What is Coin Miner Malware? Trojan CoinMiner Explained

Coin Miner is malware that earns cryptocurrency for its operators by mining it on the victim's CPU or GPU, without the owner's consent.

CoinMiner Malware

November 01, 2022

Cryptomining became the gold rush of the 21st century. Everyone has heard of it, and many people have taken it up as a source of additional or even primary income. However, big money attracts not only honest people but also crooks who aim to claim that money, or to make someone else's hardware work for their enrichment.

Coin Miner is a type of malware that uses the hardware of the victim's PC to mine cryptocurrency. Most often, the crooks who control such a miner mine Monero (XMR) or Litecoin, for example, because these are the easiest to mine on ordinary hardware; Monero's proof-of-work algorithm (RandomX) is deliberately designed to run well on general-purpose CPUs. The software may be similar to, or even an exact copy of, the tools used for legitimate mining, with one key difference: the people whose hardware is used never agreed to it.

Cryptomining malware generally targets the CPU. There are a large number of PCs, especially in offices, that have no discrete GPU at all. Even though GPU mining is more efficient by orders of magnitude for most algorithms, what matters to the crooks is that the miner runs on every PC they break into. They substitute quantity for quality, which works well enough with the tokens they choose.

How Does CoinMiner Malware Work?

As mentioned, malicious miners do nearly the same thing as genuine ones, and often share the same codebase, since the common mining tools are open source. They search for a hash of a candidate transaction block that satisfies the network's difficulty target. The hash is typically 256 bits long, written as 64 hexadecimal characters, although the exact hash function and length depend on the cryptocurrency. Finding such a hash is what adds the block, and the transactions in it, to the blockchain: the global ledger that is unique to each cryptocurrency.

Cryptomining scheme

GPUs are far more efficient than CPUs at this task, as they have thousands of execution cores, whereas a typical CPU has 4 to 8. That is why graphics card prices surged during the last crypto boom. Mining on a CPU still works, but the hash search is a race: if you do not find a valid hash before someone else does, the other party collects the block reward. To make up for this from both ends, crooks choose coins that are easy to mine on CPUs and break into hundreds of computers to add them to their network. Even old and weak CPUs are compensated for by their number.
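To make the hash search concrete, here is an added toy proof-of-work in PowerShell; it is not code from this page or from any mining software. It assumes a made-up block header string and a simplified difficulty rule (the hash must start with N zero hex digits) instead of a real network's target encoding, but the shape of the loop, and the fact that each extra digit of difficulty multiplies the expected work by 16, is the same thing a miner, malicious or not, does at scale.

```powershell
# Added toy proof-of-work: find a nonce whose SHA-256 hash of (header|nonce)
# starts with N zero hex digits. Real networks use other hash functions
# (Bitcoin: double SHA-256, Monero: RandomX) and encode the target differently.
$sha = [System.Security.Cryptography.SHA256]::Create()

function Get-BlockHash {
    param([string]$Header, [uint64]$Nonce)
    $bytes  = [System.Text.Encoding]::UTF8.GetBytes("$Header|$Nonce")
    $digest = $sha.ComputeHash($bytes)
    # 256-bit digest rendered as 64 hex characters
    return ([System.BitConverter]::ToString($digest)).Replace('-', '').ToLower()
}

function Find-Nonce {
    param([string]$Header, [int]$LeadingZeroHexDigits = 3)
    $target = '0' * $LeadingZeroHexDigits
    $nonce  = [uint64]0
    while ($true) {
        $h = Get-BlockHash -Header $Header -Nonce $nonce
        if ($h.StartsWith($target)) {
            return [pscustomobject]@{ Nonce = $nonce; Hash = $h; Attempts = $nonce + 1 }
        }
        $nonce++
    }
}

# Constructed sample header: a fake previous-block hash plus a fake transaction list
$header     = 'prev=0000a1b2c3d4e5f6|tx=alice->bob:1.0;bob->carol:0.5'
$difficulty = 3                      # 3 hex digits: 16^3 = 4096 expected attempts
$start      = Get-Date
$result     = Find-Nonce -Header $header -LeadingZeroHexDigits $difficulty
$elapsed    = ((Get-Date) - $start).TotalSeconds

"Expected attempts : $([math]::Pow(16, $difficulty))"
"Actual attempts   : $($result.Attempts) (nonce $($result.Nonce))"
"Hash              : $($result.Hash)"
"Rate              : $([int]($result.Attempts / [math]::Max($elapsed, 0.001))) hashes/s on this CPU"
"Work for +1 digit : x16, i.e. $([math]::Pow(16, $difficulty + 1)) expected attempts"
```

Raise the difficulty by one digit and the run takes about 16 times longer on the same machine; spread the search over 16 machines and the expected time to a solution falls back to where it was. That is the arithmetic behind infecting hundreds of computers rather than tuning one.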

Cryptomining malware usually follows its command-and-control (C2) server and decides very little on its own. The initial installation, however, almost always happens without the server's involvement, because distribution is done at massive scale. Once set up, the malware connects to the server, retrieves the common instructions (typically the mining pool to connect to and the wallet that collects the reward) and starts running. To keep this connection inconspicuous, crooks rent a server from a well-known hosting provider; conveniently for them, many hosters accept cryptocurrency payments these days.

How Do You Get a Coin Miner Virus?

Most coin miners get onto a PC as trojans, disguised as legitimate apps or tools. The exact distribution channel depends on the crook who manages it, but generally you will meet a coin miner bundled with cracked apps, with tools for not-so-legitimate activities, and in email spam. Some of them come with instructions to switch off your antivirus first; that alone should be treated as a warning sign. There are, however, ways to make the miner stealthier without touching the user's security settings at all.

Email spam is one of the popular ways of coin miner malware spreading

Email spam as a distribution channel for coin miners is relatively new and seems to be less widespread these days. At the beginning of summer 2022 there was a large outbreak of such miners, mostly aimed at Spanish-speaking countries. The malware was delivered as fake .docx, .xlsx, .pdf or .txt files attached to the message. Instead of the classic scheme with a malicious macro inside a document, the crooks used an older trick: the double extension. By default, Windows hides the extensions of known file types, so victims saw only the "legitimate" document extension, e.g. invoice.pdf, while the real file name was invoice.pdf.exe. All of these files were executables; the .exe extension was hidden by the Explorer setting.
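As an added, practical check (not part of the original article, and not a GridinSoft tool), the following PowerShell turns extension display on for the current user and scans a folder for the double-extension lure described above. The folder, the lists of "document" and "executable" extensions, and the file names in the comments are assumptions made for the example.

```powershell
# Added example: expose real extensions and flag document.ext.exe lures.

# 1. Stop Explorer hiding extensions of known file types (current user).
#    Explorer picks the change up after it is restarted or the user logs off.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord

# 2. Extensions a lure pretends to have, and the executable types that hide behind them
$docExt  = 'doc','docx','xls','xlsx','pdf','txt','rtf','jpg','png'
$execExt = 'exe','scr','com','pif','bat','cmd','js','vbs','hta','msi'
$pattern = '(?i)\.(' + ($docExt -join '|') + ')\.(' + ($execExt -join '|') + ')$'

function Find-DoubleExtension {
    # Assumed default: the Downloads folder, where mail clients drop attachments
    param([string[]]$Path = @("$env:USERPROFILE\Downloads"))

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                # What Explorer showed while extensions were hidden, e.g. "invoice.pdf"
                ShownAs   = $_.Name -replace '\.[^.]+$', ''
                Signature = $sig.Status          # NotSigned on almost every lure
                SizeKB    = [int]($_.Length / 1KB)
            }
        }
}

Find-DoubleExtension | Format-Table -AutoSize
```

A legitimate PDF or spreadsheet never carries a second, executable extension, so any hit from this scan deserves a look before it is opened, regardless of how plausible the visible name is.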

Is CoinMiner Malware Dangerous?

Generally speaking, coin miner malware makes a PC miserable to use. Cryptomining is extremely resource-intensive, so working on a computer that is busy mining is nearly impossible. With the miner consuming 75-80% of the CPU or GPU and leaving barely enough for the operating system itself, you will likely struggle even to launch a web browser. The miner squeezes out as much computing power as it can, and since it is controlled by the attackers, you have no way to manage this load.

Still, that is not the sole danger. Efficient hash calculation means constant load on the hardware, and attackers keep exploiting an infected system for as long as they can. For CPUs, long-term load is not very critical; they tend to fail only if the silicon has a defect or the heat sink is broken. GPUs, on the other hand, wear heavily under mining loads; some models reportedly lose over 20% of their performance within a month, depending on the software and how the load is managed. That kind of damage usually happens when temperature and load are managed improperly, and cybercriminals have never cared about the state of a victim's PC.

There is also a risk that is rarely discussed. Coin miners can collect data that is more typical of spyware and stealers: the victim's location, real IP address, PC configuration and personal information. Gathered into a database, such data sells for a lot on the darknet, and the crooks who spread malicious miners never pass up the chance of a bonus. Adding spyware functionality takes a few minutes, and the consequences for the victim can be serious.

How to Detect CoinMiner Malware?

The key sign of coin miner activity is overall system slowness. Any system is hard to use when its core component is busy with another task. Coin miner malware drains all the available power, whether you have a ten-year-old Celeron or a Threadripper. You will also hear the cooling fans spinning at maximum RPM. Still, the same can happen during legitimate heavy work, so some additional checks are needed.

Something loads the processor to 100%

Unlike the spyware mentioned above, coin miner malware cannot fully hide its presence: the extreme hardware load is a sign it cannot remove. Since it cannot hide the load, it tries to disguise the malicious process, which will be present in Task Manager, as something known and legitimate. The most widespread form of concealment is taking the name of a system process. Most users have no idea how Windows works internally and therefore cannot judge whether the background processes they see are legitimate. Some miner builds go a step further and pause while Task Manager is open, resuming when it is closed, so a load that vanishes the moment you look is itself a suspicious sign.

Seeing a process named "winlogon.exe" or "MsMpEng.exe" taking over 70% of the CPU means nothing to them, and a web search will confirm that these are part of Windows. However, there are very few situations in which these processes legitimately use that much CPU for long (a Microsoft Defender scan is the main exception for MsMpEng.exe, and it ends). The reliable check is not the name but the image path and the signature: the genuine winlogon.exe lives in C:\Windows\System32 and is signed by Microsoft, so a process of the same name running from a user's AppData or Temp folder, or with an invalid signature, is almost certainly a coin miner.

Typical signs of coin miner virus running in your system

  • High CPU or GPU load that persists regardless of what you are doing on the PC;
  • A process with a system name running under your user account, from an unusual path, or with an invalid signature;
  • Reboots do not fix it, i.e. the load reappears as soon as the computer starts;
  • Microsoft Defender is turned off.
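
The checklist above is what a user notices; the added PowerShell example below shows the checks a responder runs on top of it, and is not code from this article or from GridinSoft. It lists every process that has consumed more than a threshold of CPU time and reports its image path, owner, Authenticode status and command line, flagging system-process names whose image is not in the expected directory, images running from user-writable profile folders, and command lines carrying mining-pool arguments. The threshold, the table of impersonated names with their expected directories, and the argument patterns are assumptions; run it from an elevated prompt, because a non-administrator cannot read the image path or owner of SYSTEM processes.

```powershell
# Added triage script: do not trust the name in Task Manager, check the evidence.
# Run elevated so ExecutablePath and the owner of SYSTEM processes are readable.

# Names miners like to borrow and where the genuine image must live
# (assumption: default Windows / Defender install locations).
$expected = @{
    'winlogon' = "$env:SystemRoot\System32"
    'csrss'    = "$env:SystemRoot\System32"
    'svchost'  = "$env:SystemRoot\System32"
    'lsass'    = "$env:SystemRoot\System32"
    'msmpeng'  = 'Windows Defender'   # Program Files\Windows Defender or ProgramData\...\Platform\<ver>
}
# Well-known XMRig / stratum argument fragments seen on malicious miner command lines
$minerArgs = 'stratum\+(tcp|ssl)://|--donate-level|--algo|xmrig|--cpu-max-threads-hint'

function Get-SuspiciousCpuProcess {
    param([double]$MinCpuSeconds = 30)   # assumed threshold: total CPU time consumed so far

    foreach ($p in Get-CimInstance Win32_Process) {
        $gp = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        if (-not $gp -or $gp.CPU -lt $MinCpuSeconds) { continue }

        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $name  = [IO.Path]::GetFileNameWithoutExtension($p.Name).ToLower()
        $path  = $p.ExecutablePath
        $sig   = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unreadable' }

        $reason = @()
        if ($expected.ContainsKey($name)) {
            if (-not $path -or $path -notlike "*$($expected[$name])*") { $reason += 'system name, wrong path' }
            if ($name -ne 'svchost' -and $owner.User -ne 'SYSTEM')     { $reason += "runs as $($owner.User), not SYSTEM" }
        }
        if ($sig -ne 'Valid') { $reason += "signature $sig" }
        foreach ($dir in $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) {
            if ($path -and $path -like "$dir*") { $reason += 'image in user-writable profile dir'; break }
        }
        if ($p.CommandLine -match $minerArgs) { $reason += 'mining-pool arguments' }

        [pscustomobject]@{
            Pid         = $p.ProcessId
            Name        = $p.Name
            CpuSeconds  = [int]$gp.CPU
            User        = "$($owner.Domain)\$($owner.User)"
            Path        = $path
            CommandLine = $p.CommandLine
            Reason      = $reason -join '; '
        }
    }
}

Get-SuspiciousCpuProcess | Sort-Object CpuSeconds -Descending | Format-List
```

An empty Reason on a hot process is not proof of innocence (a legitimate heavy job looks the same), but a system name with the wrong path, an unsigned image under AppData, or a stratum pool URL on the command line is the kind of evidence that decides the case in minutes.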

Nonetheless, the surest way to know whether you have exactly this problem is to use antivirus software. You can guess, and the chance of being right may be high, but in this situation relying on chance is not an option. Specialised software with several detection engines will show the details of what is going on and remove the intruder if one is present.

How to Protect PC From CoinMiner Malware?

Coin miners are not easy to predict and remove, as their distribution waves rarely coincide with other malware activity. This malware family follows cryptocurrency prices instead, which are far less predictable than other malicious software. Hence you should expect new tricks and methods with the next wave of crypto hype.

The best way to limit the risk is to avoid the likely sources of malware. You cannot give up its main source, the Internet, but you can stop visiting dangerous places and using software that may damage your system. Warez sites that offer cracked versions of popular apps, forums or Discord communities that share home-made tools, and emails from unknown senders should not be trusted. Even if you are confident that a source does not spread malicious files, check a download before installing it; you can never be sure the next one will not be malicious.

The final layer, which should still be a last resort rather than a replacement for caution, is effective anti-malware software with proactive protection. Simpler tools can detect a coin miner that is already running, but proactive protection can stop it before it does anything at all. And remember that coin miners can easily act as spyware, so giving them more time to act means exposing your personal details. GridinSoft Anti-Malware will set everything right quickly, without giving the malware a chance.

Frequently Asked Questions

How do you know if your computer is being used for cryptocurrency mining?
The main sign of a coin miner infection is extreme slowness of the system. Since malicious miners exploit your CPU, the system becomes sluggish and cannot handle regular tasks at a proper speed. Coin miner malware leaves only 10-15% of processor power for the system to run, and the user's tasks are out of the deal. An auxiliary sign, common to almost any malware, is a process with a dubious name or one that copies the name of a system process. Legitimate system processes rarely take over 80% of CPU power for long, so a process that does is most likely malware.
How do you scan for miners?
Trying to remove coin miner malware by hand is a bad idea. You may succeed for a while, but the cleanup will be undone within a couple of hours when the remnants you missed contact the C&C server and download the malware again. Hence a proper anti-malware solution deals with the problem quickly and completely. GridinSoft Anti-Malware is well suited to this, as it detects coin miners both proactively and during scans.
How do you prevent cryptocurrency mining?
One of the main ways malicious miners spread these days is spam email. Crooks disguise their messages as genuine notifications, attach an infected file, and victims take the bait and get their computers infected. So being very careful with emails, particularly attachments, goes a long way toward avoiding miner malware.