A new bulletin from Russian internet security company Kaspersky Labs published Nov. 28 states that crypto mining malware became increasingly popular among botnets in 2018.

Stealth crypto mining attacks – also know as cryptojacking – work by installing malware that uses a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge.

According to Kaspersky, after the crypto market bull run subsided in Jan.-Feb. 2018, interest in cryptojacking also briefly tapered off – yet it has nonetheless remained a consistent and current threat throughout the year.

Number of unique users attacked by miners in Q1–Q3 2018

Among botnets in particular, during the Q1 2018 cryptojacking “boom,” the share of cryptojacking malware downloaded by botnets, out of total files, hit 4.6 percent – as compared with 2.9 percent in Q2 2017. The bulletin extrapolates that botnets are therefore becoming increasingly viewed as a means of spreading crypto mining malware, with cybercriminals increasingly viewing cryptojacking as more favorable than other attack vectors.

Kaspersky thus found that Q3 2018 saw a decline in the number of DDoS attacks from botnets, arguing “the most likely reason being [...] the ‘reprofiling’ of botnets from DDoS attacks to cryptocurrency mining”:

“[I]f executed properly, [cryptojacking] can be impossible for the owner of an infected machine to detect [...] the reprofiling of existing server capacity completely hides its owner from the eyes of the law. Evidence suggests that the owners of many well-known botnets have switched their attack vector toward mining. For example, the DDoS activity of the Yoyo botnet dropped dramatically, although there is no data about it being dismantled.”

Other factors in the rise of cryptojacking are the low “entry threshold” for cybercriminals; web browser based code, such as Coinhive, is one option, and there are also a range of “ready-to-use affiliate programs, open mining pools, and miner builders” at attackers’ disposal.

The report notes that “time will tell” what the impact of the November crypto market crash will be on the prevalence of cryptojacking infections.

In mid November, cybersecurity research team McAfee Labs uncovered new Russia-made mining malware, which uses consumer devices to mine Monero (XMR), running almost without a trace.