Cybercriminals earned over $57 million by hiding mining malware in forked projects on GitHub

Written by Adeel Aslam

Crypto-mining malware operators have netted about $1.2 million a month for the past 4 years, as GitHub has inadvertently become the most popular place to host crypto-mining malware.

Cryptocurrency is a hotbed for theft and hacking, and it’s no secret that cryptojackers prefer Monero. Researchers from Universidad Carlos III de Madrid and King’s College London recently determined that about 720,000 XMR, or 4.32 percent of Monero’s currently circulating supply, has been mined through malware.

Cybercrime grows more sophisticated as technology evolves, and there’s no denying it is getting worse every year. According to security researchers at the security company Avast, cybercriminals have found yet another way to spread their malware: uploading cryptocurrency mining code to GitHub.

Developers ‘fork’ projects on GitHub, meaning they make a copy of someone else’s project in order to build on it. The cybercriminals fork random projects and then hide malicious executables inside the directory structure of these new forks, the researchers said.
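The technique described above leaves a detectable trace: a native executable sitting in a source tree, often under a filename or extension that does not declare it as a binary. The following scanner is an added example written for this page, not code from the article, Avast, or the academic study; it uses a hypothetical magic-byte heuristic (PE, ELF and Mach-O headers) to walk a checked-out repository and report every file that is really an executable, flagging those whose extension disguises that fact. The sample repository it scans is constructed inline with harmless fake headers so the script runs offline.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Union

# Leading bytes of common native executable formats. This is a hypothetical
# detection heuristic for the example, not a list taken from the article.
EXECUTABLE_MAGIC = {
    b"MZ": "PE (Windows)",
    b"\x7fELF": "ELF (Linux)",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
}

# Extensions that openly declare a binary; executable content under any other
# extension is reported as "disguised".
DECLARED_BINARY_EXTS = {".exe", ".dll", ".so", ".dylib", ".bin", ".o"}

# Only the working tree is of interest; git's own object store is skipped.
SKIP_DIRS = {".git"}


def classify(path: Union[str, Path]) -> Optional[str]:
    """Return the executable format name if the file starts with known magic bytes, else None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return None
    for magic, name in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def scan_repo(root: Union[str, Path]) -> List[Dict]:
    """Walk a checked-out repository and list every native executable found.

    Each finding records the relative path, detected format, size in bytes and
    whether the file extension disguises the fact that it is a binary.
    """
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            p = Path(dirpath) / fn
            fmt = classify(p)
            if fmt is None:
                continue
            findings.append({
                "path": p.relative_to(root).as_posix(),
                "format": fmt,
                "size": p.stat().st_size,
                "disguised": p.suffix.lower() not in DECLARED_BINARY_EXTS,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_repo() -> str:
    """Create a constructed sample checkout in a temp directory and return its path.

    It holds ordinary source files plus three planted binaries made of fake
    headers only: a PE disguised as a PNG, an ELF disguised as a data file, and
    an honestly named DLL.
    """
    root = Path(tempfile.mkdtemp(prefix="forkscan_"))
    files = {
        "README.md": b"# Forked project\n",
        "src/main.py": b"print('hello')\n",
        ".git/HEAD": b"ref: refs/heads/main\n",
        "assets/img/logo.png": b"MZ" + b"\x90" * 62,          # PE header, .png name
        "tools/helper.dat": b"\x7fELF" + b"\x00" * 60,          # ELF header, .dat name
        "vendor/native.dll": b"MZ" + b"\x00" * 30,             # PE header, declared
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return str(root)


def sample_findings() -> List[Dict]:
    """Build the constructed sample repository and scan it."""
    return scan_repo(build_sample_repo())


if __name__ == "__main__":
    for f in sample_findings():
        tag = "DISGUISED" if f["disguised"] else "declared"
        print(f"{tag:9s} {f['format']:28s} {f['size']:6d} B  {f['path']}")
```

Run against a real clone the same way (`scan_repo("/path/to/checkout")`); the disguised entries are the ones worth triaging first, since a legitimate project rarely commits a PE file named as an image or a data file.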

“We observe that GitHub is the most renowned site used to hoard the crypto-mining malware. This is because GitHub hosts most of the mining tools, which are directly downloaded — for antagonistic functions — by droppers,” the researchers wrote.

While the exact revenue depends on when the cybercriminals cash out their earnings, the researchers estimated it at nearly $57 million over the last four years (about $0.3 million per week).

Notably, the criminals don’t need to make people download the executables from GitHub themselves. Instead, the malware can spread through the phishing campaigns the criminals are continually running.

The investigation also analyzed where the mined XMR was being routed. When attackers hijack computing power to mine cryptocurrency, they quietly use one of two available methods: joining a “mining pool,” or mining on their own without anyone else’s input.

The researchers also found Monero mining malware hosted as torrents and as attachments in Discord channels, as well as hidden behind various URL-shortener services. While the researchers describe hosting malware on GitHub as “unusual”, they note that it benefits the attackers because it offers unlimited bandwidth.