CryptojackingTrap

The high profitability of mining cryptocurrencies mining, a computationally intensive activity, forms a fertile ecosystem that is enticing not only legitimate investors but also cyber attackers who invest their illicit computational resources in this area. Cryptojacking refers to the surreptitious exploitation of a victim’s computing resources to mine cryptocurrencies on behalf of the cybercriminal. This malicious behavior is observed in executable files and browser executable codes, including JavaScript and Assembly modules, downloaded from websites to victims’ machines and executed. Although there are numerous botnet detection techniques to stop this malicious activity, attackers can circumvent these protections using a variety of techniques. In this paper, we introduce CryptojackingTrap, a novel cryptojacking detection solution designed to be resistant to most malware defense methods. The CryptojackingTrap algorithm is based on the execution of cryptocurrency hash functions: an indispensable behavior of all cryptojacking executors. This algorithm becomes aware of this specific hash execution by correlating the memory access traces of suspicious executables with publicly available cryptocurrency P2P network data. With the advantage of this assemblylevel investigation and a nature-inspired approach to triggering the detection alarm, CryptojackingTrap provides an accurate, evasion-proof technique for detecting cryptojacking. After experimental evaluation, the false negative and false positive rates are zero, and in addition, the false positive rate is mathematically calculated as 10−20. CryptojackingTrap has an open, extensible architecture and is available to the open-source community.