Crypto Mining Malware Becoming Increasingly Widespread – Zminer, CoinMiner Among The Latest

Cryptocurrency mining has become quite lucrative, thanks to exploding crypto prices. In fact, the overall market cap has already exceeded $154 billion [Ref]. The increasing popularity of cryptocurrencies is due to their unique features like anonymity, convenience, speed, and profitability.

Cryptocurrency Mining Process: Not Quite Easy

Mining cryptocurrencies is much more difficult than is let on, as it requires quite a lot of resources. For successful mining, you need graphics cards, dedicated high-end processors, and other hardware, and you also have to bear the related electricity costs. In the end, the money spent on these resources significantly dents the profits made from mining.

In recent times, cybercriminals have found a way to overcome this issue: by using cryptocurrency-mining malware.

What is Cryptocurrency-Mining Malware?

In simple terms, cryptocurrency-mining malware is software that cybercriminals use to install cryptocurrency miners (e.g. Bitcoin miners) on users’ systems. The malware then lets the cybercriminals use the computing resources of the infected system for their own gain. Cybercriminals are mainly enticed by the fact that cryptocurrencies like Bitcoin are now being recognized as legitimate currency, which gives them real-world value.

Who’s Vulnerable and What is its Impact?

Criminals usually target gamers’ systems, as they have high-end graphics processing units (GPUs) or video cards that make mining quicker. If you use graphics-intensive applications, you are more likely to be targeted by cybercriminals.

Once your system is infected, you might notice that something is off because the system slows down quite a bit. This is because the miners eat up the system’s processing power. Quite soon, infected systems sustain higher wear and tear due to the effort required to process the cryptocurrency blocks. However, the user usually remains quite unaware of the mining.

CoinMiner, Zminer among the Latest Malware

The most recently reported cryptocurrency-mining malware are CoinMiner and Zminer.

Zminer is malware with two main payloads, called Claymore CryptoNote CPU Miner and Manager.exe. The Zminer executable is first dropped by an exploit kit as a drive-by download. It then connects to an Amazon S3 storage bucket to grab the two payloads.

Of the two payloads, “Manager.exe” oversees the mining and includes instructions for the Windows Task Scheduler. “Claymore”, on the other hand, is a mining utility used to produce Monero, an open-source cryptocurrency that goes to lengths to obfuscate its blockchain, making it a challenge to trace any activity. Once Zminer is up and running, it also seeks out and disables Windows Defender by adding several keys to the system registry.

Zminer’s use of Amazon Simple Storage Service has a two-fold advantage for the cybercriminal: payload delivery is quicker and easier, and victims never suspect it, because they believe that Amazon is a trusted source.

CoinMiner is malware that is quite difficult to trace, as it uses several techniques to remain on a machine once it is infected. CoinMiner first uses EternalBlue, the leaked NSA exploit, to get into the Windows system. The WMI (Windows Management Instrumentation) toolkit is then used to run malicious commands. WMI scripts run in the background to download the mining malware by connecting to the attacker’s C&C.

As per Trend Micro: “The combination of fileless WMI scripts and EternalBlue makes this threat extremely stealthy and persistent.”

Caution is the Answer

With malware getting smarter, prominent security researchers warn users to stay cautious. As Ashwin Vamshi at Netskope notes: “Users should treat abnormal increase in CPU usage as a potential indicator for coin-mining malware.”
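The indicators described above (sustained CPU load, a disabled Windows Defender, Task Scheduler entries and WMI-based persistence) can be checked on a Windows host with the following read-only PowerShell triage. It is an added example, not code from the original article or the vendors it cites. The 80% threshold, the sampling window, the path pattern and the choice to inspect WMI permanent event subscriptions are assumptions, since the article does not give those details.

```powershell
# Added example: read-only triage for the indicators this article names.
# Run elevated on the Windows host under review. The 80% threshold, the
# 5-second window and the path pattern are illustrative assumptions.

# 1. Sustained CPU use. Five one-second samples are averaged per process so a
#    brief spike is not reported. Assumes English performance counter names.
$cores = [Environment]::ProcessorCount
(Get-Counter '\Process(*)\% Processor Time' -SampleInterval 1 -MaxSamples 5).CounterSamples |
    Where-Object { $_.InstanceName -notin '_total', 'idle' } |
    Group-Object Path |
    ForEach-Object {
        $avg = ($_.Group | Measure-Object CookedValue -Average).Average
        [pscustomobject]@{
            Process   = $_.Group[0].InstanceName
            AvgCpuPct = [math]::Round($avg / $cores, 1)   # counter sums all cores
        }
    } |
    Where-Object AvgCpuPct -ge 80 | Format-Table -AutoSize

# 2. Windows Defender state. The article does not name the registry keys
#    Zminer adds, so list everything set under the Defender policy key.
Get-MpComputerStatus |
    Format-List AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
    -ErrorAction SilentlyContinue | Format-List

# 3. Scheduled tasks that launch a program from a user-writable location.
Get-ScheduledTask | ForEach-Object {
    foreach ($action in $_.Actions) {
        if ($action.Execute -match '(?i)AppData|\bTemp\b|Users\\Public') {
            [pscustomobject]@{
                Task      = $_.TaskPath + $_.TaskName
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }
} | Format-List

# 4. WMI permanent event subscriptions, a common home for fileless WMI
#    persistence. Most hosts have few or none, so review each entry.
$ns = 'root/subscription'
Get-CimInstance -Namespace $ns -ClassName __EventFilter | Format-List Name, Query
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer |
    Format-List Name, CommandLineTemplate
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer |
    Format-List Name, ScriptingEngine, ScriptText
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    Format-List Filter, Consumer
```

An error from `Get-MpComputerStatus` is itself worth noting, since it usually means the Defender service is not running.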

Reference Links: https://threatpost.com/cryptocurrency-mining-malware-hosted-in-amazon-s3-bucket/127643/, http://wccftech.com/cryptocurrency-mining-malware/, https://www.netskope.com/blog/coin-mining-malware-heads-cloud-zminer/