Malwarebytes, have blocked this legitimate traffic in addition to the malicious traffic. This opens up the problem of how to distinguish legitimate usage from illegitimate usage, and whether it is still viable to use cryptomining as a substitute for advertisements.

How do you defend against Cryptominers?

Anti-malware and IoC hash alerting is a first layer of defense against unwanted software running on your systems. While this type of malware isn’t particularly destructive, it is best to remove infections as soon as possible. Since cryptominers make more money with more infections, the malware is likely to be highly contagious to other systems on the network.

In addition to defending against malware signatures, there are network-based indicators that can also be used to detect an infection. Cryptominers need to communicate back to a swarm, or pool, in order to receive payment for the computational work they output. By alerting on these network connections, you will be able to spot cryptomining in its early stages.
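One way to alert on miner-to-pool traffic, shown as an added example that is not part of the original article: it looks for the Stratum JSON-RPC messages that miners commonly exchange with pools in cleartext. The method names are background knowledge brought in for this example, and the flow tuple format, IP addresses and wallet string are constructed.

```python
import json

# Stratum JSON-RPC method names (background knowledge added for this example).
BTC_STYLE = {"mining.subscribe", "mining.authorize", "mining.submit"}
XMR_STYLE = {"login", "getjob", "submit", "keepalived"}
XMR_PARAM_KEYS = {"login", "job_id", "id"}   # keys seen in Monero-style params


def classify_payload(line):
    """Label one newline-delimited TCP payload line, or return None."""
    try:
        msg = json.loads(line)
    except ValueError:
        return None                      # not JSON (HTTP, TLS, binary)
    if not isinstance(msg, dict) or not isinstance(msg.get("method"), str):
        return None
    method, params = msg["method"], msg.get("params")
    if method in BTC_STYLE:
        return "stratum"
    # "login"/"submit" are generic words, so also require Monero-style params
    if method in XMR_STYLE and isinstance(params, dict) and XMR_PARAM_KEYS & params.keys():
        return "stratum-xmr"
    return None


def find_miners(flows):
    """flows: (src_ip, dst_ip, dst_port, payload_line) -> {src: {(dst, port, label)}}"""
    alerts = {}
    for src, dst, port, payload in flows:
        label = classify_payload(payload)
        if label:
            alerts.setdefault(src, set()).add((dst, port, label))
    return alerts


# Constructed sample flows (documentation IP ranges, placeholder wallet).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 3333, '{"id":1,"jsonrpc":"2.0","method":"login",'
     '"params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"miner/0.0"}}'),
    ("10.0.0.5", "203.0.113.10", 3333, '{"id":2,"jsonrpc":"2.0","method":"submit",'
     '"params":{"id":"s1","job_id":"j1","nonce":"00000000","result":"00"}}'),
    ("10.0.0.7", "198.51.100.4", 443, "GET / HTTP/1.1"),
    # A web application's own login API: same method name, not Stratum.
    ("10.0.0.8", "198.51.100.9", 8080, '{"method":"login","params":["alice","pw"]}'),
    ("10.0.0.9", "203.0.113.20", 3256, '{"id":1,"method":"mining.subscribe","params":[]}'),
]

if __name__ == "__main__":
    for host, hits in sorted(find_miners(SAMPLE_FLOWS).items()):
        print(host, sorted(hits))
```

Payload matching only sees cleartext Stratum; pool connections wrapped in TLS have to be caught by destination or flow-pattern indicators instead.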

Anomalous resource usage is another indicator of cryptomining, as CPU and GPU usage will increase dramatically. Some malware will only turn on mining when it believes the computer is not being used, which means you may not notice a spike in resource use during regular hours. Instead, look for high usage during off hours for a high-fidelity indicator of malicious activity on the system.
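The off-hours check described above, as an added example that is not part of the original article: it scans CPU telemetry for sustained high usage outside business hours. The sample tuple format, host names, business hours, threshold and durations are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

WORK_START, WORK_END = 8, 18            # assumed business hours, local time
CPU_THRESHOLD = 85.0                    # assumed percent
MIN_DURATION = timedelta(minutes=30)    # shorter bursts are ignored
MAX_GAP = timedelta(minutes=10)         # a longer gap between samples ends a run


def is_off_hours(ts):
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def off_hours_cpu_runs(samples):
    """samples: (host, datetime, cpu_percent) in any order.
    Returns {host: [(start, end), ...]} for sustained off-hours high-CPU runs."""
    by_host = {}
    for host, ts, cpu in samples:
        by_host.setdefault(host, []).append((ts, cpu))
    findings = {}
    for host, rows in by_host.items():
        rows.sort()
        start = prev = None
        # The sentinel row closes a run that is still open at the end of the data.
        for ts, cpu in rows + [(datetime.max, 0.0)]:
            hot = cpu >= CPU_THRESHOLD and is_off_hours(ts)
            if start is not None and (not hot or ts - prev > MAX_GAP):
                if prev - start >= MIN_DURATION:
                    findings.setdefault(host, []).append((start, prev))
                start = None
            if hot:
                start = ts if start is None else start
                prev = ts
    return findings


def _series(host, begin, minutes, cpu, step=5):
    """Build constructed telemetry: one sample every `step` minutes."""
    return [(host, begin + timedelta(minutes=m), cpu) for m in range(0, minutes + 1, step)]


# Constructed samples; 2018-03-06 is a Tuesday.
SAMPLES = (
    _series("ws-01", datetime(2018, 3, 6, 1, 0), 60, 97.0)        # pegged 01:00-02:00
    + _series("ws-01", datetime(2018, 3, 6, 10, 0), 60, 12.0)     # quiet in work hours
    + _series("build-02", datetime(2018, 3, 6, 10, 0), 60, 95.0)  # busy, but in hours
    + _series("ws-03", datetime(2018, 3, 6, 23, 0), 10, 99.0)     # 10-minute burst only
)
```

Hosts with scheduled overnight work such as backups or batch jobs will also match, so compare findings against a list of known jobs before escalating.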

About the Author

Brady Sullivan

Brady Sullivan is a part of the Intelligence Acquisition team at Anomali where he focuses on the latest vulnerabilities and threat campaigns affecting the industry. He has spent the last 10 years as a security practitioner, researching and defending against cyber threats. Brady is a Portland State University graduate with a BS in Computer Science and is a privacy and security advocate.
