Cyber-criminals, North Korea Embrace Crypto-mining

A proliferation of mining malware has started to make its presence known, and long-term, low-velocity crypto-mining operations are becoming a go-to approach for cyber-criminals. In addition, according to threat intel company Recorded Future, North Korea seems to be getting in on the action.

The firm found in an analysis that cyber-criminals are utilizing cryptocurrency mining as a way to maintain a steady income and avoid the inherent risks involved in running a large-scale ransomware campaign. This year, starting in May 2017, Recorded Future observed a rapid spike of mining malware alerts across a spectrum of analyzed sources. In all, it identified 62 different types of mining malware offered for sale across the criminal underground.

Although some variants are sold for as high as $850, the majority of available mining malware today is offered for less than $50.

“Mining malware is readily available, affordable, and easy for a novice to deploy; however, indicators exist that provide a means to detect mining activity on a network,” the firm said.

As for North Korea, while it has not identified any North Korea-specific cryptocurrency mining malware, Recorded Future said that North Korean threat actors have experience in altering publicly available tools, managing botnets and procuring cryptocurrency both legally and illegally.

“North Korean threat actors have been conducting cyber operations to generate funds for the Kim regime likely since at least 2015, but appear to have become interested in Bitcoin and cryptocurrency only over the past six months,” Recorded Future said.

Recorded Future analysis discovered in May that users in North Korea had begun to mine Bitcoin. Before then, there had been virtually no activity to Bitcoin-related sites or nodes, or utilizing Bitcoin-specific ports or protocols. Beginning on May 17, that activity increased exponentially, from nothing to hundreds per day.
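The network indicators mentioned above (traffic to Bitcoin nodes, Bitcoin-specific ports and protocols) can be turned into a simple per-day detector. This is an added example, not code from the article or from Recorded Future; it assumes a simplified flow-record format, constructed sample records, the Bitcoin mainnet/testnet P2P ports (8333/18333) and message magic, and the Stratum mining-protocol JSON-RPC method names as the indicators.

```python
import json
from collections import Counter

# Constructed sample records (not from the article): ts, src, dst, dport and the
# first bytes of the TCP payload, roughly what a proxy or flow sensor would log.
BITCOIN_MAGIC = bytes.fromhex("f9beb4d9")   # Bitcoin mainnet message-header magic
SAMPLE_RECORDS = [
    {"ts": "2017-05-16T10:00:00", "src": "10.0.0.5", "dst": "93.184.216.34", "dport": 443, "payload": b""},
    {"ts": "2017-05-17T08:12:00", "src": "10.0.0.7", "dst": "203.0.113.9", "dport": 8333,
     "payload": BITCOIN_MAGIC + b"version\x00\x00\x00\x00\x00"},
    {"ts": "2017-05-17T08:15:00", "src": "10.0.0.7", "dst": "203.0.113.44", "dport": 3333,
     "payload": b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}\n'},
    {"ts": "2017-05-17T09:00:00", "src": "10.0.0.8", "dst": "198.51.100.2", "dport": 80, "payload": b"GET / HTTP/1.1"},
    {"ts": "2017-05-18T01:00:00", "src": "10.0.0.7", "dst": "203.0.113.44", "dport": 3333,
     "payload": b'{"id":2,"method":"mining.authorize","params":["worker1","x"]}\n'},
    {"ts": "2017-05-18T01:01:00", "src": "10.0.0.9", "dst": "203.0.113.9", "dport": 18333, "payload": b""},
]

BITCOIN_P2P_PORTS = {8333, 18333}          # default P2P ports: mainnet, testnet
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}


def classify(record):
    """Return the list of mining/Bitcoin indicators that match one flow record."""
    reasons = []
    if record["dport"] in BITCOIN_P2P_PORTS:
        reasons.append("bitcoin-p2p-port")
    payload = record.get("payload", b"")
    if payload.startswith(BITCOIN_MAGIC):            # Bitcoin wire protocol regardless of port
        reasons.append("bitcoin-p2p-magic")
    try:                                             # Stratum is line-delimited JSON-RPC
        msg = json.loads(payload.decode("utf-8"))
        if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
            reasons.append("stratum:" + msg["method"])
    except (UnicodeDecodeError, ValueError):         # binary or non-JSON payload: not Stratum
        pass
    return reasons


def daily_mining_activity(records):
    """Count flagged flows per day (the 'from nothing to hundreds per day' view) and list hits."""
    per_day = Counter()
    hits = []
    for r in records:
        reasons = classify(r)
        if reasons:
            per_day[r["ts"][:10]] += 1
            hits.append((r["src"], r["dst"], reasons))
    return per_day, hits


if __name__ == "__main__":
    counts, flagged = daily_mining_activity(SAMPLE_RECORDS)
    for day in sorted(counts):
        print(day, counts[day])
    for src, dst, why in flagged:
        print(src, "->", dst, ", ".join(why))
```

A sudden step from zero to a sustained daily count, as in the report, is the signal worth alerting on; single hits are better treated as triage leads.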

“The timing of this mining is important, because it began very soon after the May WannaCry ransomware attacks, which the NSA has attributed to North Korea’s intelligence service, the Reconnaissance General Bureau (RGB), as an attempt to raise funds for the Kim regime,” analysts said. “It is not clear who is running the North Korean Bitcoin mining operations; however, given the relatively small number of computers in North Korea coupled with the limited IP space, it is not likely this computationally intensive activity is occurring outside of state control.”

Crypto-mining is more attractive than other approaches, the analysts added. While the potential profitability of fraudulent bank transfers remains at the top of the criminal "food pyramid," to achieve maximum results, threat actors have to work with developers of banking web-injects and automatic money-transferring malware. To receive and launder stolen funds, reliance on a long chain of money-mule handlers is unavoidable, and funds from completed banking transactions will often be stolen by dishonest intermediaries.

Ransomware, meanwhile, has landed firmly in the sights of law enforcement of late.

Crypto-mining on the other hand can generate a steady income stream without all of the inherent risks.

“In the immediate future, we don't foresee mining malware overtaking ransomware in terms of inflicted infrastructure damages nor monetary gains to its operators,” Recorded Future said. “However, for the first time in the last two years, we are seeing a shift in cyber-criminal mentality and a growing skepticism for widespread ransomware campaigns. As international law enforcement shows exceptional determination, successfully dismantling several high-profile marketplaces and arresting longtime members of the criminal underground, malicious actors are willing to accept less lucrative, but almost risk-free business models.”
