SoK: Cryptojacking Malware

  title={SoK: Cryptojacking Malware},
  author={Ege Tekiner and Abbas Acar and Arif Selcuk Uluagac and Engin Kirda and Ali Aydin Selçuk},
  journal={2021 IEEE European Symposium on Security and Privacy (EuroS\&P)},
Emerging blockchain and cryptocurrency-based technologies are redefining the way we conduct business in cyberspace. Today, a myriad of blockchain and cryp-tocurrency systems, applications, and technologies are widely available to companies, end-users, and even malicious actors who want to exploit the computational resources of regular users through cryptojacking malware. Especially with ready-to-use mining scripts easily provided by service providers (e.g., Coinhive) and untraceable… 

A Lightweight IoT Cryptojacking Detection Mechanism in Heterogeneous Smart Home Networks

This paper proposes an accurate and efficient IoT cryptojacking detection mechanism based on network traffic features, which can detect both in-browser and host-based cryptojacked malware and designs several novel experiment scenarios to assess the detection mechanism to cover the current attack surface of the attackers.

Cryptocurrency Mining Malware Detection Based on Behavior Pattern and Graph Neural Network

The experimental results show that the MBGINet method achieves a leading and stable performance compared to the dedicated opcode detection method and obtains an accuracy improvement on the simulated in-the-wild dataset and gains an advantage over the general malware detection method Malconv.

Limitations of Web Cryptojacking Detection: A Practical Evaluation

A practical evaluation of the existing web browser blockers against real-world web-based cryptojacking solutions reveals that in more than 60% of cases the tested defensive solutions fail in fighting this threat or can be easily fooled with a few simple modifications.

Distributed Random Beacon for Blockchain Based on Share Recovery Threshold Signature

A threshold signature scheme based on share recovery that takes an acceptable time overhead in distributed key generation and simultaneously enrich the share recovery functionality for the threshold signature-based random number generation scheme.

Do Charging Stations Benefit from Cryptojacking? A Novel Framework for Its Financial Impact Analysis on Electric Vehicles

It is asserted that while cryptojacking provides a financial advantage to attackers, it can severely degrade efficiency and cause battery loss, and a novel framework is proposed that incorporates these models and allows an objective quantification of the extent of this economic damage and the advantage to the attacker.

Detecting Cybercriminal Bitcoin Relationships through Backwards Exploration

Back-and-forth exploration, a novel automated Bitcoin transaction tracing technique to identify cybercrime financial relationships, uncovers a wealth of services used by the malware including 44 exchanges, 11 gambling sites, 5 payment service providers, 4 underground markets, 4 mining pools, and 2 mixers.

DNS based In-Browser Cryptojacking Detection

The metadata aspect of Domain Names (DNs) is used to perform a behavioral study of DNs and detect if a DN is involved in in-browser cryptojacking, which reveals the need for improvements in the feature set of state-of-the-art methods to improve their accuracy in detecting in- Browser Cryptojacking.

A First Look at Code Obfuscation for WebAssembly

This paper applies numerous obfuscation techniques to Wasm programs, and test their effectiveness in producing a fully obfuscated Wasm program, and shows that obfuscation can be highly effective and can cause even a state-of-the-art detector to misclassify the obfuscate Wasm samples.

The Dangerous Combo: Fileless Malware and Cryptojacking

A new threat hunting-oriented DFIR approach with the best practices derived from field experience as well as the literature is presented to provide a literature review in academic papers and industry reports for this new threat.



Detecting Cryptomining Using Dynamic Analysis

The results show that browser-based cryptomining within the dataset can be detected by dynamic opcode analysis, with accuracies of up to 100%, and this is the first such work presenting op code analysis on non-executable files.

Cryptojacking injection: A paradigm shift to cryptocurrency-based web-centric internet attacks

An attack model based on finite state machines is formulated which depicts the various breaches of confidentiality, integrity and availability in the web system as the attack progresses and shows how this new attack vector attacks some of the core components of e-commerce to generate Monero crypto currency from benign web users.

Dine and Dash: Static, Dynamic, and Economic Analysis of In-Browser Cryptojacking

An analytical model is built to empirically evaluate the feasibility of cryptojacking as an alternative to online advertisement and shows a large negative profit and loss gap, indicating that the model is economically impractical.

Crypto Mining Makes Noise

This work identifies and model a new type of attack, i.e., the sponge-attack, being a generalization of cryptojacking, and proposes Crypto-Aegis, a Machine Learning (ML) based framework that builds over the previous steps to detect crypto-mining activities.

CoinPolice: Detecting Hidden Cryptojacking Attacks with Neural Networks

A novel detection method, CoinPolice, that is robust against all of the aforementioned evasion techniques, and deployed to perform the largest-scale cryptoming investigation to date, identifying 6700 sites that monetize traffic in this fashion.

MineSweeper: An In-depth Look into Drive-by Cryptocurrency Mining and Its Defense

A comprehensive analysis on Alexa's Top 1 Million websites to shed light on the prevalence and profitability of drive-by mining, and presents MineSweeper, a novel detection technique that is based on the intrinsic characteristics of cryptomining code, and, thus, is resilient to obfuscation.

Ransomware Payments in the Bitcoin Ecosystem

A data-driven method for identifying and gathering information on Bitcoin transactions related to illicit activity based on footprints left on the public Bitcoin blockchain is presented and found that the market is highly skewed with only a few number of players responsible for the majority of the payments.

A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth

The largest measurement of crypto-mining malware to date is conducted, analyzing approximately 4.5 million malware samples over a period of twelve years from 2007 to 2019, showing that a high proportion of this ecosystem is supported by underground economies such as Pay-Per-Install services.

An Experimental Analysis of Cryptojacking Attacks

The results show that a well-configured cryptojacking attack does not significantly harm its victims, hence can be very difficult to detect, and even aware users might not bother getting rid of the infection.