A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth (1901.00846v2)

Published 3 Jan 2019 in cs.CR

Abstract: Illicit crypto-mining leverages resources stolen from victims to mine cryptocurrencies on behalf of criminals. While recent works have analyzed one side of this threat, i.e., web-browser cryptojacking, only commercial reports have partially covered binary-based crypto-mining malware. In this paper, we conduct the largest measurement of crypto-mining malware to date, analyzing approximately 4.5 million malware samples (1.2 million malicious miners), over a period of twelve years from 2007 to 2019. Our analysis pipeline applies both static and dynamic analysis to extract information from the samples, such as wallet identifiers and mining pools. Together with OSINT data, this information is used to group samples into campaigns. We then analyze publicly-available payments sent to the wallets from mining-pools as a reward for mining, and estimate profits for the different campaigns. All this together is done in a fully automated fashion, which enables us to leverage measurement-based findings of illicit crypto-mining at scale. Our profit analysis reveals campaigns with multi-million earnings, associating over 4.4% of Monero with illicit mining. We analyze the infrastructure related to the different campaigns, showing that a high proportion of this ecosystem is supported by underground economies such as Pay-Per-Install services. We also uncover novel techniques that allow criminals to run successful campaigns.

Citations (80)

Summary

  • The paper identifies that 4.37% of Monero, equating to approximately 58 million USD, is linked to illicit mining activities.
  • The paper highlights that some campaigns have generated multi-million-dollar revenues, with one mining campaign yielding about 20 million USD from 163,000 XMR.
  • The paper details the use of stock mining tools and advanced evasion techniques, reflecting the sophisticated infrastructure of underground mining operations.

Analyzing the Crypto-Mining Malware Ecosystem: A Comprehensive Study

This paper provides an extensive investigation into the ecosystem of crypto-mining malware over a twelve-year period. It covers approximately 4.5 million malware samples, of which 1.2 million are identified as malicious miners. The authors combine static and dynamic analysis to extract indicators such as wallet identifiers and mining pools from each sample, and leverage OSINT data to group samples into campaigns.

Key Findings

  1. Preferred Cryptocurrency: The paper reveals that Monero (XMR) is the favored cryptocurrency among cyber-criminals in underground economies. The assessment discloses that 4.37% of Monero’s circulation has been linked to illicit mining, equating to about 58 million USD.
  2. Monetary Gains: The profit analysis highlights campaigns with multi-million-dollar revenues. Notably, the most profitable campaign identified had mined over 163,000 XMR, constituting around 20 million USD. Such findings underscore the financial magnitude of mining campaigns.
  3. Campaign Infrastructure: A significant portion of the crypto-mining malware ecosystem relies on underground markets, such as Pay-Per-Install services. The infrastructure supporting this illicit mining often includes advanced techniques, demonstrating a high degree of sophistication in many campaigns.
  4. Use of Stock Tools: A notable finding is the prevalent use of legitimate mining software (e.g., xmrig, claymore) by these campaigns, indicating a trend towards using publicly available tools for malicious purposes.
  5. Evasion Techniques: The malware employs diverse methods to remain undetected, such as using aliased pool domains to defeat simple blacklisting, mining only while the machine is idle, and throttling CPU usage.
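The pipeline described above (extract wallet identifiers and pool hosts from samples, then group samples into campaigns) and the domain-alias evasion in point 5 can be illustrated with a small static-analysis step. This is an added example, not the authors' code: the command lines, pool hostnames, alias table and wallet strings are all constructed placeholders, and the `-o`/`--url`/`-u` argument shapes follow stock xmrig-style miners.

```python
"""Toy campaign-grouping step, modelled on the paper's pipeline (added example,
not the authors' code). Wallets, pool hosts and samples below are constructed."""
import re
from collections import defaultdict

# Monero addresses: 95 base58 characters, starting with 4 (standard) or 8 (subaddress).
XMR_ADDR = re.compile(r"\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b")
# xmrig-style pool arguments: "-o host:port" or "--url=stratum+tcp://host:port".
POOL_ARG = re.compile(r"(?:-o|--url)[ =]\s*(?:stratum\+tcp://)?([A-Za-z0-9.-]+):(\d+)")

# Constructed alias table: hostnames that front the same pool. Folding aliases onto
# one canonical name is what defeats the "new domain, same pool" blacklist evasion.
POOL_ALIASES = {"xmr.pool-b.example": "pool-b.example",
                "eu.pool-b.example": "pool-b.example"}

# Constructed placeholder wallets: correct shape (95 chars), not real addresses.
WALLET_1 = "4" + "A" + "B" * 93
WALLET_2 = "8" + "9" + "C" * 93

# Constructed "strings" output for five samples, keyed by a sample id.
SAMPLES = {
    "s1": f"xmrig.exe -o pool-a.example:3333 -u {WALLET_1} -p x",
    "s2": f"xmrig --url=stratum+tcp://xmr.pool-b.example:5555 -u {WALLET_1} -p x",
    "s3": f"xmrig -o eu.pool-b.example:5555 -u {WALLET_1} -p worker1",
    "s4": f"miner -o pool-a.example:3333 -u {WALLET_2} -p x",
    "s5": "notepad.exe /A readme.txt",  # benign: no wallet, no pool
}


def extract(text):
    """Return (wallets, canonical pools) found in one sample's strings."""
    wallets = set(XMR_ADDR.findall(text))
    pools = {POOL_ALIASES.get(host, host) for host, _port in POOL_ARG.findall(text)}
    return wallets, pools


def group_campaigns(samples):
    """Group samples into campaigns keyed by wallet; pools are unioned per campaign."""
    campaigns = defaultdict(lambda: {"samples": set(), "pools": set()})
    for sid, text in samples.items():
        wallets, pools = extract(text)
        for wallet in wallets:  # a sample with no wallet joins no campaign
            campaigns[wallet]["samples"].add(sid)
            campaigns[wallet]["pools"] |= pools
    return dict(campaigns)


def summarize(campaigns):
    """(wallet, sample count, distinct pool count), largest campaign first."""
    return sorted(((w, len(c["samples"]), len(c["pools"])) for w, c in campaigns.items()),
                  key=lambda row: -row[1])
```

Three samples pointing at two hostnames of the same pool collapse into one campaign with two distinct pools, which is the view a defender needs when blocklisting individual domains has stopped working.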

Implications

The implications of these findings are multifaceted. From an economic perspective, the scale of illicit mining activity contributes significantly to cyber-criminal economies and represents a formidable challenge for cybersecurity measures. Practically, this necessitates a reevaluation of current countermeasures, emphasizing the need for better detection both in network traffic and on end systems.

Moreover, the paper urges changes in the Proof-of-Work (PoW) algorithm to potentially deter criminal activities by increasing the economic and operational costs associated with updating botnet software. The longevity and success of certain campaigns also suggest a lack of adequate response from traditional antivirus solutions, pointing to possible gaps in the current landscape of cybersecurity defenses.

Future Directions

The paper paves the way for several avenues of future research. One potential area is exploring alternate PoW modifications or entirely different paradigms in blockchain technology to inhibit the scalability of illicit mining operations. Additionally, developing enhanced machine learning models capable of differentiating between benign and malicious mining software remains a crucial goal to improve detection rates.

In conclusion, the paper calls for a concerted effort from the research community and industry stakeholders to address the complexities of crypto-mining malware, particularly focusing on automated, large-scale detection systems and tighter regulations within cryptocurrency mining pools. The paper is an important contribution to understanding the vast and growing challenge posed by crypto-mining malware.
