Cryptocurrency/Crypto-mining News and Resources

[For the moment, this mirrors a resource page on the AVIEN blog which it may eventually replace. – DH, 8th March 2018]

People keep telling me that this is the new ransomware… For the moment, I’m just going to flag things as they come up: maybe with commentary and better organization later. Items will be added with the latest items at the top.

[March 18th 2018]

[March 13th 2018]

[March 12th 2018]

(1) Paul Ducklin for Sophos: Cryptomining versus cryptojacking – what’s the difference?

(2) Bleeping Computer tells us: Microsoft Stops Malware Campaign That Tried to Infect 400,000 Users in 12 Hours
ZDNet is even more enthusiastic: Windows security: Microsoft fights massive cryptocoin miner malware outbreak – “Microsoft has blocked a malware outbreak that could have earned big bucks for one criminal group.”
Other players in the security industry were more restrained (as per the entry for March 8th below), notably myself, Sean Sullivan and Luis Corrons, quoted in an article by Kevin Townsend: Microsoft Detects Massive Dofoil Attack. Kevin didn’t quote me in full, so here’s (most of) what I said:

I don’t read that article as actually saying that Defender detected that particular campaign and no-one else did/does (which isn’t the case: note that some of the hashes in the figures show a VirusTotal score), or claiming that Microsoft actually disrupted the campaign, or even that it was the first product to detect this particular iteration of Dofoil or the Coinminer it’s delivering. If there’s a suggestion that detection by other products was tested, I missed it.

If it gives the impression that this detection ‘proves’ that all such attacks will be detected by Defender, well, that’s what AV products (often) do, but the phrase ‘hostage to fortune’ springs to mind. But the way I read it, Windows Defender did a good job of detecting this particular campaign, and deserves credit for it. As does any company that offers prompt/proactive detection of a sophisticated campaign, and there are several that do.

Do the Defender team have an unfair advantage? Well, I guess they have direct access to the OS developers, but spotting behavioural anomalies is bread-and-butter lab work, and incorporating such detection into cloud protection and machine learning is standard stuff. And I’m sure most labs value good knowledge of OS processes.

[March 8th 2018]

Microsoft: Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign. Rather self-congratulatory – sounds as if Microsoft stopped a campaign all by itself and Windows Defender is The Answer to crypto-mining and world hunger, but still…

[March 7th 2018]

[March 5th 2018]

[March 1st 2018]

[28th February 2018]

[27th February 2018]

[24th February 2018]

CNBC: Secretive Chinese bitcoin mining company may have made as much money as Nvidia last year

[23rd February 2018]

[22nd February 2018]

[18th February 2018]

[16th February 2018] FireEye: CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining

Bleeping Computer: Using the Chrome Task Manager to Find In-Browser Miners

[15th February 2018]: Help Net Security summarizes commentary from Check Point. Cryptomining malware continues to drain enterprise CPU power.

“In January, crypto-mining malware continued to be the most prevalent with Coinhive retaining its most wanted spot impacting 23% of organizations, followed by Fireball in second and Rig Exploit Kit in third impacting 17% of organizations.”

And here’s Check Point’s blog article: January’s Most Wanted Malware: Cryptomining Malware Continues to Cripple Enterprise CPU Power

“Check Point researchers also discovered three different variants of cryptomining malware in its top 10 most prevalent ranking, with Coinhive ranking first, impacting more than one-in-five organizations.”

Help Net Security/Radiflow: When crypto-mining malware hits a SCADA network

[14th February 2018]

Two links from Sophos:

Catalin Cimpanu for Bleeping Computer: Bitmessage Zero-Day Used in Attacks That Steal Bitcoin Wallet Files

Graham Cluley: Salon website gives you a choice: turn off your ad blocker or let us mine cryptocurrencies – It wants to use your computer’s resources to make them money.
“Yup, Salon is giving you a choice. If you don’t want to disable your ad blocker, maybe you’ll feel comfortable letting it run code from Coinhive which will gobble up your computer’s resources to mine some Monero cryptocurrency.”

Browsealoud compromise (injection of Coinhive): partial but lengthy list of affected sites.

[12th February 2018] Bleeping Computer: U.S. & UK Govt Sites Injected With Miners After Popular Script Was Hacked
“Thousands of sites were injected with an in-browser Monero miner today after a popular accessibility script was compromised. With 4,275 sites affected, this included government websites such as […]”

ESET: US and UK government websites hijacked to mine cryptocurrency on visitors’ machines

“If undetected by a user’s security solution or content- or ad-blocker, the script ran in the background unbeknown to the user until the webpage was closed. A number of the affected websites, including that of the ICO, were also offline for hours in the aftermath of the attack.”

[9th February 2018] BBC: Russian nuclear scientists arrested for ‘Bitcoin mining plot’
“Russian security officers have arrested several scientists working at a top-secret Russian nuclear warhead facility for allegedly mining crypto-currencies.”

[8th February 2018] Zeljka Zorz for Help Net: When crypto-mining malware hits a SCADA network
“Industrial cybersecurity vendor Radiflow […] has recently discovered Monero-mining malware on five servers of a water utility company located in Europe. These servers included […] the control server of the physical processes of the company.