CoinMiner Malware
September 16, 2023
Coin Miner is a malware type that uses the hardware elements of the victim’s PC to mine cryptocurrencies. Most often, crooks who control such coin miner virus (Monero (XMR) or (Litecoin an example), as they are the easiest for mining. They can use the software that is similar or even completely repeats the one used for legit mining, but with a key difference - people whose hardware is used never agreed for this.
Cryptomining malware generally aims at conducting its activity on the user’s CPU. That happens because there are pretty big number of PCs, especially in offices, where no GPU is present. Even through GPU mining is more effective by orders of magnitude, it is important for crooks to successfully launch on every PC they invade. They substitute the quality with quantity, which is pretty effective with the chosen cryptotokens.
How Does CoinMiner Malware Work?
As it was mentioned, crypto miners do nearly same things as genuine miners, and sometimes use same codebase – from the open-source tools. They concentrate at conducting the calculations of a transaction block hash using the hardware. Depending on the cryptotoken, the hash may consist of 64, 128, 256 or more symbols. This operation is needed to add the transaction info to a blockchain - a global ledger book, unique for each crypto currency.
GPUs are way more efficient than CPU for that task, as they have thousands of execution cores, in contrast to CPUs that typically have 4 to 8 ones. That’s why you’d probably heard about the graphic card’s price surge during the last cryptoboom. You still can perform the mining with a processor, but the task of hash calculation is time-sensitive. If you will not complete it in time, then someone else will receive a reward for doing it faster. To mitigate this problem from both ends, crooks opt for easy-to-mine cryptos and apply hacking into hundreds of computers to add them to their network. Hence, even having old and weak CPUs will be compensated by their number.
Cryptomining malware usually subordinates the command server, having only small things to decide autonomously. However, the initial coin miner setup almost always happens independently from the server - as the spreading has a massive scale. After being set up, malware connects to the server, retrieves the unified instructions and starts running. To make this connection more stealthy, crooks rent a server on well-known hosting - fortunately for them, they apply cryptocurrency payments these days.
Trojan CoinMiner Samples Found in 2024:
| Ransom.Win32.Miner.cld | 6d49017cc391b1eff941718861b39f650c24402f1ace1c9c0dd8aafa530ee4bf |
| Trojan.Win32.CoinMiner.dd!n | cc0e2956994e20bdcc659dc8c8070e26e4fd8aa4a8a3e6303176aa7b05f5fbec |
| Trojan.Win64.CoinMiner.cl | 463342b1bfdcb199ecd21e5c81f1c71417531fa913f0f687c1cf20b929daef1f |
| Trojan.Win32.CoinMiner.dd!n | 2ad91b3e4f12530fafb6e50ed501942fac463ccf20cec374e0803f97f1920ebf |
| Trojan.Win32.CoinMiner.dd!n | 808ba990881c67835f4f5ccbf4bc4482e7bb33cbb987e4ec6d96963a4777620f |
| Trojan.Win32.CoinMiner.oa!s1 | 20c922c7c2794a69f119d53173b600dd5c8d9ac5b1a94b59de0321a845d9aa0c |
| Trojan.Win64.CoinMiner.sa | 05198c5ec393db7ded9b7a313f99e67b43a0e0fc3832a3c0ff30bb9c79424d32 |
| Trojan.Win32.CoinMiner.ns | 0dd4434fe34de41c317a14592a1b6a3dcc4eb7450125cfa6f843caddfb2337fa |
| Trojan.Win64.CoinMiner.ca | 00748d7ea4ccfb6fc6ff59e3fe24c46b862ab3dd9c562ff6b13b5dfb31326bc6 |
| Trojan.Win32.CoinMiner.vl!n | f71946f4bad844fdfc86956de2484f35644dd4fa007ef381942b7d9d3c0fcfaa |
How Do You Get a Coin Miner Virus?
Most of coin miners make a way into your PC as trojans - disguised as a legit apps or tools. The exact way they are spread may differ, depending on the decision of a crook who manage the distribution. But generally you will meet the coin miner in hacked apps, tools for some not so legit actions and in email spam. For some of the examples, you will be recommended to switch off your antivirus - and that already should be considered threatening. However, as it was mentioned before, there are ways to make it stealthier even without any manipulation to the user’s security settings.
Email spam as a way for coin miner distribution is quite new, and seems to have much less spreading these days. At the beginning of summer 2022, there was a large outbreak of such miners, that generally aimed Spanish-speaking countries. Malware was contained in the fake .docx, .xlsx, .pdf or .txt files, which were attached to the letter. Instead of classic scheme with malicious macro script inside of a document, crooks used another, more old scheme - the double extension. By default, Windows has the files extensions displaying disabled, so the victims saw only “legit” extension of a document. In fact, all these files were executable - the .exe extension was hiding behind the interface settings.
Is CoinMiner Malware Dangerous?
Generally speaking, coin miner malware brings a lot of discomfort in PC usage. Cryptomining is a very resource-intensive process, so using the computer that is involved in mining is nearly impossible. Having your CPU or GPU loaded to the limit where it is barely enough for OS to run (~75-80%) means you will likely struggle even to launch the web browser. Mining squeezes out as much power as it can, and since it is controlled by hackers, you have no way to manage this load.
Still, that is not the sole danger of mining. Efficient hash calculation supposes a constant load to your hardware, and hackers never miss a chance to exploit the system they’ve infected as long as possible. For CPUs, long-term loads are not very critical - they may malfunction only if they have some sort of a silicon crystal flaw, or a broken heat sink. Meanwhile, GPUs suffer a heavy wearing during the mining - some models can lose over 20% of their performance in a month, depending on a software and how the load is managed. This usually happens when the temperature and hardware load are managed improperly, but once again - when did cybercriminals pay attention to the victims’ PC state?
There is also a risk no one usually talk about. Coin Miners can collect data packets that are more typical for spyware and stealers. Information about the location, real IP-address of a victim, PC configuration, personal information – these things collected to a database may cost a lot in the Darknet. And rascals who spread malicious miners will never discard a chance to get a monetary bonus. Embedding the spyware functionality is a question of a few minutes, and the results may be alarmingly bad for a victim.
How to Detect CoinMiner Malware?
The key sign of a coin miner activity is the overall system slowness. It is obvious that any system will be difficult to work when the key element of the system is distracted for another task. Coin Miner malware drains all the available power, regardless if there is a 10-years-old Celeron or a Threadripper. Also, you will definitely hear your heat vent whirling on its max RPM ratios. Still, such situations may happen when you perform your daily tasks as well, so it is important to do some additional research.
Contrary to the aforementioned spyware, coin miner malware never hides its presence. Actually, it is impossible, since there is a non-removable sign of its presence – the extremal hardware load. Since they cannot get rid of it, they try to disguise the malicious process (it will definitely be present in the Task Manager) as something known and legit. The most widespread form of concealment is taking the name of a certain system process. Most of users have no clue about the internal mechanisms in Windows, and thus cannot judge about the adequacy of processes running in the background.
Seeing a process like “winlogon.exe” or “msmpeng.exe” that takes over 70% of their hardware power says nothing to them, and googling will likely show that these processes are the part of Windows. However, there are no situations where these processes can take this much of CPU power. There are several exclusions, apparently, but they are very rare and most likely such a situation means you have a coin miner malware in your system.
Typical signs of coin miner virus running in your system
- High CPU or GPU load that is present regardless of your actions on the PC;
- A system process present in the user's process tree;
- Inability to fix the situation with reboots, i.e. CPU load appears as soon as the computer starts;
- Microsoft Defender is turned off;
Nonetheless, the best way to be sure if you have exactly this problem is to use antivirus software. You can guess, of course, and the chance to be right may be pretty high, but at that situation bearing upon a chance is not an option. Specialised software that has several detection systems will definitely show all the details of what is going on, and remove the intruder if such is present.
How to Protect PC From CoinMiner Malware?
Coin Miners are not that easy to predict and remove, as their spreading waves rarely correspond to other malware activity. This malware kind rather orient at cryptocurrency values - and they are way less predictable than different malicious software. Hence, you should expect new tricks and methods with the other wave of crypto rush.
The best way to nail the risks is to avoid the possible sources of malware. Sure, you cannot forbid the use of its main source - the Internet - but surely can stop visiting the dangerous places and using software that can possibly deal damage to your system is what you should keep away from. Warez sites that offer cracked versions of popular apps, forums or Discord communities that share hand-made tools, email letters from unknown senders - they should not be trusted. Even if you are confident that this source does not spread malicious things, it is better to check it up before installation - you can never be sure if the next thing won’t be malicious.
The ultimate method, which should still act as a last argument, is an effective anti-malware software with proactive protection. With less complicated apps, you can definitely detect the already running coin miner malware, but proactive protection can stop it even before it can do even a thing. And remember that coin miner viruses can easily act as spyware – and giving it more time to act means publishing all your personal details. GridinSoft Anti-Malware will make everything as it should be - quickly and not giving malware even a chance.