Coinminers (also called cryptocurrency miners) are programs that generate Bitcoin, Monero, Ethereum, or other cryptocurrencies that are surging in popularity. When intentionally run for one's own benefit, they may prove a valuable source of income.
However, malware authors have created threats and viruses which use commonly-available mining software to take advantage of someone else's computing resources (CPU, GPU, RAM, network bandwidth, and power), without their knowledge or consent (i.e. cryptojacking). Symantec's video What is Cryptojacking? provides a three-minute overview of this threat.
Symantec has developed robust defenses against unwanted coinminers in Symantec Endpoint Protection (SEP).
Symantec products will typically raise a warning when files related to coin mining are found or running, to bring them to an administrator's attention; although mining software is open source and widely used, it may be classified as a Potentially Unwanted Application in an enterprise environment.
Indications that a computer is mining include:
- High CPU and/or GPU usage
- Crashes or restarts
- Slow response times
- Unusual network activity (e.g. connections to mining-related websites or IP addresses). For example, you may notice unexpected PowerShell processes connecting to IP addresses associated with xmrpool[.]net, nanopool[.]org, moneropool[.]com, and similar addresses.
Coinminers run on various platforms, including:
- OS X/macOS
- Internet of Things (IoT) devices
If Symantec Endpoint Protection (SEP) logs entries similar to those listed in Appendix B: Symantec signatures, this may indicate that a coinminer is active on the computer.
Should coinminers be stopped?
While some administrators may not consider coinminers a priority because the threat is not inherently destructive, as is the case with ransomware, the wasted resources and impact on performance are still viewed as a nuisance. Therefore, Symantec highly recommends that you take action.
Symantec Security Response has encountered coinminers which not only generate income for criminals, but also carry out other nefarious activities on the network, including theft of credentials. The presence of coinminers should also alert administrators that there are weaknesses in their environment.
Destructive forms of malware use methods similar to those of coinminers. Eradicating miners and strengthening your network's defenses will help prevent other threats.
Understand the challenge
There are many different ways to force a computer or device to mine cryptocurrency. These are the three main types of miners:
- Executables - These are typical malicious or Potentially Unwanted Application (PUA) executable files (.exe) placed on the computer, designed to mine cryptocurrencies.
- Browser-based miners - Mining scripts (for example, Coinhive-style JavaScript) embedded in web pages, which run in the browser for as long as the user remains on that page.
- Advanced Fileless Miners - As predicted, malware has emerged that performs its mining work in a computer's memory by misusing legitimate tools like PowerShell. One example is MSH.Bluwimps, which carries out additional malicious acts in addition to mining.
Use all protection components
Coin mining executables can be caught by traditional security tools, including the following components in Symantec Endpoint Protection (SEP): Antivirus, Download Insight, Advanced Machine Learning, and SONAR. Undetected malicious executables can be discovered by SymDiag's Threat Analysis Scan. The more SEP components that are installed and enabled, the greater the chance of detecting these threats.
Browser-based miners can be detected and removed by antivirus definitions (for example, PUA.WASMcoinminer and JS.Webcoinminer). Expect repeated detections in the browser's cache location as the mining code on the webpage is likely to be reloaded as long as the computer user remains viewing that page.
Numerous IPS signatures have been built to block browser-based miners, so ensure that IPS is installed and enabled. Also ensure that the environment's IPS policy has been configured so that mining-related Audit signatures "Block" rather than just "Log" the traffic. As a final measure, you may need to block the website which contains the browser-based miner at the firewall.
Note: It is better to have the Intrusion Prevention System (IPS) component block these miners before they reach the computer.
Advanced fileless miners like MSH.Bluwimps are inherently difficult to detect and stop. Professional expertise from Symantec Technical Support will likely be necessary; Support can provide instructions on how SEP components can be configured to block the execution of these miners.
Harden your environment
Some tips to help prevent and respond to coinminers:
- Know your environment. Be aware how frequently end users report slow performance. React and investigate for miners if complaints increase.
- Defend web servers to prevent an attacker from adding Coinhive-style mining scripts to your websites.
- Apply all available vendor patches. Many miners that gain entry to an organization can move and execute by exploiting vulnerabilities for which patches already exist.
- Monitor network logs (IPS logs, DNS logs, firewall logs) for suspicious outgoing connections to mining-related IP addresses. Block these addresses at the corporate firewall, and consider suspicious any computer that continues to access those addresses.
- Lock down RDP access and frequently replace all user passwords—especially users with admin access—with new, strong passwords.
- Run a recent release of PowerShell (5 or higher), and configure it to log detailed activity.
- Take measures to secure your computers' built-in Windows Management Instrumentation (WMI). Attackers, including those seeking to mine coins, increasingly abuse this technology. Administrators should consider creating Group Policy Objects (GPO) or firewall rules to prevent unauthorized remote WMI actions, and perhaps control access by user accounts. See Microsoft's guidance in Maintaining WMI Security.
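A small triage script for the log-based indicators described under "Indications that a computer is mining" (unexpected PowerShell processes reaching the pool domains the article names) and for the "Monitor network logs" tip above (treat as suspicious any host that keeps reaching those addresses). This is an added example, not Symantec tooling; the log line format and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Pool domains named in the article, kept defanged ("[.]") as the article
# writes them and refanged only for matching.
POOL_DOMAINS_DEFANGED = ["xmrpool[.]net", "nanopool[.]org", "moneropool[.]com"]
POOL_DOMAINS = {d.replace("[.]", ".") for d in POOL_DOMAINS_DEFANGED}

# Constructed sample firewall/proxy log (not real traffic). Field order is an
# assumption of this example:  timestamp  host  process  destination  port
SAMPLE_LOG = """\
2019-05-01T09:00:01 WS-0412 chrome.exe www.example.com 443
2019-05-01T09:00:07 WS-0412 powershell.exe pool.xmrpool.net 3333
2019-05-01T09:01:10 WS-0519 outlook.exe mail.example.com 993
2019-05-01T09:02:15 WS-0412 powershell.exe pool.xmrpool.net 3333
2019-05-01T09:03:40 WS-0777 svchost.exe xmr-eu1.nanopool.org 14444
2019-05-01T09:04:02 WS-0412 powershell.exe pool.xmrpool.net 3333
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def is_pool_domain(dest):
    """True if dest is a listed pool domain or one of its subdomains."""
    dest = dest.lower().rstrip(".")
    return any(dest == d or dest.endswith("." + d) for d in POOL_DOMAINS)


def find_mining_indicators(log_text):
    """Return (findings, repeat_hosts).

    findings: one dict per connection to a pool domain; PowerShell as the
    connecting process is rated "high" because the article singles it out.
    repeat_hosts: hosts seen reaching pool domains more than once, i.e. the
    "continues to access those addresses" rule.
    """
    findings = []
    per_host = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, host, proc, dest, port = m.groups()
        if not is_pool_domain(dest):
            continue
        per_host[host] += 1
        severity = "high" if proc.lower() == "powershell.exe" else "medium"
        findings.append({"time": ts, "host": host, "process": proc,
                         "dest": dest, "port": int(port), "severity": severity})
    repeat_hosts = sorted(h for h, n in per_host.items() if n >= 2)
    return findings, repeat_hosts
```

The hosts returned in repeat_hosts are the ones to isolate and scan first; the block list at the corporate firewall should carry the refanged POOL_DOMAINS plus whatever your own IPS and DNS logs add.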
Follow best practices
When you suspect an undetected miner, see Virus removal and troubleshooting on a network.
Appendix A: Related articles
- Beapy: Cryptojacking Worm Hits Enterprises in China
- Cryptojacking Criminals Are Using Multiple Techniques to Install Coinminers
- Cryptojacking: A Modern Cash Cow
- Browser-based Cryptocurrency Mining Makes Unexpected Return from the dead
- Browser-based coin mining without a browser?
- 2018 Internet Security Threat Report
- High Noon for the Cryptominers
- Adylkuzz Cryptocurrency Miner Is Not The Next WannaCry
- IoT Worm Used to Mine Cryptocurrency
- Grappling with the ZeroAccess Botnet
- Hacking for Bitcoins: The Underground Economy, Pt. 6
- Bitcoin Botnet Mining
- Bitcoin Mining with Trojan.Badminer
Appendix B: Symantec signatures
The following catalog of signatures is not comprehensive, but provides an indication of the various definitions in place to halt unauthorized mining.
Many miners are detected under signatures such as PUA.Gen.2, Trojan.Gen.2, Trojan Horse, and other general classifications.
- JS.Webcoinminer (previously PUA.JScoinminer)
- Miner.Bitcoinminer (previously PUA.Bitcoinminer)
- Miner.Burst (previously PUA.Burstminer!s1)
- Miner.Cpuminer (previously PUA.Cpuminer!s1)
- Miner.Neoscrypt (previously PUA.Neoscrypt!s1)
- Miner.Zcashminer (previously PUA.Zcashminer)
Note: Configure the following Audit signatures to "Block".
- Audit: JSCoinminer Download 3
- System Infected: Miner.Bitcoinminer Activity
- System Infected: Miner.Bitcoinminer Activity 5
- System Infected: Miner.Bitcoinminer Activity 6
- System Infected: Miner.BitcoinMiner Activity 8
- System Infected: Miner.BitcoinMiner Activity 9
- System Infected: Coinminer Activity 2
- System Infected: CoinMiner Download
- System Infected: MoneroMiner Download Attempt
- System Infected: Trojan.Coinbitminer Activity
- System Infected: Trojan.Coinbitminer Activity 10
- System Infected: Trojan.Coinbitminer Activity 11
- System Infected: Trojan.Coinbitminer Activity 2
- System Infected: Trojan.Coinbitminer Activity 3
- System Infected: Trojan.Coinbitminer Activity 5
- System Infected: Trojan.Coinbitminer Activity 6
- System Infected: Trojan.Coinbitminer Activity 7
- System Infected: Trojan.Coinminer Activity 3
- System Infected: Trojan.Coinminer Activity 4
- System Infected: Trojan.Coinminer Activity 5
- System Infected: VBS CoinMiner Download
- Web Attack: Bitcoinminer Download Request 2
- Web Attack: Bitcoinminer Download Request 3
- Web Attack: CoinMiner Download
- Web Attack: JSCoinminer Download
- Web Attack: JSCoinminer Download 2
- Web Attack: JSCoinminer Download 10
- Web Attack: JSCoinminer Download 12
- Web Attack: JSCoinminer Download 13
- Web Attack: JSCoinminer Download 14
- Web Attack: JSCoinminer Download 16
- Web Attack: JSCoinminer Download 21
- Web Attack: JSCoinminer Download 22
- Web Attack: JSCoinminer Download 23
- Web Attack: JSCoinminer Download 24
- Web Attack: JSCoinminer Download 27
- Web Attack: JSCoinminer Download 34
- Web Attack: JSCoinminer Download 35
- Web Attack: JSCoinminer Download 36
- Web Attack: JSCoinminer Download 37
- Web Attack: JSCoinminer Download 38
- Web Attack: JSCoinminer Download 39
- Web Attack: JSCoinminer Download 40
- Web Attack: JSCoinminer Download 41
- Web Attack: JSCoinminer Download 6
- Web Attack: JSCoinminer Download 7
- Web Attack: JSCoinminer Download 8
- Web Attack: JSCoinminer Website
- Web Attack: Trojan.Coinbitminer Download