xmrig

Malware

⚠️ Overview

xmrig is open-source cryptocurrency mining software published on GitHub by the developer "xmrig" in 2017 and written for legitimate Monero (XMR) mining. Because it is free, actively maintained and easy to automate, it has been widely repurposed as a cryptojacking payload by threat actors who deploy it on systems without the owner's consent; in that role security vendors classify it as a miner or Trojan.Miner. In MITRE ATT&CK terms, unauthorized mining maps to technique T1496, Resource Hijacking.

🔧 Technical Capabilities

xmrig is a standalone executable configured either with command-line arguments or with a JSON configuration file (config.json); both specify the algorithm or coin, one or more pool URLs, the wallet address used as the pool login, and the number of CPU threads or a thread-usage limit. For Monero it mines on the CPU with the RandomX proof-of-work algorithm, and it also ships OpenCL and CUDA backends for other algorithms. It works with any Stratum-compatible pool, including SupportXMR, MineXMR and Nanopool. Attackers deliver it through drive-by downloads, installers bundled with cracked software, phishing attachments, and exploitation of unpatched internet-facing services. Once running, it opens a long-lived TCP connection to the pool and speaks the Stratum protocol: it logs in with the wallet address, receives job assignments and submits hashing results (shares). Pools commonly listen on 3333, 4444 or 5555 in plaintext and on 443 or 8443 with TLS, so that the traffic blends in with HTTPS. Persistence is usually a scheduled task or a Windows Registry Run key, or a cron job on Linux. Evasion includes renaming the binary after a legitimate process (e.g., svchost.exe), injecting it through process hollowing, throttling CPU usage to stay below monitoring thresholds, and obfuscating the embedded configuration to defeat static detection. Some deployments add a user-mode rootkit (for example a preloaded library that filters the process list) to hide the miner from task managers.

📜 History & Notable Incidents

xmrig first appeared in public GitHub repositories in May 2017 and quickly gained popularity among both legitimate miners and attackers. In 2018 the SmokeLoader loader was observed delivering xmrig via malicious ISO files, affecting thousands of hosts worldwide. In late 2021 the Jofish cryptojacking campaign exploited the Log4Shell vulnerability (CVE-2021-44228) to deploy xmrig on enterprise servers. No high-profile law enforcement action has targeted xmrig operators specifically, since the software itself is legal and only its unauthorized deployment is criminal. Advisories from Cisco Talos, Palo Alto Networks and Trend Micro document its misuse.

🔍 Detection Indicators

File hashes are weak indicators: they change with every release and with each attacker rebuild, so a value such as the partial SHA256 e2d8a... quoted for one sample will not match the next. Behavioral indicators are more durable. On the host, look for sustained high CPU usage (90–100% across all cores), with the caveat that operators often throttle the miner or pause it while a user is active, so a lower but constant load on an idle machine is also suspicious; for a config.json or a renamed xmrig binary in user temp directories; and for Run-key values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (or scheduled tasks and cron entries) that start a binary from a user-writable path. On the network, look for DNS queries and outbound connections to mining pool domains such as pool.supportxmr.com, for connections to IP ranges of known pools, and for long-lived outbound TCP sessions on ports 3333, 4444, 5555 or 443; unencrypted sessions carry Stratum JSON-RPC messages whose "login", "job" and "submit" methods are visible in packet captures.
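The configuration structure described under Technical Capabilities and the host and network indicators above, exercised in one added Python example that is not xmrig project code. It parses a constructed xmrig-style config.json (the "pools", "cpu" and "donate-level" keys are xmrig's own; the wallet string and the 203.0.113.10 TEST-NET-3 address are placeholders), then checks constructed process-creation, Run-key and connection records and CPU samples against the indicators. The pool domain list is assumed from the pool names on the page, the xmrig switches come from its --help output, and the wallet pattern is the standard Monero address format.

```python
"""Added example (not xmrig project code): checking constructed telemetry for the
xmrig indicators described on this page. All sample data is made up."""
import json
import re
from urllib.parse import urlsplit

# Pool domains assumed from the pool names on the page (SupportXMR, MineXMR,
# Nanopool); extend from your own threat intelligence.
POOL_DOMAINS = ("supportxmr.com", "minexmr.com", "nanopool.org")
# Ports the page lists for Stratum traffic; 443 is also used for TLS'd Stratum.
STRATUM_PORTS = {3333, 4444, 5555, 443}
# Switches specific to xmrig's command line (see `xmrig --help`).
XMRIG_SWITCHES = ("--donate-level", "--tls", "--keepalive", "--cpu-max-threads-hint",
                  "--randomx-1gb-pages", "--coin=")
POOL_ARG = re.compile(r"(?:^|\s)(?:-o\s*|--url[= ])\S+:\d+")  # -o host:port / --url=host:port
# Standard Monero address: '4', one of [0-9AB], then 93 base58 characters.
XMR_ADDRESS = re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_pool_url(url):
    """Return (host, port, tls) for a bare host:port, stratum+tcp:// or stratum+ssl:// URL."""
    if "://" not in url:
        url = "stratum+tcp://" + url
    p = urlsplit(url)
    return p.hostname, p.port, p.scheme == "stratum+ssl"


def is_pool_host(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in POOL_DOMAINS)


def config_indicators(config_text):
    """Pool hosts, Stratum ports and CPU throttling found in an xmrig config.json."""
    cfg = json.loads(config_text)
    hits = []
    for pool in cfg.get("pools", []):
        host, port, tls = parse_pool_url(pool.get("url", ""))
        tls = tls or bool(pool.get("tls"))
        if is_pool_host(host):
            hits.append(f"pool host {host}")
        if port in STRATUM_PORTS:
            hits.append(f"stratum port {port} ({'tls' if tls else 'plaintext'})")
    hint = cfg.get("cpu", {}).get("max-threads-hint", 100)
    if hint < 100:  # a throttled miner never shows the 90-100% CPU load described above
        hits.append(f"cpu throttled to {hint}% of threads")
    return hits


def process_indicators(event):
    """Masquerading, xmrig switches and a wallet address in one process-creation event."""
    image, cmd = event["image"].lower(), event["cmdline"]
    hits = []
    if image.rsplit("\\", 1)[-1] == "svchost.exe" and not image.startswith(SYSTEM_DIRS):
        hits.append("svchost.exe started outside a system directory")
    if any(s in cmd for s in XMRIG_SWITCHES) and POOL_ARG.search(cmd):
        hits.append("xmrig switches with a pool URL")
    if XMR_ADDRESS.search(cmd):
        hits.append("Monero wallet address on the command line")
    return hits


def run_key_indicators(entry):
    """Autostart of a binary from Temp, or of a miner artifact, via a Run-key value."""
    value, hits = entry["value"].lower(), []
    if "\\temp\\" in value:
        hits.append(f"Run value {entry['name']!r} starts a binary from Temp")
    if "xmrig" in value or "config.json" in value:
        hits.append(f"Run value {entry['name']!r} references a miner artifact")
    return hits


def network_indicators(conn):
    """Known pool destination, or a non-443 Stratum port (443 alone is too noisy)."""
    if is_pool_host(conn["dst_host"]):
        return [f"connection to mining pool {conn['dst_host']}"]
    if conn["dst_port"] in STRATUM_PORTS - {443}:
        return [f"outbound connection on stratum port {conn['dst_port']}"]
    return []


def sustained_cpu(samples, threshold=90, min_samples=5):
    """True when at least min_samples consecutive readings are all >= threshold."""
    return len(samples) >= min_samples and all(s >= threshold for s in samples)


# Constructed samples: placeholder wallet (right shape, not a real address), TEST-NET-3 IP.
WALLET = "4" + "A" * 94
SAMPLE_CONFIG = """{
  "cpu": {"enabled": true, "max-threads-hint": 50},
  "donate-level": 1,
  "pools": [
    {"url": "stratum+ssl://pool.supportxmr.com:443", "user": "%s", "pass": "x", "keepalive": true},
    {"url": "203.0.113.10:3333", "user": "%s", "pass": "x", "tls": false}
  ]
}""" % (WALLET, WALLET)
MINER_PROCESS = {"image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
                 "cmdline": f"svchost.exe -o pool.supportxmr.com:443 -u {WALLET} -p x --tls --donate-level=1"}
MINER_RUN_KEY = {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "WindowsUpdate",
                 "value": r"C:\Users\alice\AppData\Local\Temp\svchost.exe -c config.json"}

if __name__ == "__main__":
    print(config_indicators(SAMPLE_CONFIG), process_indicators(MINER_PROCESS), run_key_indicators(MINER_RUN_KEY))
    print(network_indicators({"dst_host": "203.0.113.10", "dst_port": 3333}), sustained_cpu([97, 99, 98, 96, 99]))
```

The config check deliberately reports the throttled "max-threads-hint" value: a miner limited to half the cores never trips a 90–100% CPU rule, which is why the CPU check here is only one signal among several rather than the trigger.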

☠️ Risk & Impact

The primary impact is resource hijacking: CPU time goes to mining instead of legitimate workloads, with higher power consumption, thermal stress and accelerated hardware wear, and degraded performance for the system's real tasks. The financial cost shows up as higher electricity bills and, in cloud environments, as compute and overage charges billed to the victim, which can far exceed the value of the Monero mined. A miner also indicates a broader compromise, since the access used to plant it is available for other payloads. Education, government and healthcare are frequently affected because they run large numbers of under-monitored, underutilized servers that attackers find well suited to mining.

🛡️ Mitigation

Defenders should enforce application control (allowlisting) so that unauthorized executables cannot run, alert on sustained or anomalous CPU usage (including a constant moderate load on idle hosts, since miners are often throttled), and block and alert on known mining pool domains and Stratum ports at the egress firewall and DNS resolver. Endpoint rules (for example Sigma rules on process-creation events that match an image named xmrig, a command line containing xmrig switches such as --donate-level, or a config.json started from a temp directory) catch most unobfuscated deployments, and restricting unnecessary browser scripting and untrusted downloads reduces the drive-by and bundled-installer vectors. Prompt patching of internet-facing services, including CVE-2021-44228, closes the initial-access vectors used to deploy miners on servers, and cloud billing and CPU quota alerts expose mining in cloud accounts quickly.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.