The state of cryptojacking in the first three quarters of 2022

Cryptocurrency prices fell from the end of 2021 and throughout the first half of 2022. Although finance experts and retail investors give crypto a solid chance of long-term recovery, at the time of writing prices remain low. Cybercriminals, however, are capitalizing on this vulnerable industry more than ever. From advanced APT campaigns targeting crypto organizations (BlueNoroff, NaiveCopy, etc.) to hastily assembled crypto scams of every kind, we see threat actors diversifying their malicious activity against crypto investors, and not only them.

In fact, cybercriminals hunting for crypto can target anyone. Apart from stealing cryptocurrency, they extort digital money or mine it illicitly on victims' devices instead of their own. Cryptocurrency mining is a painstaking and costly process, and less rewarding than when prices were high, but it still attracts legitimate miners. This can be explained, on the one hand, by falling prices for mining equipment and, on the other, by less efficient market players having left the game, allowing those who remain to increase their market share. Cybercriminals pay neither for equipment nor for electricity, which is rather expensive in 2022: they install mining software on the target computer and use its processing power without the victim's consent. Moreover, malicious mining, or cryptojacking, requires little specialized technical expertise. All an attacker needs to know is how to build a miner from open-source code, or where to buy one. Once the mining malware is successfully installed on a victim's computer, it delivers stable earnings to its operator. In this report we analyze cryptojacking activity in the first three quarters of 2022 and provide relevant statistics and insights.

Methodology

This research aims to define the state of cryptojacking in the current threat landscape. The data in this report is aggregated threat statistics obtained from a variety of sources, including our internal telemetry and open sources. The main tool we use to obtain and analyze threat-related data is Kaspersky Security Network (KSN), which processes depersonalized cybersecurity-related data streams from Kaspersky products whose users consented to anonymized data collection. The metrics in this report are based on the number of distinct users of Kaspersky products with KSN enabled who encountered cryptominers at least once in a given period, complemented by threat landscape research by Kaspersky experts. All analyzed data is anonymized.

In this report, we examine the main factors motivating cybercriminals to resort to malicious mining, as well as the most widespread ways miners propagate to victims' computers. We analyze the hidden mining threat landscape by examining new malware modifications, the number of affected users and their geographical distribution. Additionally, we look into certain cryptojackers' wallets for insight into how much money they receive.

The statistics in this report are provided for the first three quarters of 2022. The data from 2022 is compared to data from 2021 to assess year-on-year development trends in cryptojacking.

Key findings:

  • Malicious mining programs are widely distributed through unpatched vulnerabilities in operating systems. In Q3 2022, nearly one in six cases of exploitation of well-known vulnerabilities was accompanied by a miner infection.
  • In Q3 2022, the number of new miner variants more than tripled compared to Q3 2021 and exceeded 150,000.
  • Q1 2022 saw the largest number of users (over 500,000) affected by malicious mining software, and the smallest number of new malicious miner variants.
  • The country with the highest share of attacked users was Ethiopia, where cryptocurrencies are officially banned.
  • Monero (XMR) is the most popular cryptocurrency for malicious mining.

To mine or not to mine?

Cryptojacking is becoming more prominent in the global threat landscape. This year we saw various types of attackers switching their attention to crypto mining. For example, AstraLocker, a major ransomware operator, shut down that activity to pursue cryptojacking. One of the main reasons for the shift may be that malicious mining is one of the easiest ways to earn passive income. Ransomware operators pursue bigger money, but not every attack ends with the ransom being paid. Miners, by contrast, simply infect the machine and earn a stable profit for their operators. Moreover, unlike ransomware, which announces its presence as soon as the victim's files are encrypted, mining malware can stay in the target system unnoticed for months or longer.

Ways of propagation

There are many ways to distribute miners, and most of them are similar to the methods of distribution of any other type of malware.

One of the most popular miner distribution methods is malicious files masquerading as pirated content. Cybercriminals lure victims with trendy films, music, games and software to spread malicious mining programs, distributing them through specially crafted landing pages as well as via torrent links.

While the method described above mostly affects consumer devices, there are a number of distribution methods for delivering miners to the more powerful equipment used by businesses. They include compromising the victim's server using leaked or brute-forced credentials, worm-like spreading through flash drives or network storage, and exploiting unpatched vulnerabilities in the OS and other software.

Not always malware

Interestingly, cybercriminals do not rely on malware alone to mine digital currency without users' consent. To avoid detection and save on malware development, they use legitimate open-source mining programs. By themselves, these tools contain no malicious functionality, but mining malware can drop and launch them, configured with the attacker's pool and wallet, and thereby use them for cryptojacking. For defenders this means the miner binary itself may be a clean, widely used tool; the suspicious part is how it arrived, what launched it, and which pool and wallet it is configured to use.

Example of legitimate programs used by cryptojackers to covertly mine Ethereum (ETH), Ravencoin (RVN), Ethereum Classic (ETC), and Ergo (ERG), according to our statistics

Cryptojacking in numbers

Vulnerability exploitation and miners

Unpatched vulnerabilities pose a serious challenge to users and an appealing entry point for cybercriminals, who exploit them to spread malicious activity. Our telemetry shows that miners are among the most widespread types of threats delivered through vulnerable software. Moreover, 2022 saw an increase in the share of hidden mining software distributed through well-known vulnerabilities. This year, nearly one in seven attacks exploiting such vulnerabilities was accompanied by a miner infection. In Q3, miners even overtook backdoors, which had been the cybercriminals' prime choice throughout the first half of 2022, and accounted for one sixth of all vulnerability exploitation attacks.

TOP 4 malware types that attackers tried to launch as a result of exploiting vulnerabilities, Q1–Q3 2022

Let's look at some specific services whose vulnerabilities are often used in cyberattacks. In Q1 2022, 14% of SQLAgent vulnerability exploitation cases resulted in a miner infection, and in Q3 2022 this figure grew slightly to 16% of all SQLAgent attacks.

TOP 4 malicious and unwanted file types installed via SQLAgent vulnerabilities, Q1–Q3 2022

The share of mining software loaded as a result of exploiting LSASS-related vulnerabilities grew as well, from 17% in Q1 2022 to 19% in Q3.

TOP 4 malicious and unwanted file types installed as a result of exploitation of LSASS-related vulnerabilities, Q1–Q3 2022

New modifications and affected users

The overall number of new modifications of malicious mining software also increased dramatically in 2022. From January to the end of October 2022, Kaspersky solutions detected 215,843 new miner modifications, more than double the figure for the same period of 2021, when the count edged slightly over 100,000.

Notably, the number of new variants of such programs skyrocketed in Q3 2022: at over 150,000, it was more than three times the Q3 2021 figure. One possible explanation is that after hitting their lowest rates in late June and early July, cryptocurrency prices rose slightly at the end of July, and cybercriminals may have stepped up their activity in anticipation of further growth that never came.

Number of new miner modifications, Q1–Q3, 2021 and 2022

Interestingly, during the period of analysis, the largest number of affected users was registered not in Q3, which saw the surge in new miner modifications, but in Q1, when the number of new modifications was the lowest.

Number of users affected by miners, Q1–Q3, 2021 and 2022

Attack geography

Interestingly, the most targeted country in Q3 2022 was Ethiopia (2.38%), where using and mining cryptocurrencies is illegal. Kazakhstan (2.13%) and Uzbekistan (2.01%) follow in second and third place.

TOP 10 most targeted countries by share of users encountering miners, Q3 2022:

      Country*       % of users attacked by miners**
  1   Ethiopia       2.38%
  2   Kazakhstan     2.13%
  3   Uzbekistan     2.01%
  4   Rwanda         1.93%
  5   Tajikistan     1.83%
  6   Venezuela      1.78%
  7   Kyrgyzstan     1.73%
  8   Mozambique     1.57%
  9   Tanzania       1.56%
 10   Ukraine        1.54%

* Countries where the number of Kaspersky users is relatively small (under 50,000) are excluded.
** Percentage of unique users whose devices were attacked by miners, out of all unique users of Kaspersky products in the country.

Rwanda (1.93%) and Tajikistan (1.83%) take fourth and fifth place. The sixth most attacked country is Venezuela (1.78%), known as one of the first nations in the world to introduce a national cryptocurrency, the Petro.

Let’s talk money

We took a closer look at the mining attacks to understand which coins are more popular among cybercriminals and how much money they make mining them. To do so, we analyzed mining malware samples detected by our products in September 2022, extracted cryptocurrency wallet addresses from them, and monitored transactions to these wallets from January 1, 2022 through September 30, 2022. Note that other miner samples and other wallets exist that are not represented in these statistics. Note also that we cannot distinguish mining payouts to the monitored wallets from other types of transactions.
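To make two of the points above concrete, the repurposed legitimate open-source miners discussed under "Not always malware" and the wallet-address extraction described in this section, here is an added example in Python. It is not code from the report or from Kaspersky. It pulls the indicators an analyst would triage out of a strings dump or a process command line: Stratum pool URLs, wallet addresses (with full Base58Check checksum verification for Bitcoin, and format checks only for Monero and Ethereum) and XMRig-style command-line switches. The sample input, the pool hostname under the reserved .invalid TLD, the Monero and Ethereum addresses and the flag list are all constructed assumptions; the one real address is Bitcoin's public genesis coinbase address, used only because it is well known and carries a valid checksum.

```python
"""Extract cryptojacking indicators from a strings dump or process command line.

Added example for this report, not Kaspersky code. The sample input is
constructed: the pool hostname uses the reserved .invalid TLD and the Monero
and Ethereum addresses are made-up strings that only pass a format check.
"""
import hashlib
import re
from dataclasses import dataclass, field

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# A Stratum pool URL is the clearest miner fingerprint: a legitimate open-source
# miner and the malware that drops it both need one to get work from a pool.
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://[A-Za-z0-9.\-]+:\d{2,5}")
# Address candidates. The lookarounds stop matches starting or ending mid-token.
BTC_RE = re.compile(r"(?<![A-Za-z0-9])[13][1-9A-HJ-NP-Za-km-z]{25,33}(?![A-Za-z0-9])")
XMR_RE = re.compile(r"(?<![A-Za-z0-9])[48][1-9A-HJ-NP-Za-km-z]{94}(?![A-Za-z0-9])")
ETH_RE = re.compile(r"(?<![A-Za-z0-9])0x[0-9a-fA-F]{40}(?![A-Za-z0-9])")
# Switches in the style of XMRig (assumption: adjust to the miners you actually see).
MINER_FLAGS = ("--donate-level", "--algo", "--coin", "--nicehash")


def base58_decode(s: str) -> bytes:
    """Bitcoin-style Base58: each leading '1' character is a leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + BASE58_ALPHABET.index(ch)  # ValueError on a bad character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_btc_address(addr: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum.

    The checksum separates a real wallet from any random base58-looking token
    (IPFS hashes, short IDs, keys) that the regex alone would also catch.
    """
    try:
        raw = base58_decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


@dataclass
class MinerIndicators:
    pools: list = field(default_factory=list)
    wallets: dict = field(default_factory=dict)  # address -> coin label
    flags: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.pools or self.wallets or self.flags)


def extract_indicators(text: str) -> MinerIndicators:
    ind = MinerIndicators()
    ind.pools = sorted(set(STRATUM_RE.findall(text)))
    # Monero and Ethereum get a format check only: Monero's checksum needs the
    # original Keccak (not hashlib's SHA3) and EIP-55 checksums are optional, so
    # these are candidates for manual review rather than confirmed wallets.
    for addr in XMR_RE.findall(text):
        ind.wallets[addr] = "XMR (format only)"
    for addr in ETH_RE.findall(text):
        ind.wallets[addr] = "ETH (format only)"
    for addr in BTC_RE.findall(text):
        if is_valid_btc_address(addr):
            ind.wallets[addr] = "BTC (checksum ok)"
    ind.flags = [f for f in MINER_FLAGS if f in text]
    return ind


# Constructed sample: roughly what `strings` on a dropped miner, or the command
# line of a renamed open-source miner process, might look like.
XMR_SAMPLE = "4" + "AdUndXHHGJ" * 9 + "ABCD"  # 95 chars, made up
ETH_SAMPLE = "0x" + "ab12" * 10                # 42 chars, made up
SAMPLE_STRINGS = "\n".join([
    r"C:\Users\Public\Libraries\svchost.exe",
    "-o stratum+tcp://pool.example.invalid:3333",
    "-u " + XMR_SAMPLE,
    "--donate-level=1 --algo=rx/0",
    "https://pool.example.invalid/api/stats",
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",  # real Base58Check address (Bitcoin genesis coinbase)
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb",  # last character changed: checksum fails
    ETH_SAMPLE,
])

if __name__ == "__main__":
    found = extract_indicators(SAMPLE_STRINGS)
    print("pools:     ", found.pools)
    print("wallets:   ", found.wallets)
    print("flags:     ", found.flags)
    print("suspicious:", found.suspicious)
```

Run it directly to see the result for the constructed sample. In practice, feed it the output of `strings` on a suspect binary, or the command line of a CPU-heavy process whose name does not match its behaviour, and treat any confirmed wallet as the pivot for the kind of transaction monitoring described above; the Monero hits will only tell you a wallet exists, since its balance and history are not readable on-chain.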

Most of the analyzed samples of malicious mining software (48%) secretly mine Monero (XMR) on the victim's hardware. This currency is known for its advanced privacy technology, which hides transaction data: outside observers cannot see the addresses involved in a Monero transaction, the amounts, address balances or transaction histories. All of this is extremely appealing to cybercriminals, and it also means that, unlike with the Bitcoin wallets discussed below, a Monero wallet's income cannot be read off the public blockchain.

Most popular digital cryptocurrencies mined via cryptojacking

The world's most popular cryptocurrency, Bitcoin (BTC), was cybercriminals' second choice with a 17% share, while Ethereum (ETH), the network most commonly used for NFT trading, rounds out the Top 3 with 14%. Note that Ethereum's switch to proof of stake in September 2022 ended mining on its mainnet, so ETH-targeting samples seen after that point no longer yield coins there. Other cryptocurrencies mined by cybercriminals include Litecoin (LTC), Bit Hotel (BTH), Dash (DASH), Dogecoin (DOGE) and Neo (NEO).

Cybercriminal profits vary greatly from wallet to wallet. The Bitcoin wallets we monitored received on average 0.08 BTC, or around US$1.6K, per month. However, one Bitcoin wallet showed significantly larger transaction amounts: in September 2022, for example, it received nearly 1.79 BTC, the equivalent of more than US$34K at the time of research.

Conclusion

Even though the world is facing a crypto winter, with digital currencies losing value, cryptocurrencies remain appealing to cybercriminals. The rise in the number of cryptojacking attacks goes hand in hand with the growing number of new program modifications and diversified ways of propagation. Hidden mining is a profitable activity that requires minimal effort, so cybercriminals will continue to try to profit this way. Although hidden mining does not steal money from victims outright, it degrades the performance of infected systems and raises their electricity bills. Companies and users should therefore remain alert to current threat trends and get ready for the crypto spring ahead.

To ensure no one is using your home equipment for their own profit, follow these tips:

  • Use reliable security solutions that protect your computer and other devices from mining malware.
  • Download software and media from official sources; remember that pirated files can carry a malicious payload.
  • Do not forget to update your operating system and other software.

To keep your corporate devices protected, we recommend:

  • Always keeping software updated on all devices you use, so that attackers cannot infiltrate your network by exploiting vulnerabilities.
  • Introducing strict cybersecurity policies in your organization so that employees neither use corporate computing power to mine crypto coins nor install malicious software on corporate equipment by accident.
  • Using a dedicated security solution such as Kaspersky Endpoint Security for Business that can quickly detect and eliminate malicious activity, as well as help manage vulnerabilities and patches.
