The rise of cryptocurrency has attracted a lot of attention. Most of the concern has been about regulation and hacks, but a new threat called "cryptojacking" has emerged.

  Cryptojacking is an illegal practice in which hackers hijack users' computing power to mine cryptocurrencies such as Bitcoin and Monero. The proceeds are then sent to the attacker who controls the software.

  Computers infected with cryptojacking malware run much slower, yet victims often do not know they are under attack, because coin-mining malware is hard to spot. Once a machine is compromised, the malicious application runs silently in the background, and the only symptom is degraded performance. Because the malware increases power consumption, the machine slows down and the owner receives an unwelcome electricity bill: the energy required to mine bitcoin may cost between $531 and $26,170.

  Although cryptojacking is a relatively new threat, a recent report from the Cyber Threat Alliance (CTA) shows that the rate of illicit cryptojacking has increased by 459% this year. According to a report released by McAfee Labs in September, after growing by about 400,000 in the fourth quarter of 2017, the number of new crypto-mining malware samples rose by 629% in the first quarter of 2018, to more than 2.9 million. The trend continued in the second quarter: the total sample count grew by 86%, with more than 2.5 million new samples found.

  A new silent killer: WebCobra

  Researchers at McAfee Labs have now discovered a new Russian cryptojacking malware called "WebCobra". Depending on the architecture it finds, WebCobra infects the victim's computer by silently dropping and installing either a Cryptonight miner or Claymore's Zcash miner. McAfee researchers believe the threat arrives via rogue PUP installers, and it has been observed worldwide, with the largest number of infections in Brazil, South Africa and the United States.

  Although McAfee researchers are not entirely sure how this threat spreads, what sets WebCobra apart is how much effort it makes to learn about the victim's system.

  Raj Samani, chief scientist at McAfee, told me: "What's particularly interesting about WebCobra is that it learns everything about the user's system, such as which architecture it is running and whether it has anti-virus technology. This cryptocurrency-mining malware is also unusual because it delivers different miners depending on the configuration of the infected machine. For example, the main dropper is a Microsoft installer that checks the running environment. On x86 systems, it injects Cryptonight miner code into a running process and launches a process monitor. On x64 systems, it checks the GPU configuration and downloads and executes Claymore's Zcash miner from a remote server."

  Once launched, WebCobra drops and extracts a password-protected Cabinet archive:

  [Figure: commands used to extract the dropped files. Source: McAfee Research]

  Samani said: "WebCobra is a nasty infection: once you are infected, you can't even find it." If you don't have up-to-date security software on your computer and it runs slowly, you may not even know why. With ransomware, there is usually a big splash screen telling you that your computer has been infected. WebCobra is an infection that quietly uses your computing resources in the background.

  Rising cryptocurrency prices encourage cryptojacking

  McAfee researchers also found that the rise of cryptojacking, and of WebCobra in particular, tracks the rise in cryptocurrency prices. The increasing value of cryptocurrency drives cybercriminals to use malware that steals machine resources and mines cryptocurrency without the victims' consent.

  For example, the following chart shows how the prevalence of miner malware changes with the price of Monero:

  Samani said: "The growth of cryptojacking is closely tied to the price of cryptocurrency. As the price of digital currency rises, people naturally want to mine more. In the example above, when the price of Monero rises you see growth in mining malware, and as the price of Monero drops you see the malware react. As the value of digital currency has increased, we have seen an increase in cryptojacking."

  Organized crime

  Although cryptojacking is best known as a consumer problem, this form of organized crime also affects governments and enterprises.

  Samani explained: "Cryptojacking is not only aimed at consumers but also at enterprises. If you pay for processing power in a cloud environment, there is a direct cost as well. Generally speaking, this is just a numbers game: the more systems hackers infect, the more money they make. If you are running a cryptojacking campaign, you probably don't care where these people and businesses come from. People also need to understand that this is not just a problem of your computer slowing down; it will actually cost you money in the long run. What we are talking about is organized criminal gangs running these scams, making cryptojacking a form of organized crime in which the victims supply the fuel."

  Recently, researchers found that hackers had stolen the processing power of several Indian government websites and used it for cryptocurrency mining. Hundreds of Indian websites, including the citizen portals of Andhra Pradesh municipal governments, Tirupati Municipal Corporation and Macherla, were found to be infected with cryptojacking malware. Government websites in particular are easy targets because they receive high traffic and people tend to trust them.

  Cryptojacking also targets enterprise systems. PublicWWW found more than 100 sites running the Coinhive JavaScript to mine Monero. The same script has infected more than 200,000 ISP-level routers, and it is among the three most prevalent crypto-mining malware families found on websites.
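The Coinhive script mentioned above leaves two recognisable traces in a page's HTML: a script tag loading the miner library from Coinhive's domain, and an inline call to the documented Coinhive API that constructs a miner and calls .start(). The following scanner, an added example that is not part of the original article or of any McAfee tooling, flags both without executing any script; the sample pages and the site key are constructed placeholders, and the domain list is a deliberately short one that a real deployment would extend from threat intelligence.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

MINER_HOSTS = ("coinhive.com", "authedmine.com")  # short list; extend from threat intel
MINER_CTOR = re.compile(r"new\s+CoinHive\.(Anonymous|User|Token)\s*\(")  # documented API
MINER_START = re.compile(r"\.start\s*\(")


class MinerScanner(HTMLParser):
    """Collect evidence of an embedded miner; the script is never executed."""

    def __init__(self):
        super().__init__()
        self.findings, self._in_script, self._buf = [], False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        src = dict(attrs).get("src") or ""
        host = (urlparse(src).hostname or "").lower()  # handles scheme-less //host/... too
        if any(host == h or host.endswith("." + h) for h in MINER_HOSTS):
            self.findings.append(f"external miner script: {src}")

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        body = "".join(self._buf)
        if MINER_CTOR.search(body) and MINER_START.search(body):
            self.findings.append("inline script constructs and starts a CoinHive miner")
        self._in_script, self._buf = False, []


def scan_html(html):
    """Return a list of findings; an empty list means no miner indicators."""
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages (not real sites); the site key is a placeholder.
CLEAN_PAGE = """<html><head><script src="https://cdn.example/jquery.min.js"></script>
<script>window.dataLayer = []; dataLayer.push({event: "pageview"});</script></head></html>"""
MINING_PAGE = """<html><head><script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER", {throttle: 0.3});
miner.start();</script></head><body>Hello</body></html>"""
```

Run scan_html over fetched page bodies (or over the HTML your router or proxy injects into responses) and alert on any non-empty result; a page that loads the library but never calls .start() still shows up via the external-script finding.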

  Moreover, in some cases cryptojacking targets a specific group rather than a potentially broad set of victims. On a Russian forum, cryptojacking malware targeted gamers by posing as a "mod" that claimed to enhance popular games. Gamers were tricked into downloading the malware, which then used their computer resources to turn a profit for the attackers.

  While crypto-mining malware mainly targets PCs, other devices have also become victims. For example, Android phones in China and South Korea have been exploited by the ADB.Miner malware to mine Monero for its criminal operators.

  Protect yourself from cryptojacking

  Unfortunately, coin-mining malware will keep evolving as cybercriminals use this relatively simple way to steal value. Mining coins on someone else's system requires less investment and carries less risk than ransomware, and it does not depend on what proportion of victims agree to pay. Attackers can profit for a long time before users realize that their machines are mining in support of crime.

  However, some steps can be taken to protect systems from crypto-mining malware. According to Samani, no security system is immune to hacker attacks.

  "There has to be good cyber hygiene. For example, don't click on random links. Keeping security software up to date is very important for catching known mining software. There are other things that can help, such as browser extensions that detect abnormal CPU load. WebCobra, however, operates covertly. Of course, if your computer runs slowly it doesn't necessarily mean you have become a victim of crypto-mining, but you need the right technology to identify the problem."
