Several things have come together in a perfect storm to create the most recent crypto-crime trend: the ability to surreptitiously install illicit Monero miners on unsuspecting computers around the world. Windows servers, laptops, Android devices, and IoT connected devices are all at risk.

The worst part? Targets often are unaware that they’ve been hacked — unless they’re able to recognize an occasional performance slowdown or can closely monitor their electric use. No ransoms, no stolen passwords or personal information; victims may even find it difficult to convince anyone there’s a problem.

Perfect Storm

  • In 2017 a hacker group released a National Security Agency-created hack called EternalBlue, which made it easy to crack into computers running Microsoft Windows.
  • Cryptomining itself: the fact that blockchain-based systems utilize miners, who automatically receive a cryptocurrency payment/reward for their contribution in whatever coin they choose to process.
  • Cryptocurrency users looking for more anonymity than offered with Bitcoin developed Monero, an altcoin better able to hide the tracks of criminal transactions.
  • Under the Radar

    Cryptomining is both profitable and easy (enough) to mount. As a result, it is rapidly replacing ransomware as the crypto-related cybercrime of choice, especially as cybersecurity vendors are bringing ransomware protection to market. The combination of the above technologies has created what is essentially a perfect storm, threatening to wreak havoc on computer systems.

    “What we’re looking at from a near and potentially long-term perspective is the value of a computer that has just a regular old CPU might be more just leaving it quietly running some cryptocurrency miner rather than infecting it with ransomware or some other software that might steal data,” explains Ryan Olson, Intelligence Director at Palo Alto Networks.

    “In this new business model, attackers are no longer penalizing victims for opening an attachment or running a malicious script by taking systems hostage and demanding a ransom,” explain the Talos team. “Now attackers are actively leveraging the resources of infected systems for cryptocurrency mining.”


    A large number of compromised devices working together is known as a botnet. Botnets are a common component of a hacker’s toolbox, as they can mount distributed denial of service attacks and various other attacks that require massive amounts of coordinated transaction processing.

    In the case of illicit cryptomining, however, each node works independently of the others. Cyber-criminals simply need to install many separate (but connected) miners because each miner only generates a relatively small amount of cryptocurrency.

    Case in point: Smominru. Smominru leverages the EternalBlue exploit from the NSA, targeting Windows. The attacker typically mounts a phishing attack with a Microsoft Word file attachment. Once the target downloads the file, it runs a Word macro that executes a Visual Basic script that in turn runs a Microsoft PowerShell script that downloads and installs the miner executable.


    One of the main cryptocurrencies that makes this whole process work is the newly-developed anonymous cryptocurrency Monero. “Bitcoin alternatives like Monero and Ethereum continue their overall upward trend in value,” explains Sandiford Oliver, Cybersecurity Researcher for Proofpoint, “Putting them squarely in the crosshairs of threat actors looking for quick profits and anonymous transactions.”

    While other cryptocurrencies do have their own roles, Monero is shaping up to be the favorite. “This Monero mining botnet is extremely large, made up mostly of Microsoft Windows servers spread around the globe,” says Kevin Epstein, Vice President of Proofpoint’s Threat Operations Center.