Threat intelligence

Latest Threat Intelligence Reveals Rising Tide of Cryptojacking

by Amber Wolff

Threat actors looking for a steadier (and stealthier) income stream pushed cryptojacking to record highs in 2022.

Late February was a wakeup call for anyone who still thought it was a good idea to illegally download software: Researchers identified a new version of cryptojacking malware hiding within cracked versions of Apple’s Final Cut Pro video editing app. This macOS-targeting malware was designed to turn the tables on pirates by hijacking their computers and using them to illegally mine Monero.

While this isn’t the first time XMRig, a perfectly legal cryptominer, has been identified in pirated Final Cut Pro software, this version is particularly stealthy. If a user happens to notice their machine’s performance is suffering and opens Activity Monitor to find the source of the trouble, XMRig shuts down to avoid detection, then relaunches once Activity Monitor is closed.
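The hide-and-relaunch behavior described above leaves a timing pattern that endpoint telemetry can expose. The following is an added example, not code from SonicWall or the researchers: it assumes process start/exit events are already collected as simple tuples, and the event data, process names and thresholds are constructed for illustration.

```python
from collections import defaultdict

MONITOR = "Activity Monitor"

# Constructed process events: (seconds since boot, event, process name).
# "render_helper" is a made-up name standing in for the hidden miner.
EVENTS = [
    (100, "start", "render_helper"),
    (101, "start", "Safari"),
    (300, "start", MONITOR),
    (302, "exit", "render_helper"),
    (360, "exit", MONITOR),
    (363, "start", "render_helper"),
    (500, "exit", "Safari"),
    (900, "start", MONITOR),
    (901, "exit", "render_helper"),
    (950, "exit", MONITOR),
    (954, "start", "render_helper"),
    (1200, "start", MONITOR),
    (1203, "exit", "Mail"),  # coincidental exit, never relaunched
    (1260, "exit", MONITOR),
]

def find_monitor_evasive(events, window=5, min_cycles=2):
    """Return {process: cycles} for processes that exit within `window`
    seconds of the monitor opening and relaunch within `window` seconds
    of it closing, at least `min_cycles` times (thresholds are assumptions)."""
    cycles = defaultdict(int)
    opened = closed = None
    hid = set()  # processes that exited right after the current monitor open
    for ts, kind, name in sorted(events):
        if name == MONITOR:
            if kind == "start":
                opened, closed, hid = ts, None, set()
            else:
                opened, closed = None, ts
        elif kind == "exit" and opened is not None and ts - opened <= window:
            hid.add(name)
        elif (kind == "start" and closed is not None
              and ts - closed <= window and name in hid):
            cycles[name] += 1  # one full hide-and-relaunch cycle observed
            hid.discard(name)
    return {p: n for p, n in cycles.items() if n >= min_cycles}
```

Requiring repeated cycles keeps a single coincidental exit, like the constructed `Mail` event, from being flagged.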

What is Cryptojacking?

Cryptojacking refers to the act of using a computer or other device to mine cryptocurrency without the knowledge or consent of the device’s owner. This process is often very resource-intensive, and can cause the device’s performance to suffer or result in higher electric bills for the target.

Cryptojacking Reached Record High in 2022

While companies such as Apple are working to bolster their defenses against cryptojacking campaigns, recent data suggests this may continue to be an uphill battle.

In the 2023 SonicWall Cyber Threat Report, SonicWall Capture Labs threat researchers reported a 43% year-over-year increase in cryptojacking attempts in 2022. This spike pushed attack volume past the 100-million mark for the first time ever and set a new record high of 139.3 million attacks by year’s end.

SonicWall also observed a shift in the locations being targeted. While North America experienced a 36% year-over-year increase, Asia and Europe both saw triple-digit increases, with the latter recording 6.5 times the number of attacks in 2022 as in 2021.

As noted in the report, some of this growth may be due to threat actors supplementing or shifting from ransomware to more low-profile revenue streams. At least one ransomware gang has publicly announced they were shutting down their ransomware operation in favor of cryptojacking. And based on the 21% year-over-year decrease in ransomware attacks observed by SonicWall in 2022, others have likely followed suit.

Attacks Becoming More Prevalent, Stealthy and Sophisticated

As cryptojacking becomes more widely adopted, it’s also expanding its territory, with threat actors continuing to broaden their scope beyond traditional Windows-based attacks. In addition to the recently discovered Final Cut Pro campaign, cryptominers have also been identified hitching a ride on other apps designed for Macs, such as Adobe Photoshop and Apple Logic Pro.

Linux servers and even internal Redis servers were also popular targets for cryptojacking campaigns in 2022. While we reported on the growth in Redis attacks in our 2023 Cyber Threat Report, in just the week since its launch, another cryptojacking campaign targeting Redis has been identified — this one leveraging the legitimate tool transfer[.]sh.

And as cryptojacking continues to pick up steam, cybercriminals are becoming increasingly innovative. For example, in January 2023, threat actors used automation to create 130,000 free trial accounts on cloud platform services, with the end goal of exploiting GitHub Actions workflows for illicit cryptomining.

With cryptojacking attacks on the rise and the cyber landscape continuing to evolve, staying up to date on the latest threat intelligence has never been more important.

“It is crucial for organizations to understand attackers’ tactics, techniques and procedures (TTPs), and commit to threat-informed cybersecurity strategies to defend and recover successfully from business-disrupting events,” said SonicWall Threat Detection and Response Strategist Immanuel Chavoya. “This includes stopping sophisticated ransomware attacks as well as defending emerging threat vectors, including IoT and cryptojacking.”

Securing Today’s Volatile Threat Environment

When it comes to intel, news and developments from 2022, the above findings barely scratch the surface. For more of SonicWall’s exclusive threat intelligence, including location- and industry-specific data, download the complete 2023 SonicWall Cyber Threat Report.


An Article By

Amber Wolff

Senior Digital Copywriter
Amber Wolff is the Senior Digital Copywriter for SonicWall. Prior to joining the SonicWall team, Amber was a cybersecurity blogger and content creator, covering a wide variety of products and topics surrounding enterprise security. She spent the earlier part of her career in advertising, where she wrote and edited for a number of national clients.