WHAT’S THE STORY?
Monero is a cryptocurrency designed to keep its users anonymous and is known to be highly resistant to transaction analysis by law enforcement. It is rapidly becoming the cryptocurrency of choice in the cyber-criminal underground economy. Monero is also extremely popular with operators of miner malware such as WannaMine (malware that infects personal computers and uses their spare processing power to “mine” cryptocurrency) because of its low mining difficulty compared to other cryptocurrencies of similar value.
WHAT DOES IT MEAN?
Monero is popular and easy to mine. It was initially positioned as a major competitive alternative to Bitcoin, but its popularity is actually due in large part to demand from the criminal underground. In 2016, administrators of the now-defunct criminal marketplace AlphaBay attempted to manipulate the price of Monero by encouraging mass buying of the currency, which pushed Monero into the cyber-criminal mainstream. Monero’s capabilities are now promoted as part of the suites of criminal malware sold on the black market. It is also believed to be used by state-sponsored cyber operations groups affiliated with North Korea that are attempting to evade sanctions. Organizations in all industries should take note, because they may have to deal with miner malware or other criminal probing or hijacking attempts related to Monero. Financial services organizations and government agencies in particular may already have been affected.
WHAT CAN YOU DO?
To reduce the risks and impact of Monero miner malware on your organization, security teams should:
Monitor system performance of hosts within business IT network environments to detect unusual rises in CPU or GPU use, or performance degradation
Monitor outbound network communications to known Monero mining pools
Monitor for cryptocurrency wallet and mining pool addresses in host process memory via endpoint detection and response (EDR) tools
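The three monitoring steps above can be correlated per host. The following Python script is an added example, not part of the original brief, showing how a security team might run that correlation over telemetry it already collects: CPU samples from performance monitoring, egress connection records from firewall or proxy logs, and strings that an EDR tool has extracted from process memory. All sample telemetry, the host names, the process IDs and the mining-pool watchlist are constructed placeholders (the pool host uses the reserved .invalid domain); the stratum port list and the Monero address format (95 base58 characters beginning with 4 or 8) are general knowledge, not values from the page.

```python
import re
from collections import defaultdict

# Constructed sample telemetry for a small fleet (not taken from the original brief).
CPU_SAMPLES = {
    "ws-101": [12.0, 15.0, 14.0, 13.0, 11.0, 16.0],   # normal office load
    "ws-102": [10.0, 95.0, 97.0, 98.0, 96.0, 97.0],   # sustained saturation after minute 1
}

# (source_host, destination_host, destination_port) taken from constructed egress logs
CONNECTIONS = [
    ("ws-101", "updates.example.invalid", 443),
    ("ws-102", "pool.example-xmr.invalid", 3333),
    ("ws-102", "cdn.example.invalid", 443),
]

# Strings an EDR tool extracted from process memory: host -> pid -> strings (constructed)
MEMORY_STRINGS = {
    "ws-101": {4120: ["https://updates.example.invalid/manifest.json"]},
    "ws-102": {
        7731: [
            "stratum+tcp://pool.example-xmr.invalid:3333",
            "4" + ("AbCdEfGh1234" * 8)[:94],   # constructed 95-char Monero-style address
        ]
    },
}

# Hypothetical watchlist; a real deployment would source pool hosts from threat-intel feeds.
MINING_POOL_HOSTS = {"pool.example-xmr.invalid"}
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}   # ports commonly used by stratum mining pools

# Monero mainnet addresses are 95 base58 characters starting with '4' (standard) or '8' (subaddress).
XMR_ADDRESS_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
# Stratum mining URLs embed the pool host and port in the miner's configuration.
STRATUM_URL_RE = re.compile(r"stratum\+(?:tcp|ssl)://[\w.\-]+:\d+")


def sustained_cpu(samples, threshold=90.0, min_run=3):
    """True if at least `min_run` consecutive samples are at or above `threshold` percent."""
    run = 0
    for value in samples:
        run = run + 1 if value >= threshold else 0
        if run >= min_run:
            return True
    return False


def pool_connections(connections, pool_hosts=MINING_POOL_HOSTS, ports=STRATUM_PORTS):
    """Return egress records whose destination is a watchlisted pool host or a typical stratum port."""
    return [c for c in connections if c[1] in pool_hosts or c[2] in ports]


def wallet_indicators(strings):
    """Return Monero-style addresses and stratum URLs found in a list of memory strings."""
    found = []
    for s in strings:
        found.extend(XMR_ADDRESS_RE.findall(s))
        found.extend(STRATUM_URL_RE.findall(s))
    return found


def triage(cpu=CPU_SAMPLES, connections=CONNECTIONS, memory=MEMORY_STRINGS):
    """Correlate the three signals per host; returns {host: [finding, ...]} for hosts with any hit."""
    findings = defaultdict(list)
    for host, samples in cpu.items():
        if sustained_cpu(samples):
            findings[host].append("sustained high CPU")
    for host, dest, port in pool_connections(connections):
        findings[host].append(f"egress to {dest}:{port}")
    for host, procs in memory.items():
        for pid, strings in procs.items():
            for indicator in wallet_indicators(strings):
                findings[host].append(f"pid {pid} holds {indicator[:24]}...")
    return dict(findings)


if __name__ == "__main__":
    for host, items in triage().items():
        print(host)
        for item in items:
            print("  -", item)
```

A single signal is weak on its own (a build server legitimately runs hot, and port 443 egress tells you nothing), so the value is in the correlation: a host that shows sustained CPU load, talks to a watchlisted pool and holds a wallet address in a process's memory is worth an immediate look, while a host with only one of the three can be triaged at lower priority.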