Evil Kitchen


Buy our mining application now, and get an anti-virus for free!


We often write about rogue mining applications, which is hardly surprising since they’ve become a major trend in the evolution of malware.

And you'll probably ask: what does malware have to do with mining? Indeed, if you use your own PC's hardware for mining, there is nothing wrong with it. But let's take a look at the features of one popular mining application currently available on the market.

Its developers warn buyers that the application is meant to be used on their own computers and offer buyers this end-user license agreement:

All the information is provided solely for evaluation purposes. The developer cannot be held responsible for any possible damage caused by this software (hereinafter, the Program).

The developer doesn't encourage users to break the law.

Under no circumstances shall the developer be held responsible for any direct, consequential or any other damage resulting from the use of the Program.

By using this Program, you agree to the Disclaimer terms and accept full responsibility for any consequences that may arise from using the Program.

The Program is being sold solely to make users familiar with the operation of mining applications and to help protect systems from rogue mining.

A nice attempt to avoid prosecution! However, the list of available features ruins the good impression:


It makes one wonder why a user who has purchased the software to run it on their own computer (as stipulated in the agreement) would need the application to operate covertly, protect itself from deletion and hide its process so that it doesn't appear in the Task Manager. Of course, the miner shouldn't interfere with the user experience… A miner bot control panel? Well, perhaps the user has a small home network and wants to control all miner installations remotely.

But that's just the tip of the iceberg. Let's see what else the usability-conscious developer has to offer:

  • Overwrite protection (prevents other users of the application from installing it on a PC that already has a miner installed on it);
  • When launched, the miner's loader is deleted automatically, and the mining application remains rooted in the system;
  • The ability to use the application with a crypter (and even download unique encrypted builds over FTP);
  • All application files and folders are placed in hidden system directories;
  • Fake start-up error messages with customisable message text;
  • The application suspends its operation temporarily while a Task Manager or other similar programs are running;
  • Three-tier protection preventing the mining processes from being terminated;
  • Automatic recovery after deletion;
  • The option to disable the Task manager or other similar programs;
  • The ability to masquerade as legitimate processes;
  • The application's files remain invisible even if the option to show hidden system files has been enabled.

As you can see, the mining application is designed to persist in a system and remain hidden from users for as long as possible. To accomplish this, it can adjust its CPU and video-adapter usage by suspending its operation when other resource-consuming applications are running and going full throttle when no other tasks are being performed in the system.
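The "pause while a monitoring tool is running" behaviour described above leaves a measurable trace: a process whose CPU usage collapses exactly when Task Manager or a similar tool appears. The following heuristic, added here as an illustration and not part of the Dr.Web article, runs over constructed process-activity samples and flags that pattern. The process names, thresholds and sample data are assumptions made for this example.

```python
from statistics import mean

# Process names treated as "monitoring tools" (assumption for this example).
MONITOR_TOOLS = {"taskmgr.exe", "procexp.exe", "perfmon.exe"}

# Constructed samples: (set of running process names, CPU% per process of interest).
# "updater.exe" stands in for a miner masquerading as a legitimate-sounding process.
SAMPLES = [
    ({"explorer.exe", "updater.exe"}, {"updater.exe": 91.0, "explorer.exe": 2.0}),
    ({"explorer.exe", "updater.exe"}, {"updater.exe": 88.5, "explorer.exe": 1.5}),
    ({"explorer.exe", "updater.exe", "taskmgr.exe"}, {"updater.exe": 0.4, "explorer.exe": 2.0}),
    ({"explorer.exe", "updater.exe", "procexp.exe"}, {"updater.exe": 0.0, "explorer.exe": 2.5}),
]


def cpu_split_by_monitor(samples, name):
    """Split one process's CPU readings into those taken while a monitoring
    tool was running and those taken while none was."""
    with_monitor, without_monitor = [], []
    for running, cpu in samples:
        if name not in cpu:
            continue
        bucket = with_monitor if running & MONITOR_TOOLS else without_monitor
        bucket.append(cpu[name])
    return with_monitor, without_monitor


def suspicious_processes(samples, high=50.0, low=5.0, min_samples=2):
    """Return process names that are busy when unobserved (mean CPU >= high)
    but nearly idle whenever a monitoring tool is present (mean CPU <= low)."""
    names = set()
    for _, cpu in samples:
        names.update(cpu)
    flagged = []
    for name in sorted(names):
        with_mon, without_mon = cpu_split_by_monitor(samples, name)
        if len(with_mon) < min_samples or len(without_mon) < min_samples:
            continue  # not enough evidence either way
        if mean(without_mon) >= high and mean(with_mon) <= low:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print(suspicious_processes(SAMPLES))  # ['updater.exe']
```

A legitimately heavy application (a video encoder, say) keeps its load regardless of whether Task Manager is open, so it does not trip the rule; only the monitor-correlated drop is flagged.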

And there’s even more. The premium package also includes the stealer and clipper modules.

As the name suggests, the former steals user data, including passwords, browsing history, cookies and other sensitive information that an attacker may find useful.

Meanwhile, the clipper can modify data in the clipboard. It can be used to alter a digital wallet ID (while a user is copying it into a web form to transfer money online, the ID is replaced with another ID so that the money ends up in the attackers' wallet).
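The clipboard substitution described above can be caught from the defender's side by comparing what the user actually copied with what is later read back from the clipboard. The check below is an added example, not code from the article or the product it describes; the address patterns, event format and function names are assumptions made for this illustration, and the event log is constructed.

```python
import re
from dataclasses import dataclass

# Rough "looks like a wallet ID" patterns (assumed for this example; they only
# need to distinguish wallet-like strings from ordinary text, not validate checksums).
WALLET_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def wallet_kind(text):
    """Return 'btc', 'eth' or None depending on whether text resembles a wallet ID."""
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


@dataclass
class ClipEvent:
    source: str  # "user_copy": the user pressed Ctrl+C; "clipboard_read": content observed later
    text: str


def detect_clipper(events):
    """Return (copied, observed) pairs where a wallet ID the user copied was
    silently replaced by a different ID of the same kind before being read back."""
    alerts = []
    last_copied = None
    for ev in events:
        if ev.source == "user_copy":
            last_copied = ev.text
        elif ev.source == "clipboard_read" and last_copied is not None:
            copied_kind, seen_kind = wallet_kind(last_copied), wallet_kind(ev.text)
            # A clipper swaps one address for another of the same currency;
            # unrelated clipboard changes (other apps, plain text) are not flagged.
            if ev.text != last_copied and copied_kind and copied_kind == seen_kind:
                alerts.append((last_copied, ev.text))
    return alerts


# Constructed event log: a legitimate copy/paste, then a swapped address.
USER_ADDRESS = "0x1234567890abcdef1234567890abcdef12345678"
SWAPPED_ADDRESS = "0x" + "deadbeef" * 5
SAMPLE_EVENTS = [
    ClipEvent("user_copy", USER_ADDRESS),
    ClipEvent("clipboard_read", USER_ADDRESS),   # unchanged: fine
    ClipEvent("user_copy", USER_ADDRESS),
    ClipEvent("clipboard_read", SWAPPED_ADDRESS),  # replaced in transit: alert
    ClipEvent("user_copy", "meeting notes"),
    ClipEvent("clipboard_read", SWAPPED_ADDRESS),  # copied text was not a wallet ID
]
```
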

So it turns out that threat actors not only use other people's computers to mine cryptocurrencies but also steal their passwords and change their wallet IDs. Moreover, the miner can be used to set up a real botnet and offers tools to control bots on infected devices.

This business is fully automated. A Telegram bot is used to sell the application. Customers can also take advantage of the technical support service, while the portfolio of additional client services might be a source of envy for many IT companies.

For example, the Telegram bot can provide customers with mining statistics from remote computers, help them configure the application, create a custom build with a required set of features, merge the malware files with other files to hide the malware, encrypt them to make it harder for an anti-virus to detect them, and even provide customers with lifetime access to a commercial anti-virus scanner(!).

That's customer care alright!

But let's get back to Earth. Despite the disclaimer, some features of the application, especially when bundled with the additional modules, are downright malicious.


Dr.Web recommends

  1. If you are interested in mining, bear in mind that some mining applications aren’t as harmless as they appear. We must not forget that not all virus writers are professionals in the field of programming, and their "creations" can damage the data on your computer.
  2. To prevent rogue miners from harnessing your hardware, configure your anti-miner protection properly. Here, our handbook may come in handy for you.
