What Is Cryptojacking?

How Does Cryptojacking Work?

Cryptojacking uses malware or malicious code to commandeer the processing power of victims’ devices (laptops, desktop computers, smartphones, etc.) for use in cryptocurrency mining.

Let’s look at how a cryptojacking attack progresses.

1. Delivery/Infection: Attackers most often get cryptomining code running on a victim's device, through social engineering scams such as phishing, malicious webpages, and so on. Websites and cloud services compromised with cryptomining code can silently siphon users’ computing power while they remain connected.
2. Execution: Cryptomining scripts run on a compromised device, using its CPU or GPU to solve difficult cryptographic puzzles. The device often becomes part of a botnet that combines the computational power of many infected endpoints to give the miner an edge in the blockchain race.
3. Profit: The miner whose computational efforts (legitimately their own or not) solve the cryptographic puzzle first receives the “block reward,” an allotment of cryptocurrency sent to their digital wallet. Victims of cryptojacking, meanwhile, get none of the reward—and end up indirectly paying for it.

Unlike ransomware, which calls attention to itself as a key step of an attack, cryptojacking software runs as quietly as possible to increase the lifespan and profitability of the attack. It may use encryption and anti-analysis techniques to evade basic cyberthreat detection solutions, throttle or pause its CPU usage depending on user activity, and more to avoid arousing suspicion.

What Are the Sources of Cryptojacking Malware?

Cryptojacking malware is much like other types of malware in terms of where it can appear in the wild. Most of the time, it can be found in connection with:

• Compromised websites, plugins, or browser extensions injected with malicious code
• Browser-based or “drive-by” mining on websites that aren’t otherwise inherently malicious
• Malicious downloads disguised as benign software, especially free apps or torrents
• Phishing emails containing infected attachments or leading to malicious websites
• Malicious ads containing cryptojacking scripts that run when the ad is clicked or viewed

What Does Cryptojacking Malware Mean for Your Business?

At an organizational level, the daily cost of cryptojacking may not raise many eyebrows. However, it can quickly add up to hundreds or even thousands of dollars per month, to say nothing of the potential for:

• Degraded system performance, which can frustrate and slow down your users, impacting productivity
• Higher energy bills and usage, which can hurt your bottom line and work against environmental goals
• Damage to computing hardware, which can create unforeseen costs in maintenance and replacement

Real-World Cryptojacking Examples

In spite of the risks, no cryptojacking attack has reached the global notoriety of supply chain attacks and ransomware like WannaCry or the attack on SolarWinds. Unlike those attacks, the quiet, unobtrusive way cryptojacking operates is what makes it dangerous. Let’s look at a few examples.

Smominru Botnet
Since 2017, Smominru has infected hundreds of thousands of Microsoft Windows systems worldwide to mine Monero cryptocurrency. It spreads by brute-forcing RDP credentials and exploiting software vulnerabilities, and can even execute ransomware, trojans, and more on compromised systems.

The Pirate Bay
In 2018, P2P file-sharing site The Pirate Bay was found to be running JavaScript code created by the now-defunct cryptomining service Coinhive. The cryptojacking script executed without users’ consent—and with no way to opt out—while they browsed the site, using their compute power to mine Monero.

Graboid
First discovered in 2019, Graboid is a worm that exploits unsecured (i.e., exposed to the internet) Docker containers. It spreads from compromised hosts to other containers in their networks, where it hijacks the resources of its infected systems to mine Monero.

Open Source Image Libraries
Beginning around 2021, researchers saw a spike in the number of cryptojacking images in open source repositories like Docker Hub. As of late 2022, the most common feature among malicious images was cryptojacking code (Google Cloud Cybersecurity Action Team, 2023).

Signs You Could Be a Victim of Cryptojacking

Cryptojacking attacks keep a low profile to prolong their unauthorized use of your system, but if you know what to look for, you might be able to identify their activities before the cost to you or your organization gets too high. During mining operations, might notice:

• Performance issues such as slowdown, freezing, crashing, or higher operating temperatures
• High CPU/GPU utilization even with very little running (check Windows Task Manager or macOS Activity Monitor)
• High or spiking energy usage with no apparent legitimate cause
• Unusual network traffic such as frequent outbound communications or large data transfers to unfamiliar locations
• Unfamiliar or suspicious processes hiding among a system’s legitimate background processes

How Can You Detect and Prevent Cryptojacking?

Beyond the common warning signs, you can put some simple technologies and strategies in place to help prevent cryptojacking attacks from dwelling in your environment—or stop them before they even take hold.

• Educate users and teams about the warning signs. Users may not report issues like poor performance if they don’t understand what it could indicate. For IT, help desk, and NetOps staff, evidence of unauthorized mining processes is an important thing to factor in while investigating and responding to reports.
• Find hidden evidence with proactive threat hunting. The clearest signs of cryptojacking activity might not play out where your users can see them. Skilled security personnel or dedicated threat hunters can work to identify and investigate behavioral anomalies and other subtle indicators of cryptojacking compromise.
• Use effective tools to monitor and block cryptomining traffic. The best way to stop cryptojacking is to keep it from starting in the first place. To do that, you need a solution that ensures every packet from every user, on or off-network, gets fully inspected from start to finish, with unlimited capacity to inspect TLS/SSL. Zscaler can help.

Zscaler Cryptojacking Protection

Zscaler Internet Access™ (ZIA™), a core component of the cloud native Zscaler Zero Trust Exchange, provides always-on protection against cryptojacking—as well as ransomware, zero-day threats, and unknown malware—as part of its AI-powered Advanced Threat Protection suite.

Pre-built policy in ZIA, active from the moment of deployment, lets you automatically block cryptomining traffic and generate optional alerts. ZIA can detect cryptomining traffic as it passes through the Zero Trust Exchange, even if it’s encrypted.

ZIA delivers:

• Full inline prevention. Inline proxy architecture is the only reliable way to quarantine and block suspicious content and attacks at enterprise scale.
• Inline sandbox and ML. Zscaler Sandbox uses integrated ML for advanced analysis to quickly stop new and evasive file-based attacks.
• Always-on SSL inspection. Distributed across a global platform, you get infinite SSL inspection that follows users, on the network and off.
• The Zscaler cloud effect. We leverage threat data from the world’s largest security cloud—which processes over 300B transactions per day and dozens of external threat feeds—to share threat protections worldwide in real time.