The Increasing Threat of Banking Trojans and Cryptojacking
Blockchain is one of the hottest and potentially among the most disruptive technologies today. So naturally, it’s a magnet for the criminal element, which is skilled at keeping up with new digital trends and finding ways to cash in.
The market for cryptocurrency has exploded in the last couple of years. A University of Cambridge benchmarking study estimated that total cryptocurrency market capitalization more than tripled between 2016 and 2017 to reach $25 billion. By June 2018, the number of Blockchain wallet users had risen to 25 million worldwide — double the recorded amount from Q1 2017 and quadruple the amount from Q1 2016.
The criminal activity associated with digital currency reflects this growth. Carbon Black estimates that just in the first half of 2018, cryptocurrency-related thefts have totaled more than $1.1 billion. According to Carbon Black, an estimated 12,000 dark web marketplaces are selling about 34,000 offerings related to cryptotheft, with a $6.7 million “illicit economy built from cryptocurrency-related malware development and sales.”
One of those illicit activities, cryptojacking — malware that steals computer resources to mine for cryptocurrency — has been on the rise in the past few months. Another growing trend is banking Trojans, an older type of malware, now being made to target cryptocurrency rather than online banking.
Banking Trojans in general are also going through a resurgence, especially with old families coming back reinvented. Based on the recent rampant activity related to both banking Trojans and cryptojacking, along with concurrent decreased activity in ransomware, some security researchers see both of them replacing ransomware as a major threat.
Cryptojacking: The Silent Resource Thief
Coin mining validates cryptocurrency transactions through computational problems, recording the transactions in a public ledger called a blockchain. Solving this complex math requires intensive computer resources. While mining for digital coins is perfectly legal, cybercriminals have figured out how to cut corners by commandeering other people’s computing resources.
“(Cryptojacking) is a way for cybercriminals to use someone else’s resources to mine for cryptocurrency. It reduces the need for them to buy and put together a massive machine to do the work themselves. It’s a way to get more money with less risk,” says Jeremy Scott, one of the Global Threat Intelligence Center directors at cybersecurity and risk-management company NTT Security.
Besides the high return on investment, coin mining has a low barrier to entry — it only takes a couple of lines of code. According to Digital Shadows, mining botnets are also available for rent on the dark web for as little as $30.
Another appealing factor for threat actors is that coin mining is more difficult to detect than some other types of unauthorized activity. And cybercriminals are boosting their chances by using more sophisticated techniques such as fileless malware.
“The binaries used to perform mining operations are legitimate software applications in a sense,” Scott says. “It is only using system resources to carry out the work and not logging keystrokes or exfiltrating sensitive data.”
While it may be difficult to quantify how much cryptocurrency is being mined through malicious means, a Palo Alto Networks researcher estimated recently that to date, $175 million worth of the popular coin Monero has been mined maliciously. This accounts for 5 percent of the Monero in circulation as of June 2018.
Cryptojacking is in its infancy, but patterns being observed by various security researchers indicate that threat actors have been ramping up. Here are some examples:
- Symantec’s 2018 Internet Security Threat Report noted that the “coin mining gold rush resulted in an 8,500 percent increase in detections of coin miners on endpoint computers in 2017.”
- Earlier this year, Malwarebytes found a drive-by cryptomining campaign for the Monero cryptocurrency that targeted millions of Android users. While mobile phones don’t offer as much computing power as desktops, they provide attractive targets for such tactics: in addition to being widespread, most mobile devices aren’t being used with web-filtering software the way computers are.
- Secureworks reportedly saw cryptocurrency-mining alerts among its clients grow from 40,000 to 280,000 between May and October of last year, with the number remaining high through this year.
- Microsoft said that of the so-called “potentially unwanted applications” (PUAs) blocked by Windows Defender AV, coin miners made up 2 percent in September 2017. This had tripled to 6 percent by January 2018.
- Proofpoint discovered a cryptomining botnet that, as of January 2018, had earned its operators millions of dollars.
- McAfee saw a 1,189 percent jump in coin-mining malware in the first quarter of 2018, noting that “attackers targeting cryptocurrencies may be moving from ransomware to coin-miner malware.”
Although coin miners may seem somewhat benign, Scott says they nonetheless pose a threat to organizations because they are an unauthorized use of the system.
“Cryptojacking is potentially just a component of a larger intrusion,” he says. “Since cryptojacking can be a drain on system resources, it could also negatively impact the network or website stability.”
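The detection difficulty described above (the miner binary is legitimate software and does nothing overtly malicious) is why practitioners lean on behaviour rather than file signatures. The following is an added illustration, not code from NTT Security or any vendor named in this article: it scores constructed endpoint telemetry records on what a process does (sustained CPU load, mining-pool style destination ports, miner-style command lines, and a script host behaving like a miner for the fileless case) and raises an alert only when two or more independent signals agree. The records, thresholds and indicator lists are assumptions made for the example.

```python
"""Behaviour-based cryptojacking triage over constructed endpoint telemetry.

Added example: scores each process on behaviour instead of file hashes, so a
legitimate mining binary or a fileless miner running inside a script host is
caught by the same logic. Records, thresholds and indicator lists below are
constructed assumptions, not vendor data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed indicator lists (assumptions for this example, not a threat feed).
MINER_CMDLINE_MARKERS = ("stratum+tcp://", "stratum+ssl://", "--donate-level", "xmrig")
POOL_STYLE_PORTS = {3333, 4444, 5555, 7777, 14444}  # ports often used by pool software
CPU_SUSTAINED_PCT = 85.0       # CPU above this, held for a window, is suspicious
CPU_SUSTAINED_SAMPLES = 6      # consecutive samples (e.g. one per minute) needed
SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe")


@dataclass
class ProcessRecord:
    pid: int
    image: str
    cmdline: str
    cpu_samples: List[float]                   # CPU percent per sampling interval
    remote_ports: List[int] = field(default_factory=list)


def sustained_cpu(samples: List[float], threshold: float = CPU_SUSTAINED_PCT,
                  window: int = CPU_SUSTAINED_SAMPLES) -> bool:
    """True if any `window` consecutive samples are all above `threshold`."""
    run = 0
    for s in samples:
        run = run + 1 if s > threshold else 0
        if run >= window:
            return True
    return False


def score_process(p: ProcessRecord) -> Tuple[int, List[str]]:
    """Return (score, reasons); each independent behaviour adds one point."""
    reasons = []
    lowered = p.cmdline.lower()
    if any(marker in lowered for marker in MINER_CMDLINE_MARKERS):
        reasons.append("miner-style command line")
    busy = sustained_cpu(p.cpu_samples)
    if busy:
        reasons.append("sustained high CPU")
    if POOL_STYLE_PORTS & set(p.remote_ports):
        reasons.append("connection to pool-style port")
    # Fileless case: a script host or LOLBin should not look like a miner.
    if p.image.lower().endswith(SCRIPT_HOSTS) and busy:
        reasons.append("script host with miner-like CPU profile")
    return len(reasons), reasons


def triage(records: List[ProcessRecord], alert_at: int = 2) -> Dict[int, List[str]]:
    """Return {pid: reasons} for processes whose score reaches `alert_at`.

    Requiring two signals keeps a legitimately busy process (a video encoder
    pegging the CPU) from being flagged on CPU load alone.
    """
    hits = {}
    for p in records:
        score, reasons = score_process(p)
        if score >= alert_at:
            hits[p.pid] = reasons
    return hits


# Constructed telemetry: a busy but legitimate encoder, an obvious miner dropped
# under a system-process name, a fileless miner inside PowerShell, and an idle shell.
SAMPLE_RECORDS = [
    ProcessRecord(101, r"C:\Program Files\Encoder\ffmpeg.exe",
                  "ffmpeg -i in.mp4 out.mkv", [90, 92, 95, 93, 91, 94, 90], [443]),
    ProcessRecord(202, r"C:\Users\Public\svchost.exe",
                  "svchost.exe -o stratum+tcp://pool.example:3333 --donate-level=1",
                  [97] * 8, [3333]),
    ProcessRecord(303, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "powershell.exe -NoProfile -WindowStyle Hidden",
                  [88, 89, 90, 91, 92, 93, 94], [14444]),
    ProcessRecord(404, r"C:\Windows\explorer.exe", "explorer.exe",
                  [3, 5, 2, 4, 3, 6, 2], [443, 80]),
]

if __name__ == "__main__":
    for pid, why in triage(SAMPLE_RECORDS).items():
        print(pid, "->", "; ".join(why))
```

On the constructed sample the encoder (pid 101) scores one point and is not alerted, while the miner (202) and the PowerShell process (303) each score three. In a real deployment the CPU samples and remote ports would come from EDR or process-monitoring telemetry, and the port and marker lists would be maintained from threat intelligence rather than hard-coded.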
Banking Trojans: The New Ransomware Competition
Coin mining has met its match in banking Trojans. When banker Trojans first showed up a little over a decade ago, their purpose was to steal online banking access. As they kept up with new trends, they’ve expanded from online transactions to mobile banking, booking apps and other targets. And now, they are being used to steal cryptocurrency from wallets and exchanges, and to install coin miners.
One example of this evolution is TrickBot, whose variants have been circulating in the wild for a couple of years. The banking Trojan expanded to payment processors and even customer relationship management (CRM) software last year, and now bitcoin owners are its latest victims. According to IBM X-Force researchers, the cryptocoin attacks rely on the typical TrickBot tactic of web injections, a “man-in-the-browser” type of attack that uses malware to modify web pages before they’re displayed to the user.
In the first half of the year, ransomware payloads delivered via email decreased significantly, while banking Trojans took the lead as the most common category. In the second quarter of 2018, Proofpoint found that 42 percent of email malware was banking Trojans, versus only 11 percent for ransomware.
Other widely observed banking Trojans this year include:
- Zeus Panda — A Zeus malware spinoff, Zeus Panda has been involved in several recent campaigns targeting cryptocurrency exchanges and social media, among other things. An F5 analysis of four campaigns between February and May showed that 26.4 percent of attacks targeted cryptocurrency, while 64.3 percent were for the typical target, financial services.
- Emotet — An advanced modular banking Trojan, Emotet is typically used to drop or download other banking Trojans. It’s disseminated via email using brandjacking (impersonating legit organizations). This Trojan spreads rapidly across an entire network and as a polymorphic malware, constantly changes to evade detection. A July US-CERT alert said that Emotet is among the most destructive malware strains affecting both the public and private sectors and has cost governments of all levels up to $1 million per incident in remediation.
- Dorkbot — This banking Trojan, which first surfaced in 2012, affected 7 percent of organizations globally this past June, according to Check Point. This moved it to the No. 3 spot on the security vendor’s “most wanted” list. Dorkbot steals login credentials and can also launch denial-of-service attacks. Check Point saw a 50 percent spike in banking Trojans in June, a pattern similar to June of the previous year, and researchers speculated that the threat actors may have been trying to capitalize on the tourist season, when people are more likely to use public Wi-Fi spots and are less vigilant in general while on vacation.
Scott says that banking Trojans are effective because they don’t require a lot of sophistication to execute. The stage 1 downloader often comes as an Office attachment, which looks legitimate and uses topics that are likely to bait the recipient into clicking, he says.
“The cybercriminal leverages a spam infrastructure to mass mail a harvested list of email addresses and waits for the targets to open the attachment,” he says.
Scott notes that ransomware typically uses similar techniques, but the difference is in how the threat actors monetize. Ransomware needs a victim willing to pay, whereas banking Trojans log the user’s credentials, which can then be used to perform transactions on the user’s behalf.
“The amount of people using online banking and other financial transactions far outweighs the amount of people willing to pay a ransom to get their files back,” he says.
As with any malware, Scott says users need to be vigilant.
“Use email filtering when possible — most banking Trojan email campaigns can be caught by using an email filtering proxy,” he says. “Have a questioning mindset and validate the legitimacy before opening or clicking any links.”
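The email-filtering advice above and the delivery pattern described earlier (a stage-1 downloader arriving as an Office attachment, sent by brandjacking a legitimate organization) can be turned into a simple gateway check. The following is an added example, not code from NTT Security or any vendor in this article: it parses a raw message with the Python standard library, flags macro-capable or script-bearing attachments and double extensions, flags a display name that claims a protected brand while the sending domain does not match, and quarantines when two independent signals fire. The brand list, extension list and sample message are constructed assumptions.

```python
"""Mail-gateway style triage for banking-Trojan delivery traits.

Added example: flags (1) attachments of the kinds used as stage-1 droppers and
(2) brandjacking, where the From display name claims an organization whose
real domain does not match the sender. Brand table, extension list, content
types and the sample message are constructed assumptions, not vendor rules.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import List, Tuple

# Constructed assumption: brands this gateway protects, mapped to their real domains.
PROTECTED_BRANDS = {"acme bank": "acmebank.example", "globex": "globex.example"}
# Macro-capable or script-bearing types commonly seen as stage-1 droppers (assumption).
RISKY_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm",
                    ".js", ".vbs", ".hta", ".iso", ".lnk")
MACRO_CONTENT_TYPES = {
    "application/msword",
    "application/vnd.ms-excel",
    "application/vnd.ms-word.document.macroenabled.12",
    "application/vnd.ms-excel.sheet.macroenabled.12",
}
DECOY_INNER_EXTENSIONS = ("pdf", "doc", "txt", "jpg")   # e.g. invoice.pdf.js


def attachment_findings(msg) -> List[str]:
    """Inspect every non-multipart part that carries a filename."""
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue
        lname = name.lower()
        if lname.endswith(RISKY_EXTENSIONS) or part.get_content_type() in MACRO_CONTENT_TYPES:
            findings.append(f"risky attachment: {name}")
        stem = lname.rsplit(".", 1)[0]          # name without its final extension
        if "." in stem and stem.rsplit(".", 1)[1] in DECOY_INNER_EXTENSIONS:
            findings.append(f"double extension: {name}")
    return findings


def brandjacking_findings(msg) -> List[str]:
    """Flag a From header that claims a protected brand from the wrong domain."""
    display, address = parseaddr(str(msg.get("From", "")))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    findings = []
    for brand, real_domain in PROTECTED_BRANDS.items():
        claims_brand = brand in display.lower() or brand.replace(" ", "") in domain
        legitimate = domain == real_domain or domain.endswith("." + real_domain)
        if claims_brand and not legitimate:
            findings.append(f"claims '{brand}' but sender domain is '{domain}'")
    return findings


def triage_message(raw: str) -> Tuple[str, List[str]]:
    """Return (verdict, findings): quarantine on two or more independent signals."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = attachment_findings(msg) + brandjacking_findings(msg)
    if len(findings) >= 2:
        return "quarantine", findings
    return ("flag" if findings else "deliver"), findings


# Constructed sample: brand-impersonating sender plus a macro-enabled Word attachment.
SAMPLE_RAW = """\
From: "Acme Bank Payments" <notice@acme-bank-secure.example>
To: finance@victim.example
Subject: Overdue invoice - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invoice.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="Invoice_4471.docm"
Content-Disposition: attachment; filename="Invoice_4471.docm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--b1--
"""

if __name__ == "__main__":
    verdict, reasons = triage_message(SAMPLE_RAW)
    print(verdict, reasons)
```

The sample message trips both checks and is quarantined; a plain message from an unrelated domain with no attachment is delivered. A production gateway would add sandbox detonation or macro inspection of the attachment itself, since an extension check alone cannot see whether a document actually contains a macro.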
Sources
- Cryptocurrency Gold Rush on the Dark Web, Carbon Black
- Global Cryptocurrency Benchmarking Study, University of Cambridge Judge Business School
- The Rise of Cryptocurrency Miners, Palo Alto Networks Unit 42
- 2018 Internet Security Threat Report, Symantec
- Drive-by cryptomining campaign targets millions of Android users, Malwarebytes Labs
- Mobile malware evolution 2017, SecureList
- The New Gold Rush, Digital Shadows
- Cryptojacking threat continues to rise, Dark Reading
- TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets, SecurityIntelligence (IBM)
- Quarterly Threat Report, Q2 2018, Proofpoint