Crypto Miners Are Making Money With Your Money: How to Fight Them

The Rise of Cryptojacking

Cryptojacking — the unauthorized use of someone else's computing resources to mine cryptocurrency — has exploded in popularity among cybercriminals. Unlike ransomware, which relies on victims paying a ransom, cryptojacking generates revenue continuously and silently.

How Cryptojacking Works

Browser-Based Mining

The most common form uses JavaScript to mine cryptocurrency directly in the victim's browser:

• Coinhive (now defunct) popularized in-browser mining of Monero (XMR)
• Scripts are injected into compromised websites or served through malvertising
• Mining continues as long as the browser tab remains open
• CPU usage spikes to 80-100%

Malware-Based Mining

More sophisticated attacks install dedicated mining software:

• Delivered through traditional malware vectors (phishing, exploits, drive-by downloads)
• Persists across reboots via scheduled tasks, services, or registry modifications
• Often configured to limit CPU usage to avoid detection
• Popular miners: XMRig, XMR-Stak, CCMiner

Cloud Infrastructure Hijacking

Attackers target cloud environments for their computing power:

• Compromised AWS, Azure, or GCP credentials used to spin up mining instances
• Kubernetes clusters exploited for container-based mining
• CI/CD pipelines abused to run mining workloads
• Can result in enormous cloud bills for victims

Technical Analysis

Monero: The Cryptocurrency of Choice

Most cryptojacking operations mine Monero (XMR) because:

• CPU-friendly algorithm (RandomX): Profitable even on regular CPUs
• Privacy features: Transactions are untraceable by design
• No specialized hardware needed: Unlike Bitcoin, which requires ASICs

Mining Pool Communication

Miners connect to mining pools using the Stratum protocol:

{"id": 1, "method": "login", "params": {
    "login": "wallet_address",
    "pass": "x",
    "agent": "XMRig/6.0"
}}

Persistence Mechanisms

Common persistence techniques observed in cryptojacking malware:

1. Scheduled Tasks: schtasks /create /tn "SystemUpdate" /tr "miner.exe" /sc onstart
2. WMI Event Subscriptions: Trigger mining on system events
3. Service Installation: Register as a Windows service
4. Rootkit Components: Hide the miner from process listings

Detection Methods

Performance Indicators

• Sustained high CPU usage (>80%) without visible cause
• Increased electricity consumption
• System overheating and fan noise
• Slow system performance

Network Indicators

• Connections to known mining pools (e.g., pool.minexmr.com, xmr.pool.minergate.com)
• Stratum protocol traffic on unusual ports
• DNS queries for mining pool domains

Endpoint Detection

• Monitor for known mining executables (xmrig, ccminer, etc.)
• Detect process injection used by fileless miners
• Track CPU usage patterns over time
• Scan browser extensions for mining scripts

Prevention and Mitigation

Browser Protection

1. Ad blockers: Block known mining scripts
2. Browser extensions: NoCoin, MinerBlock
3. Content Security Policy: Restrict JavaScript sources
4. Anti-crypto mining features: Built into Opera and other browsers

Network Defense

1. Block mining pool domains at DNS/proxy level
2. Monitor for Stratum protocol traffic
3. Implement egress filtering to block unauthorized connections
4. Deploy IDS/IPS rules for mining traffic detection

Endpoint Security

1. Keep systems patched to prevent exploitation
2. Application whitelisting to block unknown executables
3. Monitor CPU usage trends and alert on anomalies
4. Scan for cryptojacking malware with updated signatures
5. Implement EDR for behavioral detection

Cloud Security

1. Enable billing alerts to detect unusual spending
2. Monitor for unauthorized instance creation
3. Secure API keys and credentials
4. Audit IAM permissions regularly
5. Implement container security scanning

Conclusion

Cryptojacking represents a shift in the cybercriminal economy from disruptive attacks to sustained revenue generation. While less dramatic than ransomware, the cumulative impact of cryptojacking can be significant. Organizations should implement comprehensive detection and prevention strategies that cover browser, network, endpoint, and cloud environments.