
Food for thought


How much was mined in 2018?


Wednesday, February 6, 2019

2018 was without doubt the year of mining. Other kinds of malware kept evolving and spreading in large numbers too, but it was rogue miners that received the most media coverage. Attackers expected to make a great deal of money. Now that the year is over, it is time to see how much their mining actually brought in.

Researchers identified 2,341 Monero addresses belonging to criminals.


That is not many, especially considering how many new rogue miners appear every day. The explanation is that a small number of criminals, using a small number of wallets, can churn out dozens or even hundreds of new malicious samples a day, all of them paying into the same addresses. Generating those samples is easy, because the tooling is sold openly. Here is one such offer:

A custom covert miner build is for sale.

It is tailored to work with Minergate, but you can change the mining component and use it with whatever you wish.

The kit comes with the following:

  1. A Trojan (27.5 KB) that covertly installs the rogue miner + source code
  2. Worker (24 KB), which updates the mining module's launch parameters by downloading them from a remote server and makes sure that it launches at startup + source code
  3. A mining module (actually, you can incorporate any other similar module; the instructions for doing that are also available)
  4. A manual on how to use a crypter for free
  5. Tips on how to maximize the time during which the mining module and the worker remain undetected by anti-viruses

Perfect for bundling: the Trojan runs for just a couple of seconds, while the mining module and the worker are disguised as popular legitimate applications and reside in system directories.

Price: RUB 200.

And here is another one:


The price appears on the first search result page generated in response to a simple query. No darknet needed!

Why Monero (XMR)? Just because that's their favourite coin:

  • As many as 84% of the malicious programs examined mine Monero.


But those are the technical details. What did the criminals actually gain?

Over 50% of the wallets (1,278 addresses) never stored more than 0.01 XMR (about 1.27 USD).

Surprising, isn't it, given what everyone expected? Mining botnets do exist, but there are not many of them. The few that have drawn media attention have survived only because users neglect to install and update their anti-virus software.

But could it be that the remaining criminals have become the wealthiest cryptocurrency owners?

Only 99 criminal-owned wallets contained more than 1,000 XMR (about 126,500 USD), and only 16 wallets held more than 10,000 XMR (about 1,260,000 USD).


For comparison, on the Bitcoin side: over 13 million of the 23 million known wallets store less than 1 BTC, only 1,500 wallets store between 1,000 and 10,000 BTC, and only 111 wallets store more than 10,000 BTC.


So, yes, it looks like a significant number of cryptocurrency millionaires are probably criminals.

Smominru has already infected over 526,000 computers, most of them Windows servers that have not had security updates installed. Since May 2017 it has mined 8,900 XMR (about 3.6 million USD). New nodes are brought into the botnet with the EternalBlue exploit (the SMBv1 vulnerability fixed by MS17-010), which was developed by the US National Security Agency (NSA) and later leaked.

The Smominru command and control infrastructure makes use of SharkTech's hosting and DDoS protection services. The company was notified about the abuse but reportedly didn't respond to the notifications.

According to researchers, at least 25 hosts were used to scan the Internet for vulnerable machines. The threat actors also use another leaked NSA exploit, EsteemAudit (CVE-2017-0176), which targets the Remote Desktop Protocol on Windows XP and Windows Server 2003.

Source 1, 2

Finding a rogue miner on a system by hand is not easy; even an IT professional may find it challenging. Rogue miners hide their processes well, borrow the names of legitimate applications, and throttle their CPU usage when there is a risk of drawing attention.
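The heuristics a defender can fall back on follow from the kit described above: the worker pulls its launch parameters from a remote server, the miner masquerades as a legitimate application in a system directory, and the whole thing talks to a pool. The script below is an added example, not Dr.Web's detection logic or anything from the original article; it scores a constructed process snapshot against a few indicators that are assumptions stated in the comments (stratum URLs or a Monero address on the command line, connections to ports commonly used by public pools, and a Windows system binary name that either runs from the wrong directory or is talking to a pool). The sample processes and the wallet address are made up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumptions, not facts from the article:
# - stratum is the de facto pool protocol, so "stratum+tcp://" or
#   "stratum+ssl://" on a command line is a strong signal;
# - these TCP ports are commonly used by public mining pools;
# - a standard Monero address is 95 Base58 characters starting with '4'.
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://", re.IGNORECASE)
XMR_ADDR_RE = re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")

# Names a dropped payload is likely to borrow (assumption) and the
# directories where the genuine binaries live on a default install.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe",
                "csrss.exe", "winlogon.exe", "spoolsv.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Proc:
    """One row of a process snapshot (e.g. from a tasklist/netstat dump)."""
    pid: int
    name: str
    path: str
    cmdline: str
    remote_ports: List[int] = field(default_factory=list)


def miner_indicators(p: Proc) -> List[str]:
    """Return the list of indicators that fire for one process."""
    hits: List[str] = []
    if STRATUM_RE.search(p.cmdline):
        hits.append("stratum URL in command line")
    if XMR_ADDR_RE.search(p.cmdline):
        hits.append("Monero address in command line")
    pool = sorted(set(p.remote_ports) & POOL_PORTS)
    if pool:
        hits.append(f"connection to pool-like port(s) {pool}")
    name, path = p.name.lower(), p.path.lower()
    if name in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS):
        hits.append("system binary name outside system directory")
    if name in SYSTEM_NAMES and pool:
        # The real svchost/explorer/lsass have no reason to talk to a pool.
        hits.append("system-named process with pool connection")
    return hits


def scan(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> indicators for every process with at least one hit."""
    flagged: Dict[int, List[str]] = {}
    for p in procs:
        hits = miner_indicators(p)
        if hits:
            flagged[p.pid] = hits
    return flagged


# Constructed snapshot: one clean system process, one clean browser, one
# miner with everything on its command line, and one miner that keeps its
# parameters in a downloaded config file (as the worker in the ad does),
# so only the network connection gives it away.
FAKE_XMR_ADDR = "4" + "A" * 94  # shape of a Monero address, not a real one
SAMPLE = [
    Proc(812, "svchost.exe", "C:\\Windows\\System32\\svchost.exe",
         "svchost.exe -k netsvcs", [443]),
    Proc(1190, "chrome.exe",
         "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
         "chrome.exe", [443, 443]),
    Proc(4021, "explorer.exe", "C:\\ProgramData\\Cache\\explorer.exe",
         f"explorer.exe -o stratum+tcp://pool.example:3333 -u {FAKE_XMR_ADDR}",
         [3333]),
    Proc(5630, "ChromeUpdate.exe", "C:\\Windows\\System32\\ChromeUpdate.exe",
         "ChromeUpdate.exe --config C:\\Windows\\System32\\cfg.json",
         [14444]),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE).items():
        print(pid, "->", "; ".join(hits))
```

The last sample process is the interesting one: nothing on its command line is suspicious and it sits in System32 under a plausible name, so the only thing left to look at is where it connects. That is why a snapshot of outbound connections, not just a process list, is the minimum input for this kind of check, and why a miner that throttles its CPU use still shows up.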

Dr.Web, on the other hand, handles them without difficulty. It detects the Trojans described above as Trojan.BtcMine.1559 and Trojan.BtcMine.1505 and removes them without interfering with the system's operation.

#mining #bitcoin #malware

The Anti-virus Times recommends

Don't want others to become millionaires at your expense? Install an anti-virus, keep it up to date, and don't forget to renew your license. Despite what many people think, no anti-virus can operate effectively without updates.

