CYBER NEWS

Top 5 Cryptocurrency Miners and How to Remove Them

malware miners image

Web-based scripts and downloaded viruses deliver cryptocurrency miners that take advantage of the available system resources. The criminal operators have resorted into making multiple versions that include varied functionality. Our article lists the top 5 cryptocurrency miners that are actively attacking users on a global scale.


1. CoinHive Miner

Coinhive is among the most popular cryptocurrency miners utilized by both computer hackers and web site administrators. It is based on JavaScript code that can be embedded in any page and software. It relies on simple code that executes a series of complex algorithms that mine the Monero crypto currency. This is one of the most popular alternatives to Bitcoin which offers improved security and privacy. All Monero transactions are completely private and secure and there is no way of tracing down a payment down to a particular individual or company.

The Coinhive makers advertise their product as a convenient method for web-based games or providing “extras” to users that voluntarily (or unknowingly) run the script. The programmers refer to the miner availability as being a method for providing in-game currency. Running the code by the users can give them the ability to remove ads, receive game credits, video streaming time and other services which may be limited to free or public accounts on web services. The Monero mining algorithm is designed to run well on consumer processors and graphic cards.

How to Remove Coinhive Monero Miner Trojan from Your PC

2. The WDF Miner

The WDF miner is another popular threat that is part of a Trojan instance that bears the same name. Once it has infiltrated the victim computer it installs itself in the Windows system folder. The WDF miner executable file masks itself as an application called “NVIDIA Driver Profile Updater” and WDF Sound. This is a clever strategy as a large part of the desktop users utilize components made by NVidia.

WDF miner is capable of launching processes of its own that can overtake the system resources thus generating crypto currency for the hackers. As a result of the performance overload the system may stop responding at certain times, videos may stutter and applications may not run correctly.

In addition the WDF miner delivers a Trojan instance which gives the attackers the ability to spy on the users in real time. The module is able to record their mouse movement and keystrokes as well. During the infection phase most Trojan also extract a lot of sensitive information from the compromised systems such as the following: installed hardware components, software installers and user settings.

WDF.EXE Crypto Miner Trojan Virus – How to Remove It

3. Minergate.Exe (Bazon Trojan)

Miner malware including the Minergate instance are usually delivered together with another virus. In this case the Bazon Trojan is the counterpart assigned to assist the miner into infecting the designated targets.

The pair in the most popular case delivers the threat using email spam messages that utilize social engineering tricks. The widely used scenario of assuming the role of a famous company or a government institution is used to make the targets download and execute a file. It is masked as a letter, invoice or another document that may be of user interest. A wide range of formats can include the malware code including rich text documents, presentations or spreadsheets.

When the files are opened integrated scripts (macros) are run that seek to infect the compromised machines with the Minergate miner. The executable file which is then loaded into memory is copied to a system folder to prevent manual removal of the instance by deleting the payload.

The Bazon Trojan component modifies Windows registry values so that the Minergate code is loaded every time the computer boots. It is able to extract sensitive information from the computers including the following: system components, network status, stored account credentials, installed applications and etc.

Minergate.exe Win32.Bazon Trojan – How to Remove from Your PC

4. WaterMiner Monero Miner

WaterMiner is a dangerous virus that has gained notoriety across the security community. A large-scale campaign was detected last month that impacted users worldwide. The worrying fact is that the operators behind the WaterMiner malware used a non-standard infection strategy. The dangerous code was found on gaming mods for famous games ike the Grand Theft Auto series distributed on gaming forums and communities.

The first versions were not detected by the majority of the security products. As a consequence the compromised machines were fully exposed to the hackers. Once the first infections have taken place an automated attack sequence is started. Based on the hardcoded commands the engine can be used to deliver several payloads at once, including the WaterMiner itself.

A total of 11 miner files are loaded into various temporary folders which makes it very hard to manually remove the threat. WaterMiner uses the available computer resources to mine the Monero currency. It is possible that a Russian hacker or criminal collective is behind the infections.

WaterMiner Monero Miner Is the Newest Cryptocurrency Malware

5. Browser Extension Cryptocurrency Miners

Computer hackers have started to bundle miner malware into counterfeit browser extensions. A recent example is the Quick Searcher CPU Miner which is featured on the software repositories of some of the most popular web browsers (such as Mozilla Firefox or Google Chrome). The virus plugins can also be installed via infected software installers downloaded from hacked or hacker-operated download portals. It is believed that some of the versions associated with these addons use code from famous instance like Coinhive. At the onset of infection a series of prerequisite tasks can be executed to prepare the miner or deploy additional payloads (Trojans, adware or ransomware).

Quick Searcher CPU Miner Removal Guide

The Consequences of the Cryptocurrency Miners Infections

Crypto miners are the latest hit in the hacker communities. They take advantage of the numerous infiltration strategies that are used by the viruses. In most cases the miners themselves are not delivered stand alone but come rather as a secondary payload during the infection sequence of most viruses.

Notable exceptions are when hackers bundle them in web pages, ad networks or browser hijacker code. This is an intentional act. In other cases site administrators can include the code in order to generate revenue. This can be interpreted as a sort of donation from the site visitors. A notable case was a Pirate Bay proxy site that included a miner in its home page. Whenever a site wanted to access the torrent tracker their computer resources were used to run the software and thus generate revenue for the site operators.

The miners can also be delivered in mass infection strategies, the most popular case is the use of vulnerability exploits. A large-scale attack was initiated in May 2017 when hacker collectives launched a worldwide malware attack set against unpatched Microsoft Windows web servers. The key feature when it comes to the miners is that they can be used to gain not only Bitcoins but also alternative currency such as Monero or Ethereum.


As always we urge computer users to rely on a trusted and quality security solution which is capable to protect their systems and remove active infections with a few mouse clicks.

Download

Malware Removal Tool


Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter

Avatar

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts

Follow Me:
Twitter

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...