Collection of Malicious Crypto-Mining fact of the day
During November 2017 I ran a short "Malicious Crypto-Mining fact of the day" series on Twitter to help raise awareness of this rising threat. Here are the facts collected into a single blog post.
Fact one:
Malicious Crypto-Mining fact of the day: Trying to hide from suspicious technical victims, crypto-miners often self-terminate when they spot IT tools such as Task Manager and Process Explorer.
— Omri Moyal (@GelosSnake) November 20, 2017
and also here: https://t.co/klexq0k7uf pic.twitter.com/RNGQ8CczLN
— Omri Moyal (@GelosSnake) November 20, 2017
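The behaviour in fact one leaves a timing artefact a defender can hunt for: a process that exits seconds after Task Manager or Process Explorer starts. The following is an added example, not code from the original post, of that correlation run over constructed, Sysmon-style process create/terminate events. The event field names, the tool list and the three-second window are my assumptions, not real Sysmon schema or a tuned threshold.

```python
# Added example (not from the original post): flag processes that exit right
# after an analysis tool starts, i.e. the "self-terminate on Task Manager"
# trick from fact one. Events are constructed and simplified: event 1 = create,
# event 5 = terminate, mirroring Sysmon IDs, but the field names are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tools a miner is likely to watch for (image basenames, compared case-insensitively).
ANALYSIS_TOOLS = {"taskmgr.exe", "procexp.exe", "procexp64.exe", "procmon.exe"}

# How soon after the tool appears a process exit counts as suspicious (assumption).
REACTION_WINDOW = timedelta(seconds=3)


@dataclass(frozen=True)
class ProcEvent:
    time: datetime
    event_id: int          # 1 = ProcessCreate, 5 = ProcessTerminate
    pid: int
    image: str             # full path of the process image


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_tool_evaders(events, window=REACTION_WINDOW):
    """Return (pid, image, tool) for every process that terminated within
    `window` after an analysis tool was created. The tool itself is never
    reported, so a user simply closing Task Manager does not trigger the rule."""
    events = sorted(events, key=lambda e: e.time)
    tool_starts = [e for e in events
                   if e.event_id == 1 and _basename(e.image) in ANALYSIS_TOOLS]
    hits = []
    for e in events:
        if e.event_id != 5 or _basename(e.image) in ANALYSIS_TOOLS:
            continue
        for t in tool_starts:
            if t.time <= e.time <= t.time + window:
                hits.append((e.pid, e.image, _basename(t.image)))
                break
    return hits


# Constructed timeline: a miner masquerading as svchost (pid 4321) exits two
# seconds after Taskmgr starts; notepad exits much later and is benign.
T0 = datetime(2017, 11, 20, 10, 0, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, 1, 4321, r"C:\Users\Public\svchost.exe"),
    ProcEvent(T0 + timedelta(seconds=30), 1, 5000, r"C:\Windows\System32\notepad.exe"),
    ProcEvent(T0 + timedelta(seconds=60), 1, 6100, r"C:\Windows\System32\Taskmgr.exe"),
    ProcEvent(T0 + timedelta(seconds=62), 5, 4321, r"C:\Users\Public\svchost.exe"),
    ProcEvent(T0 + timedelta(seconds=90), 5, 6100, r"C:\Windows\System32\Taskmgr.exe"),
    ProcEvent(T0 + timedelta(seconds=600), 5, 5000, r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for pid, image, tool in find_tool_evaders(SAMPLE_EVENTS):
        print(f"pid {pid} ({image}) exited within {REACTION_WINDOW.seconds}s of {tool} starting")
```

Expect noise from short-lived legitimate processes; in practice you would also require the exiting process to have been running for a while, or to have been consuming CPU, before alerting. Miners that merely suspend mining rather than exit will not show up here at all.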
Fact two:
Malicious Crypto-Mining fact of the day: Although many different currencies are mined by attackers, Monero (XMR) is the choice for the vast majority of bots. Its improved anonymity and CPU optimization make it perfect for cyber-criminals.
— Omri Moyal (@GelosSnake) November 21, 2017
Fact three:
Malicious Crypto-Mining fact of the day: A lot of miners are depending on public pools, making their profits and size quite easy to track. The wallet and pool address can be found quite easily and automatically. Here is a random example: https://t.co/QeaKB07gT1 pic.twitter.com/JHO1zAUoe8
— Omri Moyal (@GelosSnake) November 22, 2017
Fact four:
Malicious Crypto-Mining fact of the day: A lot of new cyber-crooks are experimenting with CryptoMining; their #1 OpSec Failure is to use a traceable email as their pool account. Live example via @anyrun_app - https://t.co/5qAFEylNB9 pic.twitter.com/QSEFQsgx22
— Omri Moyal (@GelosSnake) November 26, 2017
Fact five:
Malicious Crypto-Mining fact of the day: Building efficient mining code is not trivial. Therefore, malicious crypto-miners often include open-source code such as XMRig (https://t.co/oZOvUIudfM). Here's a very simple Yara rule to detect XMRig (and similar): https://t.co/N4i3S3y2sg pic.twitter.com/JasWyveh2Z
— Omri Moyal (@GelosSnake) November 27, 2017
Fact six:
Malicious Crypto-Mining fact of the day: Since solo mining is not that profitable, bots are joining public pools. These pools have pretty static domain names. Here are very experimental Snort and Suricata sigs for tracking them down. https://t.co/YbYu4YeOTM pic.twitter.com/3174OWskxN
— Omri Moyal (@GelosSnake) November 28, 2017
Fact seven:
Malicious Crypto-Mining fact of the day: It’s not surprising that mainstream bots are adding crypto-mining modules to their functionality. Mining plugins exist for both Windows and Linux bots. Here’s an example from SnatchLoader: https://t.co/Qdp9SwdC1C pic.twitter.com/SpvzULVw2D
— Omri Moyal (@GelosSnake) November 29, 2017