Triggers
- An internal host is mining units of cryptocurrency of which Bitcoin, Litecoin, Ethereum, and Monero are some of the most common variants
- Cryptocurrency mining is a common way for botnet operators to make money
- Cryptocurrency mining may involve communication via HTTP or via the Stratum mining protocol
Possible Root Causes
- An infected host is mining cryptocurrency for its bot herder
- Some cryptocurrency mining can occur in the user’s browser as a side effect of visiting compromised or low-reputation websites
- The user of the host on which the behavior has been detected has installed cryptocurrency mining software and is making money using your organization’s systems, power, and network resources
Business Impact
- Botnet activity presents several risks to the organization: (1) it creates noise which may hide more serious issues; (2) there is a chance your organization’s IP will end up on black lists; and (3) the compromised host can always be instructed to perform a direct attack on the organization
- If the user of the host intentionally installed cryptocurrency mining software, the risk may be minimal, though such a user may also be prone to installing other “money making” software which may not prove to be as benign
Steps to Verify
- If the user intentionally installed cryptocurrency mining software, decide whether it should be removed
- If the user did not install cryptocurrency mining software, the host is likely infected and part of a botnet that performs “silent mining”
- Use anti-virus software or reimage the host to remove the malware