As the value of cryptocurrency has grown over the course of 2017, so too have the methods used by hackers to get unauthorized mining code running on end-user systems. Security firm Trend Micro last week disclosed the latest method, issuing a warning about a campaign that abuses Facebook Messenger to help deliver and control a cryptocurrency miner to victim systems.
Trend Micro has dubbed the cryptocurrency miner campaign "Digmine," reporting that the attack was active in several regions around the world, including South Korea, Ukraine, Philippines, Thailand and Venezuela.
The Digmine attack uses a Facebook Messenger bot to send a message to unsuspecting users that includes a link to a cryptocurrency miner. The scope of the attack is limited in that it only works against the desktop web browser version of Facebook Messenger running in Google Chrome.
Trend Micro reported its research to Facebook, which has already taken steps to mitigate the risk.
"We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger," Facebook stated. " If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners on facebook.com/help."
How Digmine Works
According to Trend Micro's analysis of Digmine, the code was built using the AutoIT scripting language to help automate the delivery of the cryptocurrency miner campaign. Cryptocurrency is created, or "mined," using computing power to discover blocks. There are many different types of cryptocurrency, with Bitcoin not only being the most well-known but also having the highest value.
Digmine doesn't mine Bitcoin, which typically requires GPUs or purpose-built systems. Rather, Trend Micro reported that Digmine is being used to mine the Monero cryptocurrency, which can be done with CPU-powered systems. Among the noteworthy aspects of the Digmine attack is its ability to propagate widely.
"If the user's Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account's friends," Trend Micro stated in its analysis. "The abuse of Facebook is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line."
According to Trend Micro's analysis, Digmine is using a variant of the XMRig open-source Monero miner as its payload to exploit systems.
The idea of using some form of malware to get cryptocurrency mining code onto end-user system is not a new one. Several research reports in 2017 have pointed to the increasing use of software known as Coinhive, which mines Monero without user knowledge via a hidden script on a web page. Symantec reported that browser-based cryptocurrency mining has been around since 2011, though it was the launch of Coinhive in September 2017 that has led to a sharp increase in attacks.
Attackers are also making use of known vulnerabilities to take aim at servers, in a bid to boost unauthorized cryptocurrency mining activities. Network security vendor F5 reported that the Zealot campaign is targeting servers that have not patched for the Apache Struts CVE-2017-5638 flaw that led to the Equifax data breach in order to deploy cryptocurrency mining code.
What Should Users Do?
There are several steps that users can take to limit the risk of unintentionally becoming a cryptocurrency mining host. Keeping all software, including operating systems, browsers and browser extensions, up-to-date is a key step.
In addition, endpoint anti-malware security technologies can be used to help detect and block unwanted cryptocurrency mining code. At the network layer, organizations can make use of network firewalls and intrusion protection system (IPS) technologies to help block connections to mining pools.
"All mining software, whether it is file- or browser-based, must be able to connect to either the cryptocurrency network or a mining pool to exchange data, in other words its proof-of-work," Hon Lau, development manager at Symantec, wrote. "Without this connection, it cannot get the data it needs to generate hashes, rendering it useless."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.