Coinminer


⚠️ Overview

Coinminer is a broad category of cryptocurrency-mining malware that hijacks victim CPU and GPU time (and the electricity behind it) to mine digital currency, overwhelmingly Monero (XMR): its CryptoNight and, since late 2019, RandomX algorithms are built to run well on ordinary CPUs, and its privacy features make payouts hard to trace. File-based Bitcoin miners appeared in the early 2010s; in-browser "cryptojacking" peaked with the Coinhive script (2017 to 2019), and current campaigns are file-based, frequently wormable, and run by financially motivated groups such as Rocke. MITRE ATT&CK classifies the behaviour as Resource Hijacking (T1496), and the loaders that deliver miners often double as botnet and worm components.

🔧 Technical Capabilities

Coinminer propagates through multiple vectors: exploiting SMB flaws (CVE-2017-0144, EternalBlue), brute-forcing RDP and SSH credentials, abusing exposed services such as unauthenticated Redis on Linux hosts, moving laterally with Windows Management Instrumentation (T1047), and dropping payloads via malicious macros in phishing mail. Mining traffic uses the Stratum protocol (JSON-RPC over TCP, increasingly wrapped in TLS), typically to pool ports 3333, 4444, 5555 or 14444, through XMRig or a renamed fork of it; GPU-oriented miners such as Claymore appear less often. Pool and C2 addresses are rotated through domain-generation algorithms (T1568.002), proxies or Tor (T1090.003) to outlast takedowns. Persistence is achieved through registry Run keys (for example HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost, the value name chosen to look like the system process), scheduled tasks (T1053), and injection into or masquerading as legitimate processes such as svchost.exe or explorer.exe. Evasion techniques include packing the miner with UPX, disabling Windows Defender via PowerShell (T1562.001), pausing mining while Task Manager or other monitoring tools are open, and on Linux loading rootkits that hide the miner's process and CPU usage. Some variants, like WannaMine, spread worm-like by combining EternalBlue with credentials harvested by Mimikatz and reused for WMI lateral movement (pass-the-hash, T1550.002).

📜 History & Notable Incidents

The first large coinminer botnet was Smominru (2017 to 2018), which Proofpoint estimated at more than 520,000 infected Windows hosts, concentrated in Russia, India and Taiwan, spread with EternalBlue and earning its operators millions of dollars in Monero. WannaMine, reported in early 2018, used the same EternalBlue exploit together with Mimikatz-harvested credentials and living-off-the-land tooling (PowerShell and WMI) to traverse enterprise networks. The Rocke group targeted Linux and Windows servers by exploiting Apache Struts 2 (CVE-2017-5638) and Oracle WebLogic (CVE-2017-10271) and by abusing unauthenticated Redis instances to deploy miners. No single CVE is uniquely associated with coinminers: operators follow whatever remote-code-execution flaw is exploitable at scale at the time (CVE-2017-0144, CVE-2019-0708/BlueKeep and CVE-2021-26855/ProxyLogon among others).

🔍 Detection Indicators

File hashes change with every repack, so behavioural indicators are the durable ones. Host indicators: sustained CPU usage above 90% from a process with no reason to be busy, processes named after system binaries (svchost.exe, explorer.exe) running from user-writable paths, and command lines carrying XMRig-style switches (-o/--url, -u/--user, --donate-level, --coin) or a 95-character Monero address beginning with 4 or 8. Network indicators: outbound connections to mining pools such as pool.supportxmr.com:3333 or pool.minexmr.com:4444 on ports 3333, 4444, 5555 or 14444, and Stratum JSON-RPC traffic whose first request is a "login" method call with the wallet address in the login parameter; pools fronted by TLS on 443 are visible only through SNI or the CPU baseline, and port 4444 alone is a weak signal because other tooling uses it. Registry artifacts: entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{random GUID} naming the miner, or a value under HKCU\...\Run pointing at an XMRig binary. Named mutexes under Global\ that encode the miner's name are common and make a usable host signature once the sample is known.

☠️ Risk & Impact

Coinminer's primary impact is operational: degraded performance, higher electricity bills and shortened hardware life from sustained thermal load; in cloud environments the cost appears directly as compute spend on instances the attacker saturated or created. Per-node losses are modest, but botnets the size of Smominru turn them into millions of dollars of stolen compute per year. Affected sectors include healthcare, education, manufacturing and cloud hosting, that is, any organization with weak endpoint visibility. Coinminers rarely exfiltrate data themselves, but the access used to plant them (stolen credentials, an unpatched RCE, a PowerShell loader with C2) is the same access that delivers ransomware, so an infection is evidence of a breach rather than a nuisance.

🛡️ Mitigation

Defenders should enforce application allow-listing so unsigned miner binaries cannot run, patch the RCE flaws miners ride on (CVE-2017-0144, CVE-2019-0708, CVE-2021-26855) and close exposed RDP, SSH and Redis, run users and service accounts with least privilege so a foothold cannot install a service or scheduled task, and baseline CPU consumption per host in the SIEM so a sustained jump raises an alert. A network signature for Stratum logins to common pool ports (Suricata syntax; pools reached over TLS on 443 will not match and need SNI or JA3 inspection):

alert tcp $HOME_NET any -> $EXTERNAL_NET [3333,4444,5555,14444] (msg:"Possible Stratum mining login"; flow:established,to_server; content:"|22|method|22|"; content:"|22|login|22|"; distance:0; sid:1000001; rev:1;)

A YARA rule that matches only the string "XMRig" is noisy; requiring two miner-specific strings is more useful:

rule Coinminer_XMRig { strings: $a = "XMRig" ascii wide $b = "donate-level" ascii $c = "stratum+tcp://" ascii condition: 2 of them }

Browser extensions and endpoint products that block known mining scripts and pool domains stop the commodity variants. Regular user training against phishing macros and credential reuse also reduces the infection surface.
