The use of cryptojacking attacks is once again in the news and in favor for online attacks. This form of attack uses malware to insert specialized and hidden “mining” apps to create new coins for the attackers. It has been around almost as long as legitimate cryptocurrencies – we’ve written about it most recently in 2019 – but has current appeal because it continues to provide low risks for the rewards and profits generated: typically, the profit margin is about two percent of the computing costs for the resulting coins mined.

A recent report found cryptojacking malware in about a third of Docker container images that had malware inserted. Another report found that cryptojacking attacks in the financial sector have risen by more than 250 percent in the past year, and this despite a drop in cryptocurrencies such as Bitcoin since January. 

Researchers have identified a hacking group called TeamTNT that has been hijacking computers for the past month. This group was very active throughout 2020 and 2021 and had used a variety of tools to steal credentials and scan and attack local networks. Lately, they have been targeting Docker containers for a variety of exploits. These scan containers for weak or no security and then inserts its Bitcoin miner malware scripts. The researchers called this a “Kangaroo attack,” named after a popular and legit mining algorithm. 

The identity of TeamTNT is interesting because last November the team’s Twitter account sent a “farewell” message, saying the team was disbanding and ceasing any hacking operations. Whether they have been reformed or someone else is assuming their identity isn’t clear. 

Researchers found that their previous hacking infrastructure continues to automatically infect new victims with old worms that could scan and infect new systems. These hacking scripts were copying code from a GitHub project from what seems to be a TeamTNT account. According to the research, the hacking gang is likely experimenting with new attack techniques and adding new features to their malware and beefing up its distribution network.

How do you know if your PC has been compromised?

There are several ways to tell if you are running any cryptomining software. If your CPU usage is continually higher (say at over 80% utilization when there aren’t any active programs) or your computer overall is overheating (running above 65 degrees Celsius), this shows that you could be potentially running something that you don’t intend to.

• On macOS, this can be checked by going to Applications > Utilities > Activity Manager 
  
  
• On Windows, open Task Manager and go to Performance > CPU

It’s also good to check for increased internet traffic by specific apps. Here’s how to monitor that:

• On Windows, go to Settings > Network & Internet > Data Usage > View Usage by app
• On Mac, go to the Activity Manager and choose Network and Sent Bytes

Another indication could be slower than normal performance. You might need to run additional software tools to figure the specifics.  

How to avoid cryptojacking attacks

There are several things you should do to avoid these sorts of attacks in the future. 

First, for the best protection, you should use a browser that automatically blocks the most common JavaScript miners. Next, use strong antivirus software that protects against cryptojacking by detecting all unsecure websites and blocking anything malicious, including cryptomining.

As always, avoid suspicious websites and don’t click on any email attachments. Finally, always make sure your Windows software – including your browser – is updated with the latest patches.