Because of its potential to earn hackers millions in a steady stream of cash, Kaspersky Labs has deemed crypto-jacking the new ransomware in a report that arrived just as researchers spotted two new types of malware targeting the growing popularity of cryptocurrencies.
Kaspersky researchers said they were gearing up for a quarterly analysis of ransomware when they found there wasn’t much to analyze due to the rise of crypto-jacking.
“This discovery led us to speculate whether the ransomware business model was starting to crack,” researchers wrote in the report. “Was there a more lucrative alternative for cybercriminals looking to make money? … Our guess was that criminals were starting to turn their backs on ransomware to focus on cryptocurrency mining instead.”
With near-perfect timing, mere days later security researchers found themselves tracking two new types of cryptocurrency malware–OSX Dummy, a MacOS malware targeting cryptocurrency investors using Slack and Dischord chat programs, and a new form of “Clipboard Hijacker” malware with the ability to scan 2.3 million cryptocurrency addresses to switch legitimate destinations with addresses the attackers control.
‘Dumb’ malware can take over system
Security researcher Remco Verhoef first spotted multiple attacks of the OSX Dummy malware that can allow for remote arbitrary code execution last week and released his findings on Friday to the SANS InfoSec Handlers Diary Blog.
“We’ve seen multiple MacOS malware attacks, originating within crypto-related Slack or Discord chats groups by impersonating admins or key people,” Verhoef wrote in his post. “Small snippets are being shared, resulting in downloading and executing a malicious binary.”
Fortunately for those being targeted, the malware is highly unsophisticated–one the reasons for its name, along with the fact that it saves a user’s password to a file called “dumpdummy”–with attackers “asking users to infect themselves,” according to a post on Mac security specialist Patrick Wardle’s Objective-See blog.
It was actually Wardle, not Verhoef, who dubbed the malware OSX Dummy because, among other things, “the infection method is dumb, the massive size of the binary is dumb, the persistence mechanism is lame (and thus also dumb)” and “the capabilities are rather limited (and thus rather dumb),” he wrote.
However, OSX Dummy can result in an attacker taking control of a person’s system if it’s successful. “If users fall for this (rather lame social engineering trick), a rather massive machO binary will be downloaded and executed,” Wardle wrote.
Hackers bolster crypto-jacking tools
If OSX Dummy poses a rather insignificant threat to cryptocurrency investors, they seem to have a far bigger enemy in a category of malware called Cryptocurrency Clipboard Hijackers, which actually are a very stealthy way for hackers to mine digital currency from unsuspecting victims.
This type of malware targets the method cryptocurrency traders have been using to cut and paste destination addresses from one application into whatever program they’re using to send the currency. The addresses are usually pretty lengthy and complex, so it’s easier to do this than to remember them or write them down and retype them.
The problem is, bad actors are on to this and have begun to exploit it using malware like Clipboard Hijacker, which can scan a computer’s clipboard for those copied addresses and swaps legitimate addresses for ones owned by attackers. This results in currency ending up in the hands of cybercriminals rather than the legitimate traders to whom it was supposed to go.
While this type of malware has been around for some time, previous samples tracked by researchers have monitored for about 400,000 to 600,000 cryptocurrency addresses. A new sample identified by BleepingComputer last week, however, monitors for more than 2.3 million addresses, showing crypto-jackers seriously upping their game to re-route cryptocurrency their way.
The finding suggests that cryptocurrency hijackers overall are bolstering their efforts to exploit the growing digital currency trend, phasing out other attempts to pilfer money through malware in the process.
Ransomware out, crypto-jacking in
Indeed, that’s exactly how Kaspersky sees it. In its report, researchers noted that they saw a 30 percent year-over-year drop in ransomware from 2016 to 2017, showing that the authors of this type of malware appear to be losing interest.
The rise in popularity of cryptocurrency–which in fact often was the currency of choice in ransomware attacks–was not something hackers could ignore, thus its new status as the reason for ransomware’s imminent extinction, according to Kaspersky.
“Miners are a discreet and modest way to make money by exploiting users, and are a far cry from the noisy and very noticeable encryption of victim devices,” researchers wrote. “Instead of the large one-off payout achieved with ransomware, cybercriminals employing mining as a tactic can benefit from an inconspicuous, stable and continuous flow of funds.”
The findings of the report support these claims. Researchers found almost a 50 percent rise in crypto-mining year over year from 2016 to 2017, from 1.9 million users encountering miners between 2016 and 2017 to 2.7 million between 2017 and 2018.
“The true spike in mining started in summer 2016, and the increase became more and more steady, resulting in over 400,000 hits a month, while fluctuating with cryptocurrency prices,” researchers wrote. “Monero, for instance, increased its price several times in approximately the same period of time. A year later, the situation remained the same, but on steroids, with the number of hits exceeding not 400,000 but 600,000 per month.”
Moreover, the share of miners detected from both the overall number of threats detected and the overall risk-tool detections also climbed steadily between 2016 and 2017, researchers found. The former rose from about 3 percent in 2016-2017 to more than 4 percent in 2017-2018, and the latter from more than 5 percent to 8 percent in the same year-over-year period.