| ID | B0018 |
| Objective(s) | Impact |
| Related ATT&CK Techniques | Resource Hijacking (T1496) |
| Impact Type | Breach |
| Version | 2.2 |
| Created | 1 August 2019 |
| Last Modified | 30 April 2024 |
Malware uses system resources for other than intended purposes, negatively impacting availability as well as performance, whether user endpoint or cloud-based. Digital currency mining, e.g., bitcoin, exemplifies this behavior: malicious actors infect systems with malware, taking control of system resources for purposes of verifying new transactions to the blockchain and earning new currency/coins. Cloud-based systems, e.g., Kubernetes clusters, are not immune to infection and are attractive targets for resource hijacking, given their substantial computing power [1],[2].
The related Resource Hijacking (T1496) ATT&CK technique was defined subsequent to this MBC behavior.
| Name | ID | Description |
|---|---|---|
| Cryptojacking | B0018.002 | Consume system resources to mine for cryptocurrency (e.g., Bitcoin, Litecoin, etc.). |
| Password Cracking | B0018.001 | Consume system resources for the purpose of password cracking. |
| Name | Date | Method | Description |
|---|---|---|---|
| WebCobra | 2018 | B0018.002 | The malware drops software that mines for cryptocurrency, depending on the system architecture. If the system has x86 architecture, the malware drops Cryptonight miner. If the system has x64 architecture, the malware drops Claymore's Zcash miner. [3] |
| [Adylkuzz] | 2017 | -- | Malware consumes system resources to mine for cryptocurrency. [4] |
| GoBotKR | 2019 | -- | GoBotKR can use the compromised computer’s network bandwidth to seed torrents or execute DDoS. [5] |
| Clipminer | 2011 | -- | Clipminer uses sytem resources to mine for cryptocurrency. [6] |
| Tool: CAPE | Mapping | APIs |
|---|---|---|
| cryptopool_domains | Resource Hijacking (B0018) | GetAddrInfoW |
| cryptomining_stratum_command | Resource Hijacking (B0018) | -- |
| cryptomining_stratum_command | Resource Hijacking::Cryptojacking (B0018.002) | -- |
[1] B. G. a. M. Ahuje,"CrowdStrike Discovers First-Ever Dero Cryptojacking Campaign Targeting Kubernetes," CrowdStrike, blog, 15 Mar. 2023. [Online]. Available: https://www.crowdstrike.com/blog/crowdstrike-discovers-first-ever-dero-cryptojacking-campaign-targeting-kubernetes/.
[2] D. Ramel,"Hackers Turn Kubernetes Machine Learning to Crypto Mining in Azure Cloud," Virtualization and Cloud Review, 24 June 2020. [Online]. Available: https://virtualizationreview.com/articles/2020/06/24/azure-cloud-exploit.aspx.
[3] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/
[4] https://blog.trendmicro.com/trendlabs-security-intelligence/wannacry-uiwix-ransomware-monero-mining-malware-follow-suit/
[5] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[6] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking