It is well known that new crypto coins appear via mining. Mining is a complex process of computation that relies on GPU or CPU power. More and more often, this procedure is done in an unethical way. Criminals have created sneaky methods to parasitize servers, and computers of other people to surreptitiously generate new coins.

The boom of rogue cryptomining (sometimes also called cryptojacking) at the cost of unsuspecting computer users co-occurred with the increase of Bitcoin price that skyrocketed in 2017. Although the dramatic price decrease in late 2018 caused many of these rogue mining campaigns to an end, the expectations of the epidemic’s quick end were impetuous.

A new wave of malicious cryptomining started to grow when the price of Bitcoin, Ethereum, and other popular cryptocurrencies gradually climbed back up in 2019. Cybercrooks are now using new techniques to hide their operations and their malware is now infecting new types of targets. Their repertoire ranges from targeting Docker hosts and airports – to spreading booby-trapped WAV media files and hacked CMS plugins. No system is secure, even relatively safe Apple devices may get infected too.

Below you can read about several new incidents that gave the security industry a heads-up.

Monero mining malware found in an international airport computer system

In October 2019, the security company Cyberbit made a discovery while deploying an Endpoint Detection and Response system in one of the European airports. Security researchers found that the biggest part of the international airport’s workstations was infected with a new version of the XMRig Monero mining malware.

Hackers were able to trick the antivirus solution, but the behavioral analytics system that was recently added identified the abnormal activity. The XMRig Monero malware has been around for about a year. This very variant, however, was its offshoot that included several tweaks to avoid detection by popular antivirus apps. Another innovation employed by the miner was the use of PAExec, (based on Microsoft’s PsExec service) that allowed hackers to remotely execute their processes on distant hosts. The malefactors leveraged this technology to penetrate the network and launch the harmful cryptominer granting it the admin rights.

The crooks also took advantage of the Reflective DLL Injection method to get a fileless execution of their code. It ran only in memory and did not land onto the hard discs at all, adding one more layer of obfuscation to the malicious activity.

Researchers say that the original payload arrived either with a spear-phishing email or drive-by download. The hackers were very accurate. They understood that they would need to stay quiet. They did not want to disrupt the normal operation of the airport. So, they restricted their malware from using a substantial part of the hosts’ CPU capabilities.

Docker hosts targeted by a unique cryptojacking worm

Docker is a virtualization service utilized for hosting data and software in isolated containers. This set of PaaS products is run by a single-engine and may have different structures and configurations while, technically, being the same software ecosystem.

Palo Alto Networks’ analysts came across an attack that injected a cryptominer into plenty of vulnerable Docker containers. The exploitation method in question stands out from the rest since the malicious piece of code called Graboid possessed characteristics of a worm. It is a new thing in this malware segment.

Hackers used Shodan to find unsecured Docker hosts. Once they accessed the target, they installed an infected Docker image. In a while, the treacherous code started to mine Monero cryptocurrency. It also reached out to the Command & Control server to get an updated list of other vulnerable Docker services. The worm selected the next victim (randomly) and spread itself further through the Docker client utility that allowed communication between the hosts.

Graboid malware was programmed to run in a somewhat chaotic way. It stopped its cryptomining on some hosts while starting it on others. Each miner was up and running about 60% of the time. The mining sessions did not last more than five minutes on average.

This lack of consistency allowed attackers to hide their tracks. One more thing that postponed the detection was that traditional security tools do not monitor disreputable activities inside Docker containers.

Audio files possessing a cryptomining payload

In late 2019, security researchers from Cylance unveiled a highly evasive technique of spreading cryptomining malware. Cybercriminals used WAV files to deliver their Monero miner. As a rule, such files do not raise any red flags.

The wicked minds behind this operation found a way to introduce a toxic payload into the data structure of popular audio tracks. Victims cannot notice any sound quality issues. Meanwhile, the loader element launches a portable executable (PE) file in the background.

The resulting malware is again a variant of the popular among hackers XMRig miner that uses the host’s CPU power for the benefit of cybercrooks. The second-stage payload is often a combination of the rogue miner and Metasploit (pentest software). The latter is used to remotely access the compromised device by establishing a reverse shell.  A serious concern about this attack is that such a mechanism of hiding a harmful code inside files subconsciously complicates detection because the code actually manifests itself only in memory.

Breached WordPress plugin that mines crypto

Trojanized WordPress plugins are not new. For years, attackers used them to get backdoor access to compromised servers. In some cases, ransomware authors used them to encrypt website files and ask for ransom. Researchers from the company that provides website protection called Securi have recently come across a new use case involving rogue plugins.

They found a fake WordPress plugin that spreads a miner named Multios. The fake plugin is a copy of Wpframework, a plugin that has not been supported and updated for years. Although the original developer is obsolete now in 2020, Wpframework can still be found on hundreds of WP websites. Plenty of webmasters risk to unwittingly install the wrong version of the plugin.

The perpetrators turned the prototype in an instrument of unauthorized access to the dashboard. In addition, this tool sets a cryptomining activity by launching a Linux binary.

Security experts are not tired to repeat that all WordPress website owners should update their plugins in time, install plugins only from reputable sources and regularly inspect for malicious activity


Rogue cryptomining is far from being over. The few cases above clearly demonstrate that criminals are thinking outside the box to evade detection techniques. Their main focus is on obfuscation of the harmful activity employing the random nature of the mining processes, fileless execution, and masking payloads as trustful files.

Regardless of the methods to infect the system, all attacks share the same sign: slow system performance caused by the high consumption of computer resources. This factor remains the main giveaway, and therefore people should monitor CPU usage to detect the hack at the early stage.