Mining Malware Attacks Reduced by 50% during First Half of 2019

New versions of CoinHive malicious software with added functionalities have emerged. Ransomware remains the most used malware by cybercriminals.

Ransomware and mining malware have been the most commonly used methods by cybercriminals against organizations in 2019, indicates the Cyber ​​Attack Trends report by the company Check Point Research. However, it should be noted that mining malware attacks were reduced in the first half of the year, compared to the first half of 2018.

According to the report, mining malware attacks were reduced by 50% during the first half of this year. Check Point Research records that 21% of organizations worldwide were affected by mining malware attacks compared to 42% during their peak in 2018. This decrease is connected to the closure of the CoinHive mining platform in March 2019.

With data extracted from the Check Point ThreatCloud global cyber ​​threat Map between January and June 2019, combined with the primary research conducted by the company’s cybersecurity experts, the report described trends observed in malware categories: ransomware, mining software, botnet, bank Trojans, data breaches and mobile threats, in descending order by frequency of use.

Mining malware remained prevalent in the threat landscape of the first half of 2019. This occurred despite the closure of the notable CoinHive mining service in March, which led to a decline in the popularity of mining malware among threat actors. As a consequence, and to continue to prevail in 2019, threat actors have been adopting a new approach by aiming at more rewarding targets than consumer PCs and by designing more robust operations.

Check Point Research

The report states that corporations, factories, powerful servers, and even resources in the cloud, can be found among the new victims.

In the global analysis of the main malicious programs during 2019, miners continue to dominate the mentioned malware classifications, maintaining their place in the top global and regional ranges.

Mining Malware Decreases but It Diversifies

Regarding the descriptions of the different mining malware modalities, Check Point Research highlights the presence of AuthedMine, a version of the CoinHive JavaScript miner. Similarly to CoinHive, AuthedMine is web-based malware used to perform online mining of the cryptocurrency Monero, when a user visits a web page. However, unlike CoinHive, AuthedMine is designed to require the explicit consent of the website user, before running the mining script.

In the second place is CryptoLoot, JavaScript-based malware designed to perform online mining of the Monero cryptocurrency, without the user’s approval, when visiting a certain web page. The implanted software uses the computational resources of end users’ machines to extract coins, which affects their performance.

The third place is occupied by DarkGate, multifunction malware active since December 2017 that combines ransomware, credential theft, RAT and crypto-mining capabilities. The malicious software mainly aims at the Windows operating system, and it employs a variety of evasion techniques.

On the other hand is WannaMine, which is a sophisticated Monero crypto-mining worm that spreads when the EternalBlue exploit explodes. WannaMine implements a propagation mechanism and persistence techniques by taking advantage of permanent event subscriptions from Windows Management Instrumentation (WMI).

Finally, the XMRig, which is a kind of open source CPU mining software used for the mining process of the cryptocurrency Monero, and was first seen in May in 2017.

By Willmen Blanco