On x86 systems, it injects Cryptonight miner code into a running process and launches a process monitor.
The main dropper is a Microsoft installer that checks the running environment. We will discuss that detail later in this post. This cryptocurrency mining malware is uncommon in that it drops a different miner depending on the configuration of the machine it infects. We have observed it across the globe, with the highest number of infections in Brazil, South Africa, and the United States.įigure 2: McAfee Labs heat map of WebCobra infections from September 9–13. We believe this threat arrives via rogue PUP installers. McAfee products detect and protect against this threat. McAfee Labs has previously analyzed the cryptocurrency file infector CoinMiner and the Cyber Threat Alliance, with major assistance from McAfee, has published a report, “The Illicit Cryptocurrency Mining Threat.” Recently we examined the Russian application WebCobra, which silently drops and installs the Cryptonight miner or Claymore’s Zcash miner, depending on the architecture WebCobra finds. The total samples of coin miner malware continue to grow. The following chart shows how the prevalence of miner malware follows changes in the price of Monero cryptocurrency.įigure 1 : The price of cryptocurrency Monero peaked at the beginning of 2018. The increase in the value of cryptocurrencies has inspired cybercriminals to employ malware that steals machine resources to mine crypto coins without the victims’ consent. As the malware increases power consumption, the machine slows down, leaving the owner with a headache and an unwelcome bill, as the energy it takes to mine a single bitcoin can cost from $531 to $26,170, according to a recent report. Once a machine is compromised, a malicious app runs silently in the background with just one sign: performance degradation. McAfee Labs researchers have discovered new Russian malware, dubbed WebCobra, which harnesses victims’ computing power to mine for cryptocurrencies.Ĭoin mining malware is difficult to detect.
The authors thank their colleagues Oliver Devane and Deepak Setty for their help with this analysis.
0 kommentar(er)
