CoffeeMiner Malware Virus – How to Detect And Remove It

CoffeeMiner Malware Virus – How to Detect And Remove It

remove CoffeeMiner malware monero miner virus stf

This article reveals how to remove the CoffeeMiner Monero cryptocurrency miner virus from your computer.

The CoffeeMiner malware is an advanced virus that can infect many computers at once and their resources in order to perform complex crypto currency operations (also known as mining) that generate income for the hacker operators. It can also be used to deliver additional threats to the victims.

Threat Summary

TypeMiner Trojan Horse
Short DescriptionAims to use the system’s resources of the infected computers to mine for Monero and other crypto currencies.
SymptomsAfter infection the miner overloads the CPU for extended periods of time which results in poor PC performance and system crashes.
Distribution MethodNetworks attacks, exploits, emails, scam sites and malware downloads.
Detection Tool See If Your System Has Been Affected by CoffeeMiner


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss CoffeeMiner.

CoffeeMiner Malware — Distribution Methods

The CoffeeMiner malware is an advanced threat that has just been reported by the security community. Instead of utilizing traditional approaches it is mostly directed at victims using a complex MITM (Man-In-The-Middle) injection attack.

According to the predefined scenario the hackers execute a public Wi-Fi spoof. The reports indicate that the CoffeeMiner malware has already been tested in a real-world example case to prove that it works.

Not only do the infections can be deployed using custom behavior patterns, the whole scenario can be deployed using a virtual machine as well. One of the detailed guides showcase how this can be achieved using the popular Kali Linux distribution. The criminal controllers have demonstrated how all three types of users can be simulated — the victim, attacker and gateway device.

The CoffeeMiner malware infection can be initiated by starting an ARP poisoning attack on the network to which the targets are connected. These are usually popular public Wi-Fi networks that belong to locations such as the following:

  • Coffeee Shops
  • Restaurants
  • Bars
  • City Parks
  • Shopping Malls
  • Airports

Once this is done another tool is used to analyze the traffic and input dangerous JavaScript code into the transmitted HTML pages. This means that while the victim users are browsing Internet pages they can be infected with the CoffeeMiner malware. This includes even legitimate sites and secured content as the dangerous code does not originate from the servers, but the network itself.

Traditional malware infection routes include the following tactics:

  • Email Messages — The computer criminals can generate email messages based on templates that can include attachments or links to files containing virus files. In other cases social engineering may be used to coerce the victims into connecting to the rogue network.
  • Infected Files — Dangerous and/or spoofed files can be hosted on file sharing sites, communities, portals and Torrent trackers.
  • Redirects — Web Scripts, redirects and ads can institute the dangerous Miner code into the browsers.
Related Story: PyCryptoMiner Targets Linux Machines to Mine for Monero

CoffeeMiner Malware — More Details

CoffeeMiner Malware image

The CoffeeMiner malware is a Python-based virus that poses a serious threat to computer users. Its main method of execution relies on manipulating computer users into connecting to a rogue network via a wireless (Wi-Fi) connection. Once the infected hosts are in range the MITM attack is initiated either manually or by following an predefined attack pattern:

  1. The hacker controllers or the scripts automatically selects the target victims from all available connected clients to the rogue network.
  2. The file injection is done using JavaScript code to the browsers. The hackers employ in order to fool the browsers into executing the dangerous code.
  3. The crypto currency miner starts to mine the designated crypto currency (Monero) using predefined settings.
  4. All affected devices on the rogue network are configured to report back to the host that started the infection.

The JavaScript miner code is executed on the target hosts. The proof-of-concept coed and demonstrations used the CoinHive code which mines the Monero cryptocurrency (XMR). This is one of the most popular alternatives to the Bitcoin currency as it is privacy-centric and has become very popular in the last few months. Further modifications of the code can institute two types of malware infections. The first and more common miner installation is the in-browser execution which automatically starts the miner software once the infected web browser is opened. The persistent infiltration burrows itself deep into the operating system and launched itself when the computer is booted. Certain versions can use advanced techniques to protect themselves from removal.

Advanced virus strains and customized versions of the CoffeeMiner malware can also be used to institute other system changes. This can either disrupt the normal functioning of the computers or result in additional malware delivery. If the behavior patterns are configured to run in a multi-stage delivery then the initial post-infection phase can include a stealth protection module. It is used to scan the computer for the presence of any anti-virus products, sandboxes, debugging tools and virtual machines. If the virus finds that it cannot bypass them then it can remove itself to avoid detection.

Some of the customized malware instances engage in information gathering operations that seek to extract as much valuable data as possible. There are two main groups of data that can be outlined in these kind of attacks — anonymous metrics and personally-identifiable data. The first one is related mainly to the hardware components and configuration of the operating system. The second group of data can be used to directly expose the users by revealing details about their identity. Examples include the following: real names, address, telephone numbers, nicknames, user preferences, interests and etc. Remote administration of the compromised hosts can be achieved using two methods:

  • Server Control — This method employs malware code that automatically connects the infected machine to a command and control (C&C) server which is operated by the hackers. It allows them to execute arbitrary commands, as well as install additional modules to the targets at will.
  • Trojan Component — Customized instances of the CoffeeMiner malware can employ a fully-featured Trojan module that directly communicates with the hackers. It not only allows them to monitor the users actions in real time but also overtake control of the machines in real time.

Further system changes include boot options that impact the way the computer starts. The hackers usually use this to prevent manual user recovery methods. The made alterations disable the Windows startup recovery function and certain options. When registry changes are enforced the victims may experience severe performance issues, as well as notice that certain services and applications may fail. Other malicious actions that can severely impact the systems is the ability to delete the discovered Shadow Volume Copies of a target host. Such information can then be only restored using a quality data recovery solution (refer to our guide below).

When several of these actions are combined the resulting effect can result in a persistent state of execution. This is a form of virus infiltaration that actively prevents the users from removing it. The malware can continuously monitor the users actions and prevent any removal attempts automatically.

The security experts speculate that since the CoffeeMiner malware infects the target hosts mainly via the browsers then it can also institute various browser hijackers. They represent dangerous browser plugins that are usually made for the most popular web browsers: Google Chrome, Mozilla Firefox, Microsoft Edge, Internet Explorer, Safari and Opera. One of the main objectives of these type of malware is to redirect the victims to hacker-controlled sites. A typical scenario would include the modification of the most important settings such as: the default home page, search engine and new tabs page. Furthermore the hackers can also extract sensitive personal data such as: bookmarks, history, form data, preferences, cookies, passwords and account credentials. The hacker-controlled pages usually install intrusive tracking cookies that aim to extract sensitive information about the users interests and actions. All of this data is pooled into databases that are then sold to marketing agencies for profit.

It would be easy to deploy the CoffeeMiner malware as part of a complex hacking attack. The analysts note that the criminal operators can utilize a powerful Wi-Fi antenna and a small portable server or mobile device to maintain a wider range. Depending on the exact location, buildings and interference if made correctly the attack can potentially impact thousands of users.

We remind our readers once again that the malware code is written in the popular Python programming language which is very versatile. It allows the threat’s modular base to be further extended with additional components. If other tools are deployed the potential consequences can be even more damaging. One of the propositions is the interaction with the popular network analyzer nmap using a script. It would allow the malware to automatically attack the available IP addresses of the local network to the CoffeeMiner victim list. Another potential future implementation is the ssltrip component which ensures that the traffic alterations can also be made over the HTTPS secured sites.

Related Story: Archive Poster Miner Virus

How to Remove CoffeeMiner Miner Virus from Your Computer

The detection of the malicious CoffeeMiner miner virus is not that easy. It is a persistent threat that may remain hidden on the system for a long time. That’s why security experts recommend the help of a professional anti-malware tool for its detection and removal. Such a tool guarantees maximum removal efficiency and future malware protection.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share