Game-Changing Discovery: New Method Disrupts Cryptominer Botnets with 'Bad Shares' and XMRogue

Cybersecurity researchers have unveiled a groundbreaking method to cripple cryptominer botnets, significantly impacting their operations and profitability. This innovative approach leverages "bad shares" and a custom tool called XMRogue to disrupt malicious mining activities by exploiting vulnerabilities in mining pool policies and infrastructure.

Akamai | BetterWorld Technology

Disrupting Cryptominer Operations

Akamai's research details two primary techniques to effectively shut down cryptominer campaigns. The first, and most impactful, targets mining proxies, which act as central points of failure for botnets. By submitting deliberately invalid mining results, or "bad shares," to these proxies, researchers can trigger mining pool policies that ban the proxy, causing the botnet's hashrate to plummet to zero.

  • This method was successfully demonstrated against a six-year-old botnet, reducing its annual revenue from an estimated $50,000 to $12,000, a 76% drop.

  • The technique forces attackers to either reconfigure their entire infrastructure, increasing their risk of detection, or abandon the campaign.

Introducing XMRogue

To execute the "bad shares" strategy, Akamai developed a specialized tool named XMRogue. XMRogue impersonates a legitimate miner, connects to a malicious mining proxy, and submits a series of consecutive bad shares. These invalid shares bypass the proxy's validation mechanisms and are forwarded to the mining pool, ultimately leading to the proxy's ban.

  • XMRogue ensures that the crafted bad shares are formatted correctly to be accepted by the proxy but rejected by the mining pool.

  • This targeted approach allows defenders to disrupt large-scale botnet operations with precision.
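The pool policy that the "bad shares" technique relies on is easiest to understand from the pool operator's side. The following is an added example written for this page, not Akamai's XMRogue code nor any real pool's implementation: it models share validation against a difficulty target and a ban that fires after a run of consecutive invalid shares from one submitting IP. Because a proxy submits for every miner behind it, one ban silences the whole proxy. The SHA-256 stand-in for the proof-of-work hash, the five-share threshold, the job blob and the addresses (RFC 5737 documentation ranges) are all assumptions or constructed values.

```python
import hashlib
from collections import defaultdict

# Constructed sample job and difficulty (not values from the page).
JOB_BLOB = b"constructed-job-blob-0001"
DIFFICULTY = 1000

# Assumption: a share is valid when its PoW hash, read as an integer, is at most
# (2**256 - 1) // difficulty. Real Monero pools use RandomX and a 64-bit target
# carried in the job; SHA-256 stands in here so the example runs anywhere.
def share_hash(job_blob: bytes, nonce: int) -> int:
    digest = hashlib.sha256(job_blob + nonce.to_bytes(4, "little")).digest()
    return int.from_bytes(digest, "little")

def share_meets_difficulty(job_blob: bytes, nonce: int, difficulty: int) -> bool:
    return share_hash(job_blob, nonce) <= (2**256 - 1) // difficulty

def find_valid_nonce(job_blob: bytes, difficulty: int, start: int = 0) -> int:
    """What an honest miner does: search until a nonce meets the target."""
    nonce = start
    while not share_meets_difficulty(job_blob, nonce, difficulty):
        nonce += 1
    return nonce

def find_invalid_nonces(job_blob: bytes, difficulty: int, count: int) -> list:
    """Well-formed nonces that fail the pool's target, i.e. 'bad shares'."""
    bad, nonce = [], 0
    while len(bad) < count:
        if not share_meets_difficulty(job_blob, nonce, difficulty):
            bad.append(nonce)
        nonce += 1
    return bad

class PoolSharePolicy:
    """Pool-side share validation plus a consecutive-invalid-share ban keyed by
    submitting IP. A proxy submits on behalf of every miner behind it, so the
    whole proxy is banned at once (the threshold is an assumption)."""

    def __init__(self, max_consecutive_invalid: int = 5):
        self.max_consecutive_invalid = max_consecutive_invalid
        self.consecutive_invalid = defaultdict(int)
        self.banned = set()

    def submit(self, source_ip: str, job_blob: bytes, nonce: int, difficulty: int) -> str:
        if source_ip in self.banned:
            return "banned"
        if share_meets_difficulty(job_blob, nonce, difficulty):
            self.consecutive_invalid[source_ip] = 0   # a good share resets the streak
            return "accepted"
        self.consecutive_invalid[source_ip] += 1
        if self.consecutive_invalid[source_ip] >= self.max_consecutive_invalid:
            self.banned.add(source_ip)
            return "banned"
        return "rejected"

def run_scenario() -> dict:
    """Constructed scenario: one proxy forwards shares unchecked, so a run of bad
    shares from a single client behind it gets the proxy's IP banned; a separate
    miner connecting directly is untouched."""
    pool = PoolSharePolicy(max_consecutive_invalid=5)
    proxy_ip, direct_ip = "198.51.100.7", "203.0.113.9"
    good_a = find_valid_nonce(JOB_BLOB, DIFFICULTY)
    good_b = find_valid_nonce(JOB_BLOB, DIFFICULTY, start=good_a + 1)  # pools reject duplicate nonces
    proxy_log = [pool.submit(proxy_ip, JOB_BLOB, good_a, DIFFICULTY)]      # honest share via proxy
    for bad in find_invalid_nonces(JOB_BLOB, DIFFICULTY, 5):              # five bad shares via proxy
        proxy_log.append(pool.submit(proxy_ip, JOB_BLOB, bad, DIFFICULTY))
    proxy_log.append(pool.submit(proxy_ip, JOB_BLOB, good_b, DIFFICULTY))  # honest share now refused
    direct = pool.submit(direct_ip, JOB_BLOB, good_b, DIFFICULTY)          # direct miner unaffected
    return {"proxy_log": proxy_log, "proxy_banned": proxy_ip in pool.banned, "direct": direct}

if __name__ == "__main__":
    print(run_scenario())
```

The scenario shows why the article calls the proxy a single point of failure: once the pool bans the proxy's address, every honest share it forwards afterwards is refused, which is the "hashrate drops to zero" effect, while a miner on another address keeps being accepted. Recovering means moving the proxy to a new IP, exactly the reconfiguration the article says raises the attacker's exposure.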

Targeting Direct Pool Connections

The second technique addresses scenarios where victim machines connect directly to public mining pools without an intermediary proxy. In such cases, XMRogue can be used to temporarily ban an attacker's wallet address.

  • By initiating more than 1,000 simultaneous login requests using the attacker's wallet, XMRogue triggers anti-abuse policies within the mining pool.

  • This results in a temporary ban of the wallet for approximately one hour, disrupting the mining operation.

  • While not a permanent solution, it provides a valuable tool for defenders to hinder ongoing attacks.
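The second technique works because pools rate-limit logins per wallet. The following added example (again written for this page, not XMRogue and not any real pool's code) models that anti-abuse policy from the operator's side with a sliding window and a timed ban. The 1,000-login threshold and the roughly one-hour ban are the figures the article gives; the 60-second counting window and the wallet labels are assumptions or constructed values.

```python
from collections import defaultdict, deque

LOGIN_LIMIT = 1000        # page: more than 1,000 logins trips the policy
LOGIN_WINDOW_S = 60.0     # assumption: sliding window over which logins are counted
BAN_DURATION_S = 3600.0   # page: the ban lasts roughly one hour

class WalletLoginPolicy:
    """Pool-side anti-abuse policy keyed by wallet address. Each login attempt is
    timestamped; more than `limit` attempts inside `window` seconds bans the
    wallet until now + `ban`. Timestamps are passed in, not read from the clock,
    so the behaviour is deterministic and testable."""

    def __init__(self, limit=LOGIN_LIMIT, window=LOGIN_WINDOW_S, ban=BAN_DURATION_S):
        self.limit, self.window, self.ban = limit, window, ban
        self.attempts = defaultdict(deque)   # wallet -> timestamps inside the window
        self.banned_until = {}               # wallet -> time the ban expires

    def login(self, wallet: str, now: float) -> str:
        until = self.banned_until.get(wallet)
        if until is not None:
            if now < until:
                return "banned"
            del self.banned_until[wallet]    # ban expired: start with a clean window
            self.attempts[wallet].clear()
        window = self.attempts[wallet]
        window.append(now)
        while window and window[0] <= now - self.window:
            window.popleft()                 # drop attempts that fell out of the window
        if len(window) > self.limit:
            self.banned_until[wallet] = now + self.ban
            return "banned"
        return "ok"

def run_scenario() -> dict:
    """Constructed scenario: 1,001 logins at once for one wallet, then attempts
    during and after the ban; an unrelated wallet logging in normally is unaffected."""
    policy = WalletLoginPolicy()
    flooded, bystander = "WALLET-A-constructed", "WALLET-B-constructed"
    burst = [policy.login(flooded, 0.0) for _ in range(1001)]
    return {
        "logins_before_ban": burst.index("banned"),   # 1,000 succeed, the 1,001st is banned
        "during_ban": policy.login(flooded, 1800.0),  # half an hour in: still banned
        "after_ban": policy.login(flooded, 3601.0),   # just past one hour: accepted again
        "bystander": policy.login(bystander, 0.0),    # other wallets never see the ban
    }

if __name__ == "__main__":
    print(run_scenario())
```

Two properties of the policy explain the article's framing. The ban is keyed on the wallet rather than the connection, so every victim machine mining to that wallet is cut off at once, and it expires on its own, which is why the article calls the effect temporary. A pool operator tuning such a policy trades off exactly these two things: how hard it is for a legitimate miner with many workers to trip it, and how long abusive traffic stays locked out.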

Implications for Cybersecurity

These novel techniques offer a significant advantage to defenders in the ongoing battle against cryptominer botnets. Unlike traditional methods that are often slow and complex, Akamai's approach provides a faster and more effective means of disruption.

  • The methods exploit legitimate operational policies of mining pools, ensuring that lawful miners are not affected.

  • Legitimate miners can easily recover from such disruptions by changing their IP or wallet, a task far more complex and costly for large-scale botnet operators.

  • This research marks a crucial step in making cryptomining less profitable and more challenging for cybercriminals.

    As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • Akamai tool disrupts cryptominer botnets, cutting USD $38K, SecurityBrief UK.

  • Researchers Find Way to Shut Down Cryptominer Campaigns Using Bad Shares and XMRogue, The Hacker News.

  • Disrupting the operations of cryptocurrency mining botnets, Security Affairs.

  • Cryptominer Shutdown with Bad Shares to Stop Botnet, TechNadu.

  • Akamai Shares New Techniques for Defenders to Shutdown Cryptominer Attacks, CyberSecurityNews.
