This chapter covers cryptojacking and resource abuse, a growing threat where attackers hijack victims' computing resources to mine cryptocurrencies without consent. For SY0-701 Objective 2.4, you must understand the attack mechanism, common indicators, and mitigation strategies. Cryptojacking is a form of resource abuse that can degrade system performance, increase operational costs, and expose organizations to further attacks. This chapter will equip you with the knowledge to identify, respond to, and prevent cryptojacking incidents.
Jump to a section
Imagine a large office building where employees are paid to do productive work. One night, a janitor (the attacker) sneaks into the server room and installs a small, hidden mining rig that uses the building's electricity (CPU/GPU cycles) to mine cryptocurrency for his personal wallet. The mining rig is designed to run only when the building's power usage is low (idle system resources), so it doesn't trip the main breaker. The janitor doesn't steal any files or damage equipment; he just consumes electricity, making the building's utility bills higher (increased CPU usage, slower performance). The office manager (security analyst) notices that the power bill is inexplicably high and that some computers are running hot even when no one is working. By reviewing power usage logs (resource monitoring), the manager traces the extra load to the server room and finds the hidden rig. He removes it, changes the server room access code, and installs a power monitoring system to detect future anomalies. In this analogy, the janitor is the cryptojacker, the mining rig is the malicious script, the electricity is CPU/GPU cycles, and the power bill is the increased resource usage that alerts defenders.
What is Cryptojacking?
Cryptojacking is the unauthorized use of a victim's computing resources (CPU, GPU, memory, and electricity) to mine cryptocurrencies. Unlike ransomware or data theft, cryptojacking often goes unnoticed because it doesn't immediately damage files or steal data. However, it can significantly degrade system performance, increase power consumption, and shorten hardware lifespan. In enterprise environments, cryptojacking can lead to inflated cloud costs, reduced productivity, and potential compliance issues if resources are abused for illegal mining.
SY0-701 tests your ability to identify cryptojacking scenarios, recognize the tools and techniques used, and apply appropriate mitigations.
How Cryptojacking Works Mechanically
Cryptojacking typically follows a kill chain:
Delivery: Attackers deliver the mining payload via phishing emails, malvertising, drive-by downloads, or compromised websites. In-browser cryptojacking uses JavaScript injected into web pages (e.g., Coinhive) that executes when a user visits the site.
Execution: The payload runs on the victim's device, either as a standalone executable (e.g., XMRig) or as a script within a browser. The mining software connects to a mining pool controlled by the attacker.
Resource Hijacking: The software leverages the device's CPU/GPU to solve complex cryptographic puzzles (proof-of-work) required to validate cryptocurrency transactions. This consumes significant processing power, often causing fans to spin up and battery life to drain.
Persistence: Attackers often implement persistence mechanisms, such as scheduled tasks, registry modifications, or browser extensions, to ensure the miner runs after reboot.
Exfiltration: The mined cryptocurrency is sent to the attacker's wallet, usually via the mining pool. The victim never sees the funds.
Key Components and Variants
Browser-based cryptojacking: JavaScript code runs in the user's browser while they visit a website. Example: Coinhive (now defunct but still used in modified forms). No installation required; the miner stops when the browser is closed.
File-based cryptojacking: Standalone executables or scripts that run on the operating system. Example: XMRig, a popular Monero miner. These can be disguised as legitimate software or bundled with pirated applications.
Cloud cryptojacking: Attackers compromise cloud accounts (e.g., AWS, Azure) and spin up high-powered virtual machines to mine cryptocurrency. This can lead to massive bills for the account owner.
Mobile cryptojacking: Malicious apps on Android or iOS that mine cryptocurrency in the background, draining battery and data.
How Attackers Exploit Systems
Attackers commonly exploit: - Unpatched vulnerabilities: CVE-2019-3396 (Confluence), CVE-2020-1472 (Netlogon), or other remote code execution flaws to deploy miners. - Weak credentials: Brute-forcing SSH/RDP credentials to install miners. - Misconfigured containers: Kubernetes clusters with open kubelets or exposed Docker APIs (port 2375) are prime targets. - Watering hole attacks: Compromising legitimate websites to inject mining scripts. - Malvertising: Placing malicious ads that automatically run mining scripts.
Detection and Mitigation
Indicators of Compromise (IoCs): - Unusual CPU/GPU usage (e.g., consistently 80-100%) - Sluggish system performance - Overheating devices - Network traffic to known mining pools (e.g., pool.minexmr.com, xmrpool.eu) - Unexpected cloud costs - Presence of mining executables (e.g., xmrig.exe, minerd.exe) or scripts (e.g., coinhive.min.js)
Mitigation Strategies: - Endpoint protection: Use antivirus/EDR that can detect cryptomining signatures and behaviors. - Browser extensions: Ad-blockers and anti-miner extensions (e.g., NoCoin) can block mining scripts. - Network controls: Block known mining pool domains and IPs. Use web filtering to block categories like "Cryptocurrency Mining." - Application whitelisting: Only allow approved software to execute. - Patch management: Keep systems updated to close vulnerabilities. - Cloud security: Monitor cloud resource usage with tools like AWS CloudTrail, enable budget alerts, and enforce least privilege. - User education: Train users not to click suspicious links or install untrusted software.
Real Command/Tool Examples
Detecting cryptojacking with Linux command:
# Check top CPU consumers
top -o %CPU
# Look for processes named xmrig, minerd, or similar
ps aux | grep -i mine
# Check network connections to mining pools
netstat -anp | grep :3333Using Wireshark to detect mining traffic:
- Filter for stratum+tcp:// or json-rpc traffic.
- Look for connections to ports 3333, 4444, 5555 (common mining pool ports).
Using Windows Performance Monitor: - Create a data collector set for CPU usage and alert when sustained above 80%.
Blocking mining domains via DNS:
- Add entries to blocklist: 0.0.0.0 pool.minexmr.com
Cloud detection with AWS:
# Use AWS CLI to get EC2 instance metrics
aws cloudwatch get-metric-statistics --metric-name CPUUtilization --namespace AWS/EC2 --statistics Average --period 3600 --start-time 2023-01-01T00:00:00Z --end-time 2023-01-02T00:00:00ZPersistence Mechanisms
Scheduled tasks (Windows): schtasks /create /tn "WindowsUpdate" /tr "C:\Users\Public\miner.exe" /sc onidle /i 10
Cron jobs (Linux): */5 * * * * /usr/bin/miner.sh
Registry run keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Browser extensions: Malicious extensions that mine in background.
Legal and Ethical Implications
Cryptojacking is illegal in most jurisdictions as unauthorized use of computing resources. For organizations, it can violate service level agreements (SLAs) with cloud providers and lead to financial penalties. Defenders must be aware that mining software itself is not inherently malicious; it becomes malicious when deployed without consent.
Delivery of Mining Payload
The attacker delivers the cryptomining software to the victim system. Common methods include phishing emails with malicious attachments (e.g., a fake invoice PDF that contains a macro to download XMRig), drive-by downloads from compromised websites, or malvertising. In browser-based attacks, the victim simply visits a website with embedded JavaScript mining code. The attacker may also exploit vulnerabilities (e.g., CVE-2021-40444 in MSHTML) to drop the miner without user interaction. For cloud attacks, the attacker gains access via stolen API keys or weak passwords. Tools used: phishing kits, exploit kits, or ad networks. Logs: Web proxy logs show visits to compromised sites; email security logs show phishing delivery.
Execution and Installation
Once delivered, the payload executes. For file-based attacks, the user may double-click the attachment, or the exploit runs automatically. The miner installs itself, often in a hidden directory (e.g., %APPDATA%\Microsoft\Windows\Caches\). It may masquerade as a legitimate process (e.g., svchost.exe). In browser attacks, the JavaScript executes immediately. The miner connects to a mining pool using a protocol like Stratum (stratum+tcp://pool.example.com:3333). The attacker configures the miner to use a specific wallet address. Tools: XMRig, XMR-Stak, or web-miner scripts. Logs: Process creation events (Event ID 4688 in Windows) show new processes; network logs show outbound connections to mining pools.
Resource Hijacking and Mining
The miner begins using CPU/GPU cycles to solve cryptographic puzzles. This causes high resource utilization, often 100% CPU on all cores. The system becomes sluggish, fans run loudly, and battery life drops rapidly. In cloud environments, the attacker may spin up multiple instances, leading to exponential cost increases. The mining process may be throttled to avoid detection (e.g., only mine when system is idle). The miner sends solved blocks to the mining pool, which credits the attacker's wallet. Tools: Task Manager, top, or cloud monitoring dashboards show high usage. Logs: Performance logs (e.g., Windows Performance Monitor) record sustained high CPU; cloud billing reports show spikes.
Persistence and Evasion
To survive reboots, the attacker establishes persistence. On Windows, this may be a scheduled task that runs at logon or on idle. On Linux, a cron job or systemd service. The miner may also disable security software or use process hollowing to evade detection. Some miners use domain generation algorithms (DGAs) to change C2 domains periodically. The attacker may also use obfuscation (e.g., base64 encoding) to hide the mining script. Tools: schtasks, crontab, or registry editors. Logs: Scheduled task creation (Event ID 4698), service installation (Event ID 7045), or registry modifications (Event ID 4657).
Detection and Response
The security team detects the cryptojacking through various means: alerts from EDR about high CPU usage, network traffic to known mining pools, or cloud cost anomalies. The analyst should isolate the affected system from the network, terminate the mining process, and remove persistence mechanisms. For browser-based attacks, block the malicious URL and clear browser cache. For cloud attacks, revoke compromised credentials, terminate instances, and review IAM policies. The analyst should also scan for other affected systems and investigate the infection vector. Tools: SIEM, EDR (e.g., CrowdStrike), cloud security tools (e.g., AWS GuardDuty). Common mistake: assuming high CPU is due to legitimate software without verifying.
Scenario 1: Enterprise Desktop Cryptojacking
A large financial firm notices that several employee workstations are running slowly and overheating. The SOC analyst checks performance metrics and sees CPU usage at 98% on multiple machines. Using an EDR tool (e.g., SentinelOne), the analyst identifies a process named svchost.exe running from a suspicious path C:\Users\Public\svchost.exe. The EDR shows outbound connections to xmrpool.eu:3333. The analyst terminates the process, deletes the executable, and removes a scheduled task named "WindowsUpdate" that re-launched the miner. Further investigation reveals the initial infection came from a phishing email with a malicious Excel macro. The analyst blocks the sender domain and updates the email filter. Common mistake: The analyst might have ignored the high CPU usage as a legitimate update, delaying detection.
Scenario 2: Cloud Cryptojacking on AWS
A startup receives an AWS bill of $50,000 for a single day, far exceeding their normal $500. The cloud engineer checks CloudTrail and sees that an IAM user "dev-user" created 100 high-performance EC2 instances (c5.24xlarge) in an unused region. The instances are running a miner. The engineer immediately revokes the IAM user's keys, terminates the instances, and enables AWS Budgets with alerts. The root cause is a leaked API key in a public GitHub repository. The engineer implements key rotation and uses AWS Secrets Manager. Common mistake: The engineer might have only terminated instances without revoking keys, allowing the attacker to spin up new ones.
Scenario 3: Browser-Based Cryptojacking in a School
A school district's computers become slow when students visit a popular educational website. The IT admin uses a browser developer tool to inspect network traffic and sees JavaScript files named miner.js loading from a domain cdn.cryptoloot.com. The admin blocks the domain at the firewall and adds an ad-blocker extension to all browsers. The website was compromised via a third-party plugin. The admin also reports the issue to the website owner. Common mistake: The admin might have blamed the school's internet bandwidth instead of checking for malicious scripts.
What SY0-701 Tests on This Objective
Objective 2.4 (Threats, Vulnerabilities, and Mitigations) includes cryptojacking under "Resource Abuse." The exam expects you to:
Identify cryptojacking as a type of resource abuse where computing resources are stolen for cryptocurrency mining.
Recognize common indicators: high CPU usage, slow performance, overheating, unusual network traffic to mining pools.
Differentiate cryptojacking from other malware types like ransomware or botnets.
Know mitigation techniques: ad-blockers, browser extensions, network filtering, endpoint detection, application whitelisting, and user education.
Understand that cryptojacking can be browser-based or file-based.
Common Wrong Answers and Why
"It is a type of ransomware" – Candidates confuse cryptojacking with crypto-ransomware. Cryptojacking mines cryptocurrency; ransomware encrypts files for ransom. Both involve crypto, but mechanisms differ.
"It only affects cloud environments" – While cloud cryptojacking is common, it also affects desktops, servers, and mobile devices. The exam will present on-premises scenarios.
"Blocking all outbound traffic is the best mitigation" – Overly restrictive; the correct approach is to block known mining pool domains and use application whitelisting.
"It always requires user interaction" – Browser-based cryptojacking can occur without user interaction beyond visiting a webpage. File-based may require execution, but exploits can auto-run.
Specific Terms and Values
Coinhive: Defunct but historically significant browser-based miner. Exam may reference it.
XMRig: Popular Monero miner used in file-based attacks.
Monero (XMR): Preferred cryptocurrency due to privacy features (untraceable transactions).
Stratum protocol: Used to communicate with mining pools (port 3333).
Indicators: CPU usage >80%, network traffic to mining pools, presence of miner executables.
Trick Questions
A scenario describes high CPU usage but no file encryption – answer is cryptojacking, not ransomware.
A scenario mentions a website that slows down browsers – answer is browser-based cryptojacking, not a DDoS attack.
A question asks for best mitigation – choose application whitelisting over simply updating antivirus.
Decision Rule for Eliminating Wrong Answers
If a scenario involves unauthorized resource consumption (CPU, GPU, bandwidth) without data theft or encryption, and the goal is financial gain through cryptocurrency, the answer is cryptojacking. If the scenario involves encryption of files for ransom, it is ransomware. If it involves using the system to launch attacks, it is a botnet.
Cryptojacking is unauthorized use of computing resources to mine cryptocurrency, classified under resource abuse in SY0-701.
Common indicators include high CPU/GPU usage, slow performance, overheating, and network traffic to mining pools (port 3333).
Browser-based cryptojacking uses JavaScript; file-based uses executables like XMRig.
Monero (XMR) is the preferred cryptocurrency for cryptojacking due to its privacy features.
Mitigation includes ad-blockers, network filtering of mining domains, endpoint detection, application whitelisting, and user education.
Cloud cryptojacking can be detected via unexpected spikes in resource usage and costs; use budget alerts and audit logs.
Persistence mechanisms include scheduled tasks, cron jobs, and registry run keys.
Cryptojacking is not ransomware; it does not encrypt files but steals resources.
These come up on the exam all the time. Here's how to tell them apart.
Cryptojacking
Goal: Mine cryptocurrency using victim's resources
No data encryption or theft
Often stealthy, aims to remain undetected
Impact: performance degradation, increased costs
Monetary gain through mining rewards
Ransomware
Goal: Encrypt victim's files for ransom payment
Data is encrypted and held hostage
Explicitly notifies victim of infection
Impact: data loss, business disruption
Monetary gain through ransom payments
Browser-based Cryptojacking
Runs in browser via JavaScript
No installation required
Stops when browser is closed
Lower resource usage per session
Delivered via compromised websites or ads
File-based Cryptojacking
Runs as standalone executable on OS
Requires installation (often via phishing)
Persists across reboots
Higher resource usage, can run continuously
Delivered via phishing emails, drive-by downloads
Mistake
Cryptojacking is only a browser-based threat.
Correct
While browser-based cryptojacking is common, file-based attacks (executables) are also widespread, especially in enterprise environments. Attackers use both vectors depending on the target.
Mistake
Cryptojacking does not cause data loss, so it is harmless.
Correct
It degrades system performance, increases operational costs, shortens hardware lifespan, and can lead to compliance issues. In cloud environments, it can cause massive financial damage.
Mistake
Antivirus software always detects cryptomining malware.
Correct
Many cryptominers are signed or use obfuscation to evade signature-based detection. Behavioral detection (EDR) is more effective at identifying abnormal resource usage.
Mistake
Cryptojacking only affects Windows systems.
Correct
Linux servers, macOS devices, and mobile platforms are also targeted. Cloud cryptojacking often targets Linux instances due to their prevalence.
Mistake
Blocking JavaScript in the browser prevents all cryptojacking.
Correct
Blocking JavaScript can prevent browser-based attacks but does not protect against file-based executables or cloud-based attacks. A layered defense is needed.
Cryptojacking is the unauthorized use of a victim's computer or device to mine cryptocurrency. It works by delivering a mining script or executable via phishing, compromised websites, or exploits. The miner uses the device's CPU/GPU to solve cryptographic puzzles, and the mined coins are sent to the attacker's wallet. It can be browser-based (JavaScript) or file-based (executable).
Look for sustained high CPU usage (80-100%) on endpoints, especially when idle. Check network traffic for connections to known mining pools (e.g., pool.minexmr.com) on ports 3333, 4444, or 5555. Use EDR tools to detect mining processes (e.g., xmrig.exe). Monitor cloud resource usage for unexpected spikes. Also, users may report slow performance or overheating.
Cryptojacking mines cryptocurrency using the victim's resources without encrypting files. Ransomware encrypts files and demands a ransom for decryption. Both aim for financial gain, but cryptojacking is stealthy and degrades performance, while ransomware is overt and causes data loss. SY0-701 tests this distinction.
Use ad-blockers and anti-miner browser extensions (e.g., NoCoin). Block known mining pool domains via DNS or web filtering. Deploy endpoint detection and response (EDR) to detect abnormal resource usage. Implement application whitelisting to prevent unauthorized executables. Keep systems patched and educate users about phishing. For cloud, use budget alerts and monitor API usage.
Yes, mobile cryptojacking exists through malicious apps that mine in the background, draining battery and data. It is less common but possible. Users should only install apps from official stores and monitor battery usage. SY0-701 may include mobile as a target.
Coinhive was a popular browser-based cryptomining service that allowed website owners to embed a JavaScript miner to earn Monero. It was shut down in 2019 but is often referenced in exam contexts as an example of cryptojacking. Attackers used it without consent by injecting the script into compromised websites.
File-based cryptojacking uses persistence mechanisms like scheduled tasks (Windows), cron jobs (Linux), or registry run keys. It may also install as a service or use a startup folder. Browser-based cryptojacking does not persist because it runs only when the browser is open.
You've just covered Cryptojacking and Resource Abuse — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?