Cryptocurrency and its role in malware

Posted date 12/04/2018
José Manuel Roviralta Puente (INCIBE)
(Original Spanish title: Criptodivisas: su papel en el malware)


As technology develops, everything around it develops too. Malicious techniques are always the quickest to adapt to new technologies, and they have already jumped on the bandwagon of exploiting cryptocurrency.

In most cryptocurrency networks the rate at which new coins are issued is fixed by the protocol itself, and several (Bitcoin among them, with a cap of 21 million coins) also fix the total supply. The price of a coin is then set by supply and demand.

The stated goal behind these new currencies is to decentralise economic transactions, that is, to achieve a model in which a transaction does not have to pass through a third party (a bank or other institution) but only needs to be validated by the other nodes in the network.

Bitcoin, Ethereum, Monero and Litecoin are the most widely known cryptocurrencies. All share the same basic concept, but their differences make each of them more or less attractive for particular uses.

Monero, the malware developers' preferred cryptocurrency

Monero is a cryptocurrency whose priority is privacy: the nodes of its network cannot see which users take part in a transaction or how many coins are transferred. It also advocates more egalitarian mining.

Transaction privacy in Monero comes from the CryptoNote protocol (CryptoNight is the proof-of-work hash function used for mining, not the source of the anonymity). Three mechanisms work together: ring signatures bury the sender among outputs taken from other, unrelated transactions; one-time stealth addresses hide the receiver, since every payment goes to a fresh address that only the recipient can link to their wallet; and ring confidential transactions (RingCT) hide the amount. The sender, the receiver and the amount are therefore obscured on the public ledger, which defeats tracking of every element of the transaction. Only the sender and the receiver know who was involved and how much was transferred.

Together these features obfuscate the blockchain. Because transactions cannot be traced, Monero is fungible: any sum can be replaced by another sum of the same value with no history attached. This prevents blacklisting of wallets or of "tainted" coins.

Another feature of this cryptocurrency is that its proof-of-work algorithm was designed to give application-specific integrated circuits (ASICs) no real advantage over general-purpose hardware. Monero mining is therefore more egalitarian: conventional processors and graphics cards remain competitive.

These characteristics have made Monero one of the currencies most used by malware developers: it provides anonymity, and its mining is designed to be carried out on the most common devices, such as desktop computers, laptops, servers, smartphones and tablets.


Mining costs

To put it simply, creating new coins (the process known as mining) consists in repeatedly hashing a candidate block until a hash is found that the network accepts, at which point the block can be added to the blockchain.

Not every hash is valid: it must be numerically below a target set by the network, which for Bitcoin means that, written in hexadecimal, it must begin with a certain number of zeroes. The miner can only vary a counter (the nonce) and a few other free fields of the block and try again, so finding a valid hash is a brute-force search. As more computing power joins the network the target is lowered, so the expected number of attempts, and with it the time and energy spent per valid hash, keeps rising.

Mining costs therefore keep rising, both in terms of high-end hardware and in terms of energy.

For example, take a home computer with a mid-range processor and graphics card whose peak draw, including all internal and external components (screen, peripherals, loudspeakers), is about 400 W. Mining around the clock at 0.13 €/kWh, the article's estimate is a monthly cost of 18.20 € and an annual cost of 221 €; those figures correspond to an average draw of roughly 200 W, half the peak, and at a sustained 400 W the cost doubles to about 37 € per month (0.4 kW × 720 h × 0.13 €/kWh ≈ 37.4 €). This does not include the cost of the equipment itself or the wear and tear of a process that keeps the hardware under constant high load.

When an attacker runs the mining code on hardware that is not their own, the benefit is direct: they do not have to invest in hardware or maintenance, nor pay for the power consumed.

Real Cases

We are currently detecting more and more malware that uses cryptocurrency to obtain a direct benefit, although there are still cases in which cryptocoins are simply demanded as payment in an extortion scheme.

Mining from the browser

This mining method is becoming increasingly popular. It consists of a JavaScript mining script injected into a web page, so that when a user visits the page from their browser the script uses the visitor's hardware resources to mine cryptocurrency without their consent.

A well-known case is the Browsealoud plugin, which affected even government websites. This plugin makes web pages more accessible to people with visual impairments, colour blindness or dyslexia. In the cases detected, Browsealoud's source code had been modified to include Coinhive, a Monero mining script, so every site embedding the plugin served the miner to its visitors.

Other pages open a new browser window which the mining script positions behind the clock in the device's taskbar, so that the script keeps running, and keeps mining surreptitiously, even after the user believes they have closed the page or the browser.
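The Browsealoud incident is a supply-chain problem: a site that embeds a third-party script executes whatever that script becomes. Two checks a site owner or analyst can run are (a) scan a page for script tags that load from unexpected hosts or reference a known browser miner, and (b) pin the third-party script to a hash and reject a modified copy, which is exactly what the browser's Subresource Integrity (`integrity="sha384-..."`) attribute enforces at load time. The block below is an added example for this page, not code from the article, from Browsealoud or from Coinhive; the page, the plugin body, its "tampered" variant and the hostnames are constructed, and `MINER_INDICATORS` is a deliberately small list of strings drawn from the Coinhive/CryptoNight family named above, not a complete signature set.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect <script src=...> references and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


# Illustrative indicators only (strings associated with the Coinhive family); real
# deployments use a maintained list and behavioural signals as well.
MINER_INDICATORS = ("coinhive", "coin-hive", "cryptonight", "CoinHive.Anonymous")


def _matches_indicator(text: str) -> bool:
    lowered = text.lower()
    return any(ind.lower() in lowered for ind in MINER_INDICATORS)


def scan_html(html: str, allowed_hosts: set) -> dict:
    """Flag third-party scripts from unapproved hosts and any script mentioning a miner."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(f"third-party script from unapproved host: {src}")
        if _matches_indicator(src):
            findings.append(f"known miner loader: {src}")
    for body in collector.inline:
        if _matches_indicator(body):
            findings.append("inline script references a browser miner")
    return {"external": collector.external, "inline": len(collector.inline), "findings": findings}


def sri_digest(script_body: bytes) -> str:
    """sha384 digest in the format browsers compare against an integrity attribute."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script_body).digest()).decode()


def verify_script(script_body: bytes, pinned_digest: str) -> bool:
    """True only if the fetched copy still matches the digest pinned when it was reviewed."""
    return hmac.compare_digest(sri_digest(script_body), pinned_digest)


# Constructed stand-ins: a harmless accessibility plugin and the same file with a miner appended.
ORIGINAL_PLUGIN = b"(function(){ /* constructed accessibility plugin */ window.readAloud = function(){}; })();"
TAMPERED_PLUGIN = ORIGINAL_PLUGIN + b"\n/* injected */ var miner = new CoinHive.Anonymous('site-key'); miner.start();"

# Constructed page: the site's own script, a third-party plugin, and an inline miner.
SAMPLE_PAGE = """<html><head>
<script src="https://www.example.com/js/app.js"></script>
<script src="https://cdn.example.net/plus/scripts/plugin.js"></script>
<script>var miner = new CoinHive.Anonymous('site-key'); miner.start();</script>
</head><body>hello</body></html>"""


if __name__ == "__main__":
    report = scan_html(SAMPLE_PAGE, allowed_hosts={"www.example.com"})
    for finding in report["findings"]:
        print("FINDING:", finding)
    pinned = sri_digest(ORIGINAL_PLUGIN)
    print("pinned:", pinned)
    print("original verifies:", verify_script(ORIGINAL_PLUGIN, pinned))
    print("tampered verifies:", verify_script(TAMPERED_PLUGIN, pinned))
```

The integrity check is the one that would have stopped the case described above: a page that declares `<script src="..." integrity="sha384-...">` makes the browser refuse the modified plugin outright, whereas the host allowlist only catches a miner loaded from somewhere new.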

Attacks on critical infrastructures

Industrial Control Systems (ICS) have also been affected by this wave of malware designed for cryptocurrency mining. Radiflow, a security company, detected that the systems of a water treatment plant had been compromised in such a way that its SCADA servers devoted their processing resources to cryptocurrency mining. The infection was detected thanks to the external HTTP requests made by the mining script.
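The detail that gave the plant infection away, outbound requests from a SCADA host that should never talk to the Internet, generalises into a simple network detection. Miners talk to their pool with Stratum-style JSON-RPC: `login`, `getjob` and `submit` for CryptoNight/Monero miners, `mining.subscribe`, `mining.authorize` and `mining.submit` for Bitcoin-style pools, either raw over TCP (frequently on ports such as 3333, 4444, 5555 or 7777) or wrapped in HTTP. The block below is an added example written for this page, not the vendor's detection logic and not tied to the real incident; the JSON-lines log, the internal and pool addresses, the wallet string and the agent name are all constructed, and the port list is a heuristic rather than evidence on its own, which is why it only produces a "weak" finding.

```python
import json
from collections import defaultdict

# Stratum / pool JSON-RPC method names used by common CPU miners (Monero-style and
# Bitcoin-style). A host emitting these is mining, whatever port it uses.
STRATUM_METHODS = {
    "login", "getjob", "submit", "keepalived",
    "mining.subscribe", "mining.authorize", "mining.submit",
}

# Ports commonly offered by mining pools. Weak signal: plenty of legitimate
# software uses them too, so on their own they only justify a closer look.
COMMON_POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 9999, 14444}

# Constructed log: one record per observed connection, with the first bytes of payload.
SAMPLE_LOG = r"""
{"ts":"2018-02-01T03:14:07Z","src":"10.10.5.21","dst":"203.0.113.7","dport":3333,"payload":"{\"id\":1,\"method\":\"login\",\"params\":{\"login\":\"44constructedWalletAddress\",\"pass\":\"x\",\"agent\":\"XMRig/2.5.0\"}}"}
{"ts":"2018-02-01T03:14:09Z","src":"10.10.5.21","dst":"203.0.113.7","dport":3333,"payload":"{\"id\":2,\"method\":\"submit\",\"params\":{\"job_id\":\"1\",\"nonce\":\"1a000000\",\"result\":\"00\"}}"}
{"ts":"2018-02-01T03:15:00Z","src":"10.10.5.21","dst":"203.0.113.7","dport":80,"payload":"POST /json_rpc HTTP/1.1 {\"id\":3,\"method\":\"getjob\",\"params\":{}}"}
{"ts":"2018-02-01T03:15:02Z","src":"10.10.5.22","dst":"198.51.100.9","dport":443,"payload":"GET /historian/api/v1/points HTTP/1.1"}
{"ts":"2018-02-01T03:15:05Z","src":"10.10.5.23","dst":"203.0.113.50","dport":5555,"payload":"BINARY 0x00 0x01"}
"""


def extract_rpc_method(payload: str):
    """Return the JSON-RPC method if the payload carries a Stratum call, else None.

    The JSON may sit behind an HTTP request line, so parsing starts at the first brace.
    """
    start = payload.find("{")
    if start < 0:
        return None
    try:
        obj = json.loads(payload[start:])
    except json.JSONDecodeError:
        return None
    method = obj.get("method") if isinstance(obj, dict) else None
    return method if method in STRATUM_METHODS else None


def analyse(log_text: str) -> dict:
    """Group findings per source host into 'strong' (protocol match) and 'weak' (port only)."""
    findings = defaultdict(lambda: {"strong": [], "weak": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        where = f"{rec['dst']}:{rec['dport']}"
        method = extract_rpc_method(rec["payload"])
        if method:
            findings[rec["src"]]["strong"].append(f"{rec['ts']} Stratum '{method}' to {where}")
        elif rec["dport"] in COMMON_POOL_PORTS:
            findings[rec["src"]]["weak"].append(f"{rec['ts']} connection to common pool port {where}")
    return dict(findings)


def hosts_to_investigate(log_text: str) -> list:
    """Hosts with at least one protocol-level match, sorted for stable output."""
    return sorted(host for host, f in analyse(log_text).items() if f["strong"])


if __name__ == "__main__":
    for host, f in sorted(analyse(SAMPLE_LOG).items()):
        for reason in f["strong"]:
            print(f"[STRONG] {host}: {reason}")
        for reason in f["weak"]:
            print(f"[weak]   {host}: {reason}")
    print("investigate:", hosts_to_investigate(SAMPLE_LOG))
```

In an ICS network the stronger control is not the detector but the rule it implies: SCADA and historian hosts should have no route to the Internet at all, so any of these records is an anomaly before its payload is even parsed.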

Monero as a payment currency

Monero is also being used as the payment currency in ransomware cases. The creators of Kirk, a Star Trek-themed ransomware, demand that the ransom be paid in Monero. The switch from the more traditional payment in bitcoins is explained by the fact that Monero lets the attackers receive the transfers anonymously.

Old acquaintances that have adapted to the times: WannaMine

Thought you would not hear from WannaCry again? Wrong. A variant called WannaMine has recently been detected. It spreads through the same vulnerability as its twin, the SMBv1 flaw targeted by the EternalBlue exploit. Although the procedure is the same, the purpose is different: rather than extorting the victim by encrypting their data and asking for a ransom, this variant quietly installs malware that devotes the device's resources to cryptocurrency mining. The victim thus unknowingly becomes part of a botnet and in turn infects neighbouring devices. Currently more than 500,000 devices are reported to be affected by this malware.