Palo Alto Networks malware researcher Josh Grunzweig has identified a massive 470,000 unique malware samples that hijack computers to mine cryptocurrency.
Of the samples, an “incredible monopoly” (84 percent) focus on mining Monero (XMR), he said in a Unit 42 (the company’s threat detection arm) report published Monday.
“I’ve found myself continually being in the position of researching a new threat or campaign that results in the delivery of a cryptocurrency miner… I began to investigate how many cryptocurrency miners have historically been identified within Palo Alto Network’s WildFire platform. In doing so, I found a radical upward trend,” he said.
Sampling the Wares
The researcher collected 629,126 total malware samples and analysed 3,773 emails used to connect with mining pools for the research.
He identified links to 2,341 Monero wallets; 981 Bitcoin (BTC) wallets; 131 Electroneum (ETN) wallets, 44 Ethereum (ETH) wallets and 28 Litecoin (LTC) wallets.
A massive 531,663 of the malware samples were mining Monero, he found. Those behind the malware have made nearly $144 million from their activity, he estimated.
“I extracted a total of 2,341 Monero wallets from the analyzed sample set… Looking at the top ten mining pools used by this malware, I determined that all but one allows for anonymous viewing of statistics based off of the wallet as an identifier. This anonymous viewing is intentional, as it allows users to anonymously connect and use various mining pools without inputting any personal identifiable information.”
He added: “By querying the top eight mining pools for all 2,341 Monero addresses, I was able to determine exactly how much Monero has been mined historically with a high degree of accuracy. By querying the mining pools themselves, instead of the blockchain, we’re able to say exactly how much has been mined without the fear of the data being polluted by payments to those wallets via other sources.”
“Incredibly Profitable”
Defeating cryptocurrency miners being delivered via malware is a difficult task, as many malware authors limit the CPU utilisation, or ensure that mining operations only take place during specific times of the day or when the user is inactive, Palo Alto Networks noted. Additionally, the malware itself is delivered via a large number of methods, requiring defenders to have an in-depth approach to security.
“Palo Alto Networks customers have a number of means to combat this threat on their networks, including Traps and Wildfire detections for cryptocurrency miners delivered via malware. Additionally, the stratum App-ID may be used to identify cryptocurrency mining activity and take appropriate actions on it,” the report concluded.
