Other issues in this category (55)
Cryptocurrencies remain a trending topic as many people continue to seek their fortune in mining. And while the number of new encryption ransomware samples being discovered remains roughly the same, new mining applications are mushrooming up everywhere. This inevitably results in clashes over pieces of the system resource "pie" needed for mining, and that means only one miner can come out on top.
How do rogue mining applications neutralise their competitors?
The competitors can be disabled:
After its successful installation, the malware (Trojan.Starter.7554, Trojan.BtcMine.2369 — a note by the Anti-virus Times) compiles a list of running processes and ends those that utilise a significant portion of CPU capacity; such processes include these mining applications:
Silence Carbon xmrig32 nscpucnminer64 cpuminer xmr86 xmrig xmr
Before the system gets infected, the script determines what kind of CPU is being used in the system (32-bit or 64-bit) and downloads the relevant malicious files.
Interestingly, the mining application's files, hpdriver.exe and hpw64, are disguised as HP device drivers.
But what can a rogue program do if a legitimate mining application has been installed by a user and is running in the infected system? Naturally, it will reconfigure it.
IBM security researchers discovered that the Trojan TrickBot (Trojan.Trick.45194 — a note by the Anti-virus Times) uses web injections to change the wallet address and thus redirect payments to the attackers' wallet.
Meanwhile, Android Trojans use their old trick—they display a fake dialogue on top of a legitimate application window and thus lure users into sending their money to criminals.
Some Trojan strains, such as ExoBot, BankBot, Marcher and Mazar (Android.Banker.165.origin and other Android Trojans– the note by the Anti-virus Times) can determine what applications are currently running on a device and display an appropriate fake window on top of an application's interface. The fake UI elements can be hardcoded into the Trojans or downloaded whenever necessary. According to IBM, the Trojans use this technique to steal funds in Bitcoin, Cash, Ethereum, Litecoin, Monero and other cryptocurrencies.
Paying with cryptocurrencies can be hazardous too.
Security researchers discovered the new malware ComboJack (an entire malicious software suite incorporating a variety of programs includingTrojan.ClipSpy.25) which can detect when a recipient cryptocurrency wallet address is being copied to the Windows clipboard and swap the address for the address of the attackers' wallet.
According to Palo Alto Networks, ComboJack can detect when a wallet address appears in the clipboard. It is worth mentioning that in addition to such cryptocurrencies as Bitcoin, Litecoin, Ethereum and Monero, it can also steal money from addresses belonging to such online payment systems as Qiwi, Yandex.Money and WebMoney (both dollar and ruble payments).
The Trojan's distribution scheme is rather complex: attackers send emails to potential victims that supposedly contain scanned copies of those victims’ lost IDs. The emails have a PDF document attached to them.
If a user downloads and opens the file, an RTF file is actually opened in Microsoft Word. The document incorporates an HTA element that attempts to leverage the DirectX vulnerability CVE-2017-8579.
Many users believe that the anti-viruses installed on PCs running mining applications do more harm than good (after all, they slow down their performance!). But without anti-virus protection, users may end up losing everything they've been mining and have just an electric bill to pay. Configuring an anti-virus properly seems like a better solution.
Add the files you don't want the anti-virus to scan onto its exceptions list.
To add your mining application onto the scan exception list, click on the icon (now it will look like this: ) , then click on the icon , and go to Settings -> Exclusions.
Important! It is not recommended to exclude application traffic from scanning. Otherwise, if a program downloads malware, the anti-virus won't be able to detect it while the download is in progress.