Hackers Are "Reprofiling" Their DDoS Botnets To Spread Cryptocurrency Mining Malware

There has been a shift in trend, warned cybersecurity firm Kaspersky Labs.

Previously, hackers controlled massive botnets of compromised computers and devices to launch distributed denial-of-service (DDoS) attacks against targeted victims.

This time, they are "reprofiling" their DDoS botnets to spread cryptocurrency mining malware as widely as possible.

Researchers from Kaspersky Labs found that hackers have shifted their strategies by reprogramming their botnet armies, resulting in a decline in DDoS attacks in the third quarter of 2018. The hackers deem cryptojacking to be more lucrative, and also less competitive.

While the number of unique users attacked by miners fell earlier in 2018, September actually saw an increase for the first time in months.

It seems that the decreasing price of cryptocurrency, most notably Bitcoin, hasn't really correlated with the popularity of those digital coins.

In September 2018, the number of users affected by cryptocurrency miners increased. (Source: Kaspersky Labs)

"This was induced not only by the high popularity of cryptocurrencies, but also the high competition in the 'DDoS market,'" wrote the analysts. "[This] made the attacks less expensive for clients, but not for the botnetters themselves, who still have to cope with more than a few less-than-legal 'organizational issues.'"

One example provided was the Yoyo botnet.

"DDoS activity of the Yoyo botnet dropped dramatically, although there is no data about it being dismantled," said the researchers.

The researchers also explained that cryptojacking is more in demand because it is a lot safer for the hackers: it is practically impossible for victims to realize that their machines are actively mining cryptocurrency. This contrasts with a DDoS attack, which aims to take an entire network down, alerting everyone in the vicinity.

For this reason, cryptojacking can greatly reduce the chances of the attackers coming into contact with cyberpolice.

"Only in the case of miners, it might be quite a while before the user notices that 70–80% of their CPU or graphics card power is being used to generate virtual coins."
Top 10 countries by share of miner attacks, January-October 2018 (includes only countries with more than 500,000 Kaspersky Lab clients)

The researchers said that Monero is still the most dominant cryptocurrency among illegally mined coins. It is convenient for attackers because Monero can be mined from within desktop browsers using the standard processors found in common laptops.

"This is due to its anonymous algorithm, relatively high market value, and ease of sale, since it is accepted by most major cryptocurrency exchanges," explained Kaspersky Labs. "For botnets mining this coin illegally, it is important that CPU resources can be utilized."

It was speculated earlier that $250,000 worth of Monero was being mined every month through internet browsers using CoinHive, which is supposed to be a neutral cryptocurrency mining script.

The conclusion, based on data Kaspersky Labs obtained from various sources, is that legislative control over cryptocurrencies has little impact on the spread of hidden mining. For example, in Algeria and Vietnam cryptocurrencies are either prohibited or severely restricted under domestic law. Still, Vietnam ranks third among the leading countries by number of miner attacks, and Algeria ranks sixth.

"Meanwhile, Iran, which is presently drafting legislation to govern cryptocurrency and developing plans to issue its own 'coins,' is in seventh place."

On the other hand, internet users in the U.S. were the least affected by cryptojacking in 2018, suffering just 1.33 percent of the total number of attacks, followed by Switzerland (1.56 percent) and the UK (1.66 percent).

This leads Kaspersky Labs to one conclusion: the more freely unlicensed software is distributed in a country, the more malicious cryptocurrency miners are found. This conclusion is in line with other statistics from Kaspersky Labs, which showed that most malicious cryptocurrency miners infect machines through pirated and unlicensed software.

Published: 29/11/2018