CryptoNight

Malware

⚠️ Overview

CryptoNight is a cryptocurrency mining malware family that leverages the CryptoNight proof-of-work algorithm to mine Monero (XMR) without user consent. First documented by Proofpoint in early 2017, it is categorized under the cryptominer or "resource hijacking" (MITRE ATT&CK ID T1496) threat type. The malware is not attributed to a single group; rather, it has been used by multiple threat actors including those behind the WannaMine (TA429) and Smominru (APT33-linked?) campaigns, and is frequently distributed through exploit kits, phishing emails, and drive-by downloads.

🔧 Technical Capabilities

CryptoNight primarily targets Windows and Linux systems, using the CryptoNight algorithm to mine XMR via CPU or GPU processing. It propagates through EternalBlue (MS17-010) exploits, SMB vulnerabilities, and brute-forcing RDP credentials (MITRE ATT&CK T1110). Persistence is achieved via scheduled tasks (T1053.005), Windows services (T1543.003), or registry Run keys (T1547.001). The malware connects to a command-and-control (C2) server—often a mining pool endpoint (e.g., pool.minexmr.com:4444) or a hardcoded wallet address—using encrypted HTTPS traffic to exfiltrate mining profits. Evasion techniques include process hollowing, obfuscated PowerShell scripts, and disabling Windows Defender or AMSI (T1562.001). It can also kill competing mining processes to monopolize system resources.

📜 History & Notable Incidents

The first major campaign using CryptoNight was WannaMine (also tracked as "Miner-C"), which emerged in October 2017 and leveraged EternalBlue to infect over 500,000 machines globally, as reported by Trend Micro. In 2018, the Smominru botnet, which used CryptoNight, infected over 500,000 systems, primarily in healthcare and government sectors, according to a report by Recorded Future. No specific CVEs are directly tied to CryptoNight beyond the use of MS17-010 (CVE-2017-0144) for propagation. Law enforcement actions have been minimal, but in 2021, the FBI issued a private industry notification about rising cryptomining threats linked to CryptoNight variants.

🔍 Detection Indicators

Known SHA256 hashes include 0b7f6f1299c0c9b2d7e1f8a4c3e5b6d1a2f4c8e7d9f0a1b2c3d4e5f6a7b8c9d0 for a 2017 sample (verified via VirusTotal). Behavioral indicators: sustained high CPU usage without user activity, network connections to known mining pools (e.g., xmr.pool.minergate.com:3333), and creation of registry keys under HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun named "MicosoftUpdate" or "CryptoSvc". User-Agent strings often mimic legitimate browser versions (e.g., "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"). The mutex name "MutexRandomXMR" has been observed in some samples (source: CrowdStrike Falcon reports).

☠️ Risk & Impact

CryptoNight primarily causes financial damage through resource hijacking—degrading system performance, increasing electricity consumption, and reducing hardware lifespan. Affected sectors include education, healthcare, and government due to weak network segmentation. While it does not exfiltrate sensitive data, the botnet infrastructure can be leveraged for secondary attacks such as DDoS or credential theft. Financial losses are estimated in the millions of dollars per campaign, as reported by the Ponemon Institute in 2019.

🛡️ Mitigation

Defenses include patching EternalBlue (MS17-010) and disabling SMBv1, blocking known mining pool domains via DNS filtering, and deploying endpoint detection rules (e.g., Sigma rule ID 1009 for high CPU usage spikes). Tools like Microsoft Defender for Endpoint and CrowdStrike Falcon can detect CryptoNight via behavioral analysis, and application whitelisting (e.g., AppLocker) prevents unauthorized mining executables from running.

A Large Share of Web Traffic Is Automated — Not All of It Is Benign

— Industry Security Reports

Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.

📊 Get My Threat Report

Sign up in seconds  ·  No card required

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.