Cryptocurrency mining malware

ACESO NETWORK
Aug 10, 2018 · 6 min read

In case you are not very familiar with cryptocurrency mining, let’s first quickly define what it is. Essentially, mining is the process of adding transaction records to a blockchain, which is like a public ledger. Adding those transactions takes a lot of computing power, so many miners have to purchase special hardware to mine efficiently. Unfortunately for regular users, cyber crooks have started creating malware that uses victims’ computers for mining.

What are the signs?

When a computer is infected with mining malware, it starts exhibiting certain symptoms. One of the first you would notice is the slowdown of your device. Because such malware consumes the device’s resources, it slows the device down quite significantly: it might lag, programs may take a long time to launch, or it may freeze constantly. If you are used to a fast computer, this kind of behaviour will be very noticeable. Another major indication that your computer is infected with mining malware is unfamiliar processes in Task Manager. Not every user knows that when a computer is acting strangely, it is helpful to check Task Manager, as it shows a lot of useful information. In the case of miners, Task Manager would show a process (or multiple processes) using a lot of your CPU, possibly more than 70–80%. This is a very clear indication that you are dealing with a miner.

Most computers are not made to withstand such intense resource usage for long periods of time, so if a miner is left unaddressed, it could shorten your CPU’s lifespan. Otherwise, it should not do damage.
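The Task Manager check above can be automated. The following is an added example (not code from the original post): it flags only processes that stay above the post’s 70% threshold across several consecutive samples, so a short burst from a compiler or a game is not mistaken for a miner. The live collector assumes the third-party psutil package; the detection function itself needs nothing beyond the standard library.

```python
from collections import defaultdict
import time

try:
    import psutil  # assumed third-party dependency: pip install psutil
except ImportError:
    psutil = None  # the pure detection logic below still works without it

CPU_THRESHOLD = 70.0  # percent of total CPU, the post's rule of thumb
MIN_HITS = 3          # consecutive samples above threshold before alerting


def sustained_hogs(samples, threshold=CPU_THRESHOLD, min_hits=MIN_HITS):
    """samples: list of {(pid, name): cpu_percent} snapshots, oldest first.
    Returns the (pid, name) keys at or above `threshold` in every one of the
    last `min_hits` snapshots; short bursts are ignored, a miner is not."""
    if len(samples) < min_hits:
        return []
    streaks = defaultdict(int)
    for snapshot in samples[-min_hits:]:
        for key, pct in snapshot.items():
            if pct >= threshold:
                streaks[key] += 1
    return sorted(key for key, n in streaks.items() if n == min_hits)


def collect_snapshots(count=MIN_HITS, interval=2.0):
    """Sample live processes; per-process cpu_percent is divided by the core
    count so it matches the 'total CPU' figure Task Manager shows."""
    if psutil is None:
        raise RuntimeError("live sampling needs psutil")
    procs = list(psutil.process_iter(["pid", "name"]))
    for p in procs:
        p.cpu_percent(None)  # prime the counters; the first call returns 0.0
    cores = psutil.cpu_count() or 1
    snapshots = []
    for _ in range(count):
        time.sleep(interval)
        snap = {}
        for p in procs:
            try:
                snap[(p.pid, p.info["name"])] = p.cpu_percent(None) / cores
            except (psutil.NoSuchProcess, psutil.AccessDenied):
                continue
        snapshots.append(snap)
    return snapshots


if __name__ == "__main__":
    for pid, name in sustained_hogs(collect_snapshots()):
        print(f"sustained high CPU: pid={pid} name={name}")
```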

How could you be exploited by a coin miner

For a lot of us, the Internet has become an integral part of our lives. We visit so many different websites that ending up on a questionable one is not unusual, and visiting those kinds of websites is how many people end up with malware. An ad may pop up that, when clicked, leads to malicious sites promoting malware disguised as updates or legitimate programs. In such cases, cyber crooks do not really need to do anything: users install the malware themselves. Once the malware is inside, the crooks can start exploiting the infected computer.

Let’s analyse, in more detail, a case when a user is tricked into clicking or downloading a malicious file, more specifically a file disguised as an Adobe Flash Player update. The user would be visiting some questionable website, when a pop-up would appear. It would claim that the user’s Adobe Flash Player is out of date and that an update is necessary. Not noticing anything unusual, the user would click on the link provided in the pop-up and would end up redirected to zipansion.com/2hJsq. Another redirect would take the user to http://clearload.bid/-36721IUOB/2hJsq?rndad=3328358281-1533563750, then to https://2no.co/2amqu5 and finally to adobeupdater.mcdir.ru. On that domain, the user would be asked to download a dmclient.exe file. All these redirects to different sites are needed to collect user data and set up cookies on the machine.

So the sequence of the redirects would be:

zipansion.com → clearload.bid → 2no.co → adobeupdater.mcdir.ru

If the user were to check the file’s properties, it would appear to be a legitimate Microsoft file, as the File description field shows “Microsoft feedback”. It would appear like this:

Copyright: Microsoft Corporation. All rights reserved
Product name: Microsoft Windows Operating System
File description: Microsoft feedback SIUF Deployment …
File version: 10.0.16299.15

If the user were to check the file on virustotal.com, it would be clear that it is a Trojan, as 44 out of 68 anti-virus vendors have marked it as a Trojan.agent.

File details:

SHA-256: c0c0d0c792a332ff1263a5f27357017381ecd5e236dfa71d7b49af7787e11c9e
MD5: 49f4504bf8c209854dc5d02a038ddbdd
File size: 293KB

When the user executes the file, on the surface it would appear as if nothing has happened. However, without the user knowing, a lot of things would happen in the background. For one, a task with the name “WinInetDriver” would be created in the Task Scheduler.

This task would be executed every minute with the action “C:\ProgramData\{758899-1cbf42-8949-54145679012c}\hostdl.exe”.
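A scheduled task like this one is easy to hunt for. The following is an added example, not code from the original post: it parses the CSV that `schtasks /query /fo CSV /v` produces and flags tasks whose action lives in a GUID-named folder under ProgramData or that repeat every minute, the two traits of the “WinInetDriver” task above. The sample rows are constructed (a subset of the real columns); the interval string format is the one schtasks prints.

```python
import csv
import io
import re
import subprocess

# Action path inside a GUID-named folder under ProgramData, as in the post.
GUID_DIR = re.compile(r"\\ProgramData\\\{[0-9a-f-]+\}\\", re.IGNORECASE)
# schtasks prints the repeat interval as e.g. "0 Hour(s), 1 Minute(s)".
REPEAT = re.compile(r"(\d+)\s*Hour\(s\),\s*(\d+)\s*Minute\(s\)")


def repeat_minutes(value):
    """'0 Hour(s), 1 Minute(s)' -> 1; 'N/A' (no repetition) -> None."""
    m = REPEAT.search(value or "")
    return int(m.group(1)) * 60 + int(m.group(2)) if m else None


def suspicious_tasks(csv_text, max_minutes=1):
    """Return (TaskName, action, reason) for tasks matching either rule."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("TaskName") == "TaskName":
            continue  # schtasks may repeat the header row per task folder
        action = row.get("Task To Run", "")
        reasons = []
        if GUID_DIR.search(action):
            reasons.append("action in ProgramData GUID folder")
        mins = repeat_minutes(row.get("Repeat: Every"))
        if mins is not None and mins <= max_minutes:
            reasons.append(f"repeats every {mins} min")
        if reasons:
            hits.append((row["TaskName"], action, "; ".join(reasons)))
    return hits


def query_live_tasks():
    """Windows only: pull the verbose CSV straight from schtasks."""
    out = subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"],
                         capture_output=True, text=True, check=True)
    return out.stdout


# Constructed sample: two benign rows and one modelled on the post's task.
SAMPLE_CSV = '''"HostName","TaskName","Task To Run","Repeat: Every"
"PC1","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c","N/A"
"PC1","\\WinInetDriver","C:\\ProgramData\\{758899-1cbf42-8949-54145679012c}\\hostdl.exe","0 Hour(s), 1 Minute(s)"
"PC1","\\Backup","C:\\Tools\\backup.exe","N/A"
'''

if __name__ == "__main__":
    for name, action, why in suspicious_tasks(SAMPLE_CSV):
        print(f"{name}: {action} ({why})")
```

On a live Windows host, pass `query_live_tasks()` to `suspicious_tasks` instead of the sample.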

When the file is executed the first time, it sends information about the machine to http://adobeupdater.mcdir.ru/gate.php.

On subsequent executions, it sends out its main information, such as its ID and status. In the picture below, the sample is not yet enabled and is waiting for a response from the server before proceeding to the active stage.

If the user were to check the PROGRAMDATA folder, the directory {70196f-08d038-9718-28a47d445226} would not be visible: not because it carries the hidden attribute, but because a rootkit installed when dmclient.exe was executed protects it from being listed.

With the GMER rootkit detector, the directory becomes visible and can be seen to contain the hostdl.exe file, just as the Task Scheduler entry showed.

Looking at hostdl.exe, it can be seen that it is identical to dmclient.exe.

Once hostdl.exe gets a signal from adobeupdater.mcdir.ru to go to the enabled state, it downloads additional files from bitbucket.org. The files amd.txt and cpu.txt would be downloaded and executed; they enable the XMRig coin miner on the user’s device. The device would then be used to mine cryptocurrency, which makes money for the creators of this malware, and the user would not even know this is happening.

Conclusion

While mining malware is not difficult to notice, not everyone is aware of the symptoms and what they mean. Users could have it for weeks or even months, helping crooks make easy money, and not even know. And with the popularity of cryptocurrency, this kind of malware will become more and more common. Fortunately, there is a way to fight it with ACESO Network. Using our network of experts, ACESO will be able to protect users and their privacy by detecting and removing various infections before they can actually do anything.
