GATEKEEPER BLOG

Prevent currency miners.

The Rise of Currency Miner Malware

Cryptocurrency is in high demand, and not just among everyday people: cyber criminals want it too. Insider threats are among the most damaging of cyber threats because insiders already have access to everything, which makes the risk extremely high. Most companies picture a cyber threat as someone who maliciously attacks the network, steals data, or destroys company resources, but employee negligence also falls into the insider threat category. One area of negligence that puts your company network at risk is downloaded software: a user installs a trojanized program on their machine, and the malicious code inherits that user's access to the machine and its resources. Because this is common among users naïve about cyber security, criminals have built backdoors into popular downloads that hijack local computing resources to mine cryptocurrency. IT admins should monitor and scrutinize all downloaded software, and many companies simply prevent users from installing any unauthorized software at all.

Backdoor Snuck into Mediaget Source Code

The latest attack was on a popular BitTorrent client called Mediaget. Sneaking code into a release build has been done to BitTorrent clients before, namely Transmission, and CCleaner was also a victim of a trojanized build; that CCleaner incident affected 2.27 million users. In each case the malicious code was injected into an otherwise legitimate update, so users who trusted the vendor installed it without a second thought.

Once an application has malicious code injected into it, that code can perform any amount of activity on the infected machine. With Mediaget, the objective wasn't to install ransomware, steal data or destroy the user's hard drive. Instead, the attackers drained resources (CPU above all, plus memory) to mine cryptocurrency. Microsoft counted more than 400,000 detections of the malicious code in just 12 hours. This is an astonishing rate of success for cybercriminals, and it shows clearly how many vulnerable targets crypto currency miners have to choose from.

Microsoft Identifies the Mediaget Payload as Dofoil

After infection, the backdoor code performed more than just crypto mining. Microsoft soon found that Windows Defender was blocking hundreds of thousands of trojan instances on computers located primarily in Russia, Turkey, and Ukraine, and its researchers identified the payload as a variant of the Dofoil malware (also known as Smoke Loader). If you keep up with the latest malware news, you will recognize the name: Dofoil was reported to be the malware on the Maryland computer from which confidential NSA data ended up on a Kaspersky server in Moscow.

To avoid detection, the trojanized Mediaget build was signed with a digital certificate that did not belong to the vendor, likely stolen or purchased on the black market. A valid signature helped it slip past operating-system and antivirus checks that would otherwise have blocked the installation, so the trojan could mine cryptocurrency silently in the background. The lesson for defenders is that a signature only proves who signed a file, not that the signer is the publisher you expect; check that the signer matches the vendor's known certificate rather than just checking that the signature validates.

How Crypto Currency Miners Affect the Enterprise

While this might seem like an attack aimed at individuals, company computers (mainly servers) usually have far more resources than a personal one. Attackers target corporate machines for their massive computing power: with high-end servers at their disposal, they can mine cryptocurrency much more efficiently. The hard part is getting past enterprise defenses, which are usually far more sophisticated than an individual user's.

The infection usually stems from an insider who downloads and installs the malware. Typically the attacker starts with a phishing email carrying either an attachment or a link to a site that serves an executable. Because many mail servers block executable attachments outright, the attacker instead sends a document attachment with a malicious macro; when the macro runs, it downloads the payload to the user's machine, and once the trojan executes, the machine is at the attacker's disposal. Don't open suspicious emails. This is obvious and should go without saying, but again: don't open suspicious attachments or click suspicious links.

Enterprise administrators can take several precautions against this type of threat. First, filter incoming email from external accounts for executable attachments, including executables renamed with a harmless-looking extension. Educate users never to open attachments from untrusted sources and never to enable macros in attached documents, and where possible block macros in Office files that came from the internet by policy rather than relying on users to refuse them.
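The attachment filter described above, as an added example that is not GateKeeper's code or part of the original post. It parses a message with Python's standard email library and flags three things: attachments with executable extensions, attachments that carry a Windows PE header regardless of what their filename claims, and Office documents that can carry macros, whether by extension or because the OOXML zip contains a vbaProject.bin. The sample message and the macro-bearing document inside it are constructed here for the example.

```python
"""Added example (not GateKeeper's code): screen an e-mail's attachments for
executables and macro-capable Office documents. The message and the fake
macro-enabled document below are constructed for the demonstration."""
from __future__ import annotations

import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute when double-clicked, whatever the body says.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                         ".jse", ".vbs", ".vbe", ".ps1", ".hta", ".msi"}
# Office formats that can carry VBA macros (legacy binary formats always can).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".doc", ".xls", ".ppt"}


def classify_attachment(filename: str | None, data: bytes) -> list[str]:
    """Return the reasons an attachment should be held; empty means it looks clean."""
    reasons = []
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""  # last extension wins: invoice.pdf.exe -> .exe
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if data[:2] == b"MZ":  # DOS/PE header: an executable no matter what it is called
        reasons.append("PE header (MZ) regardless of extension")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-capable format {ext}")
    if data[:2] == b"PK":  # OOXML documents are zip files; macros live in vbaProject.bin
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                    reasons.append("embedded VBA project (vbaProject.bin)")
        except zipfile.BadZipFile:
            pass  # not a real zip; the other checks still apply
    return reasons


def screen_message(raw: bytes) -> dict[str, list[str]]:
    """Map each suspicious attachment filename to the reasons it was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reasons = classify_attachment(part.get_filename(), data)
        if reasons:
            findings[part.get_filename() or "<unnamed>"] = reasons
    return findings


def _fake_macro_doc() -> bytes:
    """Constructed stand-in for a .docm: a zip with the parts a macro-enabled Word file has."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed phishing message: a macro document, a renamed executable, and a real PDF."""
    msg = EmailMessage()
    msg["From"] = "invoices@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(_fake_macro_doc(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="report.pdf")  # PE bytes behind a .pdf name
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application", subtype="pdf", filename="real.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reasons in screen_message(build_sample_message()).items():
        print(f"HOLD {filename}: {'; '.join(reasons)}")
```

The point of checking the first bytes as well as the name is that mail filters which look only at extensions are exactly what the macro and renamed-executable tricks in the paragraph above are designed to bypass. In a real gateway the same classification would feed a quarantine rather than a print statement.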

Some antivirus applications such as Windows Defender block known miner applications. A user can spot a possible miner when the computer shows an unexplained, sustained spike in CPU and memory usage: the machine becomes slow and some applications may hang, even after a reboot, because the miner installs itself to restart with the system. Prevent crypto currency miners from infecting your computers.
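The symptom described above, sustained rather than momentary CPU load, can be turned into a simple detection. The following is an added example and not GateKeeper's code: it takes periodic process snapshots (the field layout, the sample values and the paths are all constructed here) and flags any process that stays above a CPU threshold for several consecutive samples, raising the severity when the binary runs from a user-writable location such as AppData or Downloads, where downloaded software lands. The allowlist parameter is an assumption of this example, for tools that are legitimately CPU-heavy.

```python
"""Added example (not GateKeeper's code): flag processes whose CPU use stays high
across consecutive snapshots. The snapshot format and all sample rows are constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcSample:
    """One row of a periodic process snapshot (the collector itself is assumed)."""
    timestamp: int      # seconds since the collector started
    pid: int
    name: str
    image_path: str
    cpu_percent: float  # share of total CPU during the sampling interval
    rss_mb: float       # resident memory, MB


# Locations where user-downloaded software typically lands; a sustained CPU hog
# running from one of these is far more suspicious than a tool under Program Files.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\users\\public\\")


def in_user_writable_dir(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def find_sustained_cpu_hogs(samples, cpu_threshold=70.0, min_consecutive=3, allowlist=frozenset()):
    """Return one finding per process that met cpu_threshold in at least
    min_consecutive back-to-back samples. A single spike (a build, a page load)
    never qualifies; a miner does, because it never idles."""
    series = defaultdict(list)
    for s in sorted(samples, key=lambda s: s.timestamp):
        series[(s.pid, s.image_path)].append(s)

    findings = []
    for (pid, path), rows in series.items():
        if path.lower() in allowlist:
            continue  # known CPU-heavy tool, reviewed and accepted (assumed allowlist)
        longest = run = 0
        for row in rows:
            run = run + 1 if row.cpu_percent >= cpu_threshold else 0
            longest = max(longest, run)
        if longest < min_consecutive:
            continue
        findings.append({
            "pid": pid,
            "name": rows[0].name,
            "image_path": path,
            "consecutive_high_samples": longest,
            "peak_rss_mb": max(r.rss_mb for r in rows),
            "severity": "high" if in_user_writable_dir(path) else "medium",
        })
    # High-severity first, then by name, so the downloaded binary tops the report.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["name"]))


def build_samples() -> list[ProcSample]:
    """Constructed snapshot: four samples 60 s apart. updater.exe behaves like a miner
    dropped by a trojanized download, chrome.exe spikes once, ffmpeg.exe is busy but legitimate."""
    rows = []
    for i, (upd, chrome, ff) in enumerate([(88, 85, 96), (91, 12, 97), (93, 9, 95), (90, 15, 94)]):
        t = i * 60
        rows += [
            ProcSample(t, 4120, "updater.exe", r"C:\Users\alice\AppData\Local\Temp\updater.exe", upd, 210.0),
            ProcSample(t, 2230, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", chrome, 480.0),
            ProcSample(t, 3010, "ffmpeg.exe", r"C:\Program Files\ffmpeg\bin\ffmpeg.exe", ff, 150.0),
        ]
    return rows


SAMPLES = build_samples()

if __name__ == "__main__":
    for f in find_sustained_cpu_hogs(SAMPLES):
        print(f"[{f['severity']}] pid {f['pid']} {f['name']}: "
              f"{f['consecutive_high_samples']} consecutive high samples, {f['image_path']}")
```

Requiring several consecutive high samples is what separates a miner from ordinary bursts of work; the threshold and window should be tuned to the host's normal baseline, and the allowlist should be short and reviewed, since a miner can be renamed to match an allowed name (which is why the path, not the name, is what the allowlist matches).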

Prevent Crypto Miners from Infecting your PC

Don't open suspicious emails. Don't visit suspicious websites or click suspicious links. Do NOT let strangers near your computers: a malicious actor with physical access can use a USB stick to quickly and silently install a crypto miner. Don't leave the computer unlocked and unattended either, which makes it even easier for cyber criminals. There are all kinds of horror stories, and most victims never learn how the miner got onto their computers. Prevention and practice are key to successfully warding off these ever-evolving cyber threats.
