Identification of cryptomining credentials and their use in differentiating between insider threats and wide-spread malware

How global analysis of cryptomining credentials can identify malicious criminal organizations leveraging corporate computing power for financial gain.

Download this research paper

Most cryptocurrencies work via a blockchain secured using a proof-of-work model. In the proof-of-work model, it takes significant computational effort to produce the next block in the blockchain, but whoever produces the next block first is rewarded with some of the cryptocurrency associated with that blockchain.

Cryptocurrency mining is the race to produce the next block in a cryptocurrency’s blockchain and earn the reward. To do this, individual miners group together to distribute the effort of producing the next block and share the reward if one of the group is the first to do so. To track who deserves part of the reward and how big their part should be, miners send credential information to the pool when they register.

Our research aimed to identify mining credentials and use them to differentiate insider threats from wide-spread malware. We extracted user credentials from network traffic using Deep Packet Inspection and our knowledge of crypto-mining communication protocols, such as getblocktemplate or stratum.

We found that credentials usually include a cryptocurrency-wallet or email address. Sometimes, email addresses tell us something about the person or group responsible for the mining device.

We also compared each credential to all others seen across all mining traffic. We found that some credentials appear in a range of unrelated compromises, which suggests they are likely associated with widely-spread malware. By contrast, credentials that appear only once are more likely to result from an insider compromise. As we can now track observed mining credentials, we can also detect when new credentials are used.