Today, we’re surrounded by an endless supply of devices, all with some amount of computing power. Cryptominer malware harnesses this computing power, coming from either your computer’s central processing unit or the graphical pressing unit. It then uses that power to extract new cryptocurrency (usually Monero, for reasons we’ll discuss below) for the purpose of lining the attacker’s virtual pockets.

What Is Cryptomining?

Cryptomining malware is a type of malware that attackers place on the computers and devices of unwitting users, allowing them to steal computing power in order to surreptitiously mine for cryptocurrency and build efficient cryptomining schemes.

Mining for cryptocurrency isn’t necessarily a bad thing—cryptomining is simply how miners verify and add various forms of cryptocurrency transactions to the blockchain ledger. The blockchain is the public ledger where all cryptocurrency transactions are recorded. There are two reasons miners “mine”: to add new transactions to the blockchain and to release previously unreleased currency.

How Does Cryptomining Work?

In short, cryptominers use their computers’ hardware to run highly complex algorithms that verify each transaction. Then, if that particular computer is the first to reach the correct solution to the algorithm, the cryptominer adds the transaction to the blockchain. There are many miners vying to solve the algorithm first, and the winner is rewarded with a certain value of the cryptocurrency that’s being mined.

Running these algorithms uses up a whole lot of computing power. Back in the early days of Bitcoin, it was technically feasible to use a regular PC to mine for new coins. Today, it takes so much computing power to solve each algorithm that a special computing rig is needed.

Why Attackers Love Monero

But this is not the case with the aforementioned Monero, which hackers prefer due to its enhanced focus on privacy and the fact that fewer resources are needed to mine for it. Bitcoin and other popular cryptocurrencies like Ethereum, Litecoin, and Ripple are public, which means they are traceable. However Monero is a private cryptocurrency, meaning it uses ring signatures to make tracing the attackers very difficult, as well as ring confidential transactions to hide the amounts of the transactions.

The highly anonymized nature of Monero and the fact that no special hardware is needed to mine for it make it the perfect currency to use in cryptominer malware schemes. Noting the huge opportunity here, attackers have made their way from all-too-arduous Bitcoin mining schemes to Monero schemes, even though as a cryptocurrency, Monero was less well-known for many years.

In late 2017, Monero peaked at a trading value of $480. With this surge, attackers went all in, deploying various forms of cryptomining malware that trick users, via phishing campaigns and compromised downloads, into downloading cryptomining scripts. Within just a few months, Monero-mining cryptomalware became one of the most prevalent malware threats around.

After a slump in value affected all cryptocurrency, Monero’s trading price climbed back up in mid-2019, and there was a resurgence in attacks, including at least 13 new or reinstated campaigns. Of course, as Monero’s trading price rises and falls, the occurrence of mining operations also waxes and wanes—but they never totally disappear. Many of today’s campaigns are automated, which means that they can run without intervention from their creators, making attacks a worthwhile pursuit even when trading prices slump.

Cryptomining attacks are designed to go unnoticed because the longer they are there, the more money the attacker makes. The only affects the end user will notice are performance lags and, perhaps, higher electricity bills due to increased CPU usage. Since there’s no threat of data or money loss, many people are completely unaware of the danger—and may even feel apathetic if they do know about it. This total lack of urgency is a huge boon for attackers, who just need a bit of patience while they wait for their dividends to pour in. In fact, according to Kaspersky, just one campaign can net over $30,000 per month. This money is often funneled into more damaging types of attacks.

Other Notable Campaigns

There have been many cryptominer malware variants over the last few years, but not all of them started out inherently malicious. Coinhive, for example, was originally a benign tool designed for websites to mine for coins using their users’ CPUs—with permission—instead of displaying potentially bothersome ads. But what began as an intriguing concept soon became a potent tool for hackers who installed the code on hacked sites to mine Monero from victims without permission. The malicious code was even installed onto the websites of The L.A. Times and BlackBerry, allowing attackers to mine from their visitors’ computers.

Adylkuzz is another well-known cryptomining threat. While Adylkuzz is a fairly typical cryptominer variant, it leverages the MS17-010 exploit. Doesn’t sound familiar? You might know it by its more commonly referenced name, Eternal Blue—the NSA-created exploit used in the notorious Wannacry and NotPetya attacks.

Then there’s Loapi, an Android cryptominer that masquerades as a harmless app on third-party app stores. Loapi is a modular malware, which means that it can uninstall antivirus programs, obtain admin privileges, and more. In its mining mode, it works the components so hard that it makes infected phones overheat, causing the battery to become deformed and rendering the phone unusable.

Mining with Botnets

A relatively new twist on cryptomining is the use of botnets. A botnet is a group of connected computers that automatically perform repetitive tasks for rogue purposes. Botnet malware scans systems and devices looking for unpatched vulnerabilities. When it finds one, the device becomes part of a botnet army under the control of the attacker. This is a boon for cryptomining authors because it allows them to use the computing power of multiple devices to run their mining operations.

Botnets are especially effective when targeting IoT vulnerabilities. Although IoT devices on their own don’t have a significant amount of computing power, when they’re enlisted into a botnet, they all work together, allowing these little devices to become a mighty force. And since these devices are always on, are hardly monitored, and typically use default passwords, they are especially easy to take over.

To illustrate this point, let’s look at the next-gen variants of Mirai, the IoT botnet that took down much of the Internet on the U.S. East Coast in October 2016. These newer editions are equipped with cryptomining capabilities—the earliest being ELF/Linux Mirai, which forced infected IoT devices to mine for Bitcoin and Ethereum. This module was only functional for about a week and didn’t appear to be very successful, but researchers saw it as a sign of things to come.

They were right. In December 2017, the next-gen Mirai variant, dubbed Satori, was discovered exploiting vulnerabilities in IoT device firmware to mine for Ethereum. In its first few hours, it managed to infect over 100,000 home routers and it appears to be able to mine about $160 every 24 hours.

Then there is Bashlight IoT malware, which has been used in DDoS attacks since 2014. Early this year, it was updated with cryptomining capabilities and began targeting Belkin’s WeMo home automation devices. The malware checks if devices are enabled with WeMo’s Universal Plug and Play (UPnP) API, and, if so, enlists them into its botnet.

Malware authors have been gradually increasing the level of sophistication in their IoT botnet cryptomining attacks, and Smominru is proof of this. This Monero-mining botnet threat has infected over 90,000 vulnerable Windows devices and is also capable of stealing data. It has netted over a million dollars for its creators thus far and appears to still be active.

How to Prevent Cryptomining

Cryptomining isn’t something to be passive about. While it may not come with the clear and present danger that ransomware and data-stealing trojans do, it should still hold a top spot on your list of security concerns.

To ensure your computers and assorted devices remain secure:

  • Make sure to patch your applications and systems;
  • Install anti-cryptomining extensions such as minerBlock and No Coin;
  • Change all default passwords in IoT devices;
  • Install an autonomous and robust next-gen anti-virus solution;
  • Watch out for phishing emails which may deliver cryptomining payloads.

Cynet 360 helps organizations protect their networks from cryptomining malware threats. Because it analyzes all files, identifies any malicious attributes, and prevents the execution of anything that’s found to be malicious, cryptominers don’t have the opportunity to run and put undue pressure on your critical resources.


It may be easy to disregard the threat of cryptomining malware, but this is one type of attack that’s still in its early stages, and attackers are still exploring the many ways it can be utilized and deployed. While the value of cryptocurrencies like Monero, Bitcoin, and Ethereum may skyrocket and then come crashing down, malicious cryptomining has proven its mettle as an unrelenting and highly lucrative security threat.