Interpol Collaborates With Cybersecurity Firm to Tackle Cryptojacking

Published at: Jan. 9, 2020

Interpol has collaborated with cybersecurity firm Trend Micro to reduce cryptojacking affecting MikroTik routers across South-East Asia, according to a Jan. 8 press release. Though the collaboration reduced the number of affected devices by 78 percent, this is unlikely to have made a significant impact on mining hashrate.

Cryptojacking is a malicious practice in which attackers infect common devices with crypto mining malware, using the victim’s resources to mine cryptocurrency. Trend Micro collaborated with Interpol’s Global Complex for Innovation, based in Singapore, to sanitize MikroTik routers infected with mining malware.

As part of “Operation Goldfish Alpha,” Trend Micro developed a “Cryptojacking Mitigation and Prevention” guidance document, detailing how a vulnerability affecting a common brand of home and enterprise routers led to thousands of devices being infected across the ASEAN region. The document also suggested how victims could use Trend Micro software to detect and eliminate the malware.

In the five months following the completion of the document in June 2019, experts from national Computer Emergency Response Teams and police helped identify and restore over 20,000 affected routers, reducing the number of infected devices in the region by 78 percent.

How much money did the hackers make?

The vulnerability affected all MikroTik routers running the company’s proprietary RouterOS. These routers use a wide range of ARM-based CPUs, from single-core 600 megahertz chips to 72-core 1 gigahertz processors.

Trend Micro reported that attackers mined Monero (XMR) with the affected devices. Monero is one of the few coins that can reasonably be mined with common CPUs — especially after the RandomX upgrade further shifted the focus to central processing units.

Though hashrate figures vary widely between different types of ARM processors, benchmarks published by the Monero community allow an estimate of roughly 300 hashes per second for some common ARM processors, such as those found in smartphones.

With 20,000 devices and at Jan. 9 network hashrate figures, the attackers would currently make an estimated $13,000 per month from infected routers, according to the CryptoCompare calculator. However, estimates put the number of affected devices globally at 200,000 since 2018, well before the introduction of RandomX. Before the upgrade, hashrates for ARM processors were much lower — around 10 hashes per second.

Mining profitability has varied significantly in the last two years, but the monthly revenue from the cryptojacking attack is likely to have amounted to between five and six figures.

It is unclear whether the mining software could be updated through the various hard forks that have occurred since. Even if the malware was still active in late 2019, its profitability was low compared to the hundreds of millions of dollars lost to exchange hacks during the entire year.
