Monero is a popular form of cryptocurrency, and it’s also the most common digital coin for cryptomining malware. There are two main reasons for Monero’s popularity with cyberattackers. The first is, it’s the cryptocurrency that’s generated by the Coinhive web-based cryptominer, which when deployed (with the consent of website owners and webpage visitors), is actually not malware.
What does Monero say?
As described in Monero’s recent press release: “Monero is a powerful tool that prioritizes privacy, security, decentralization, and fungibility. It includes several design components, including an accessible Proof of Work (PoW) algorithm and mandatory privacy to better meet these objectives. Monero is most often used for good. Thousands of transactions per day are used for speculation, securing the network, and for everyday purchases. Several nonprofits including UNICEF Australia, BailBloc, and Change.org allow users to mine Monero by simply visiting a website. The proceeds support various philanthropic causes. Other websites allow users to opt-in to mine instead of viewing advertising.”
Monero’s developers are especially proud of how Monero cryptominers can generate money for charitable organizations. But there’s another aspect of Monero’s popularity with cryptojacking cyberattackers, as described by Brian Krebs earlier this year: “Monero differs from Bitcoin in that its transactions are virtually untraceable, and there is no way for an outsider to track Monero transactions between two parties. Naturally, this quality makes Monero an especially appealing choice for cybercriminals.”
For the time being, the Monero Malware Workgroup website at mrw.getmonero.org is only posting in English, but other languages will likely become available soon. It starts with a friendly introduction:
Hello.
You’re probably here because you’ve got a Monero malware problem. We’re here to help.
First, please understand that Monero itself is not a malicious technology. It’s a neutral, safe, and private cryptocurrency. A financial tool, if you will. Unfortunately, like any tool, it can be used by malicious people to exploit others.
The Monero Malware Response Workgroup provides resources and live support for multiple types of malware. Let’s identify your issue. Keep scrolling.
What do experts say?
Krebs goes on to say, “Coinhive released its mining code last summer, pitching it as a way for website owners to earn an income without running intrusive or annoying advertisements. But since then, Coinhive’s code has emerged as the top malware threat tracked by multiple security firms. That’s because much of the time the code is installed on hacked websites — without the owner’s knowledge or permission.”
The malicious origins of Monero generation is likely hurting the cryptocurrency’s reputation. So as a result,a Monero Malware Response Workgroup was announced on September 26—an educational website with the aim of limiting the ability of cyberattackers to use Monero as their cryptocurrency of choice.
Krebs explains, “We created a set of resources that explain the basics of Monero and mining. We also have resources explaining and helping stop or remove unwanted in-browser mining, system mining, and ransomware. The website is purposefully approachable to absolute newcomers so that anyone can understand, though it offers actionable information that novices and experts alike can follow. It’s our mission to resolve an unfortunate situation as well as possible.”
“The Monero Malware Workgroup is a self-organized set of volunteers that maintain these resources and provides live support. In the future, we will provide support from our website directly,” according to Krebs.
What can affected users do?
Specific help is divided into three categories:
- Unwanted In-Browser Mining
- Unwanted System Mining
- Ransomware
Unwanted In-Browser Mining pertains to incidents in which users suspect that website-based cryptomining malware is their problem, such as the frequent malicious uses of Coinhive. Unwanted System Mining is for suspected cases of malicious cryptominers outside of the web browser, running directly in an operating system such as Windows. Ransomware is for suspected cases of malware that encrypts a target’s files and demands a cryptocurrency ransom for decryption, in this case in the form of Monero.
Mining cryptocurrency involves making a computer or a network of computers make complex cryptographic calculations, as the complexity of cryptography assures the authenticity of the digital manifestation of cryptocurrency money. As Blockchains, the ledgers of cryptocurrency transactions get increasingly lengthy, and those calculations become more and more complicated. All of these calculations take a real toll on a computer’s CPU and memory.
Some cryptomining software will limit the percentage of CPU and memory use per machine, either maliciously to evade detection, or non-maliciously so users can do other things with their computer simultaneously. Both malicious and non-malicious implementations of cryptocurrency mining need multiple computers in order to have any sort of worthwhile generation power. If PCs, mobile devices, and IoT devices are doing the cryptomining, a great number of them will need to be used in a synchronized fashion to generate a little bit of Monero.
Legitimate uses of Coinhive, such as its deployment by Salon’s website which asks users for permission, need to have lots of users at any given time to be visiting their webpages. For the duration of the webpage’s lifespan in a user’s web browser, a little bit of their computing power is used to generate Monero in concert with other simultaneous users.
Cyberattackers may do everything that Salon does, but without the permission of users, the website owners, or both. Alternatively, a cryptominer can be a part of a malicious botnet scheme. A botnet is when a series of computers found through the internet are infected with zombie malware which enables a cyberattacker from a command and control server to control all of the infected computers and get them to work together for malicious purposes, such as deploying distributed denial of service attacks. Or of course, to work together to maliciously generate cryptocurrency for the attacker.
Now is a good time for the folks behind Monero to be proactive and try to prevent cyber attackers from using their cryptocurrency. According to a recent report from the Cyber Threat Alliance: “Cryptocurrency mining detections have increased sharply between 2017 and 2018. Combined data from several CTA members shows a 459 percent increase in illicit cryptocurrency mining malware detections since 2017, and recent quarterly trend reports from CTA members show that this rapid growth shows no signs of slowing down.”