Full Report
Cybersecurity researchers have detailed two novel methods that can be used to disrupt cryptocurrency mining botnets. The methods take advantage of the design of various common mining topologies in order to shut down the mining process, Akamai said in a new report published today. "We developed two techniques by leveraging the mining topologies and pool policies that enable us to reduce a
Analysis Summary
# Tool/Technique: Bad Shares and XMRogue (Mining Disruption Techniques)
## Overview
Akamai details two novel defensive techniques designed to disrupt and potentially shut down cryptocurrency mining botnets, specifically Monero (XMR) mining campaigns, by exploiting the design and policies of mining topologies and the Stratum mining protocol. One technique targets the mining proxy, while the other targets direct connections to the mining pool.
## Technical Details
- Type: Technique / Tool (XMRogue is the supporting tool)
- Platform: Mining infrastructure (Proxies, Pools, Miner Clients)
- Capabilities: Getting mining proxies or wallet addresses banned from mining pools, either by submitting invalid job results or by flooding the pool with login requests.
- First Seen: June 2025 (based on the article publication date)
## MITRE ATT&CK Mapping
This research focuses on disruption/defense rather than offensive TTPs, but the *adversary's* actions that these methods counter often map to:
- **TA0011 - Command and Control** (The C2/Pool interaction is disrupted)
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols **[Relevant Context: Stratum protocol disruption]**
## Functionality
### Core Capabilities
**1. Bad Shares Technique (Targeting Mining Proxy):**
- Impersonating a legitimate miner using an in-house tool (XMRogue).
- Connecting to the attacker's mining proxy.
- Submitting consecutive "bad shares" (invalid mining job results) that the proxy does not validate and therefore forwards to the upstream pool.
- Causing the mining pool to ban the proxy due to repeated bad shares, halting mining operations for the entire botnet connected through that proxy.
**2. Wallet Ban Technique (Targeting Direct Pool Connection):**
- Exploiting pools that ban a wallet address for one hour if it receives more than 1,000 simultaneous login requests.
- Initiating over 1,000 concurrent login attempts against the pool using the attacker's own wallet address.
- Forcing the pool to ban the attacker's wallet, which is effective when miners connect directly to the pool without a proxy.
### Advanced Features
- The ability to *selectively* shut down botnets without impacting legitimate miners on the same pool, by targeting the specific proxy or wallet infrastructure used by the attacker.
- The techniques leverage the attacker's reliance on proxies, or the pool's own defensive policies (e.g., connection limits), against the botnet.
## Indicators of Compromise
*Note: The article primarily describes defensive actions/tools used against malware infrastructure, rather than IoCs generated by the malware itself.*
- File Hashes: N/A (XMRogue is a tool developed for defense)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Communication over the **Stratum mining protocol**, whose behavior the techniques exploit.
- Behavioral Indicators: High volume of invalid Proof-of-Work submissions ("bad shares") originating from a single pseudo-miner entity targeting a proxy; high volume of concurrent login attempts to a pool using a single wallet address.
## Associated Threat Actors
The article does not name specific threat actors using Monero miners, but the defensive techniques were developed to counter **Cryptominer Botnets**.
## Detection Methods
- Signature-based detection: Not applicable to these specific defensive techniques, but monitoring for unusual patterns targeting mining infrastructure is key.
- Behavioral detection: Detecting anomalous submission rates of invalid shares, or rapid, high-volume connection floods aimed at banning an upstream entity.
- YARA rules: N/A
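As an added example (not Akamai's code and not part of the original article), the following Python sketch implements the two behavioral indicators above from the pool or proxy side: a per-session streak of rejected shares, and a per-wallet burst of login requests inside a sliding window. The log format, thresholds, IP addresses and wallet names are all constructed for this example.

```python
from collections import defaultdict, deque

# Thresholds are assumptions for this example; a real pool or proxy tunes them.
BAD_SHARE_STREAK = 5      # consecutive rejected shares from one session before flagging it
LOGIN_FLOOD_LIMIT = 1000  # logins per wallet inside LOGIN_WINDOW (the figure the article cites)
LOGIN_WINDOW = 60.0       # seconds

def parse_event(line):
    """Constructed pool-side log format: '<unix_ts> <src_ip> <stratum_method> <wallet> <status>'."""
    ts, src, method, wallet, status = line.split()
    return {"ts": float(ts), "src": src, "method": method, "wallet": wallet, "ok": status == "accepted"}

def analyze(lines):
    """Flag sessions with a streak of rejected shares and wallets whose login rate exceeds the limit."""
    streak = defaultdict(int)           # src -> current run of rejected 'submit' calls
    recent_logins = defaultdict(deque)  # wallet -> timestamps of logins inside the window
    bad_share_sources, flooded_wallets = [], []
    for line in lines:
        ev = parse_event(line)
        if ev["method"] == "submit":
            if ev["ok"]:
                streak[ev["src"]] = 0   # an accepted share resets the run
            else:
                streak[ev["src"]] += 1
                if streak[ev["src"]] == BAD_SHARE_STREAK:
                    bad_share_sources.append(ev["src"])
        elif ev["method"] == "login":
            q = recent_logins[ev["wallet"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > LOGIN_WINDOW:
                q.popleft()             # slide the window forward
            if len(q) > LOGIN_FLOOD_LIMIT and ev["wallet"] not in flooded_wallets:
                flooded_wallets.append(ev["wallet"])
    return {"bad_share_sources": bad_share_sources, "flooded_wallets": flooded_wallets}

def sample_lines():
    """Constructed sample (all addresses and wallets invented): one session with 6 rejected shares
    in a row, one healthy session with a single rejection, 1,001 logins for one wallet within 50s,
    and a wallet that logs in slowly and should not be flagged."""
    lines = [f"{100 + i} 10.0.0.5 submit WALLET_A rejected" for i in range(6)]
    lines += [f"{100 + i} 10.0.0.9 submit WALLET_A {'rejected' if i == 2 else 'accepted'}" for i in range(6)]
    lines += [f"{200 + i * 0.05:.2f} 10.0.1.{i % 250} login WALLET_B accepted" for i in range(1001)]
    lines += [f"{300 + i * 120} 10.0.2.1 login WALLET_C accepted" for i in range(3)]
    return lines

if __name__ == "__main__":
    print(analyze(sample_lines()))
    # {'bad_share_sources': ['10.0.0.5'], 'flooded_wallets': ['WALLET_B']}
```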
## Mitigation Strategies
For Defenders (Cryptocurrency Pools/Organizations):
- **Proxy Hardening:** Ensure mining proxies validate submitted shares before forwarding them upstream, and implement rate-limiting or self-banning policies that are harder to trigger with repeated invalid shares.
- **Connection Limits:** Review and potentially adjust hard connection limits for wallet addresses to prevent abuse of the 1,000+ connection threshold for one-hour bans.
For Victims (Infected systems):
- Mitigating the *initial infection* (the cryptominer) remains standard endpoint security remediation; these techniques instead facilitate *shutting down* the mining operation once it is established.
## Related Tools/Techniques
- **XMRogue:** The specific tool developed by Akamai to automate the "bad shares" technique.
- **Stratum Protocol:** The underlying protocol whose behavior is exploited.
- General Cryptomining Malware (e.g., XMRig-based variants, specific Monero miners).