Riskware/CoinMiner is a generic detection for riskware. Because the detection is generic, files detected as Riskware/CoinMiner may behave differently from one sample to the next.
Below are examples of its behaviours:
- This detection is based on characteristics commonly found in Bitcoin mining tools. Attackers have been found to implant these tools on unsuspecting users' machines so that the host can be used as a bitcoin miner.
- Below are some dropped files observed in some samples of this riskware:
  - %AllUsers%\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk
  - %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk
- Below are some of the observable effects of this riskware:
  - Figure 1: CoinMiner notes.
  - Figure 3: CoinMiner embedded within installers.
- In some instances, command-line utilities are used directly as coin miners:
  - Figure 4: XMRig command-line utility.
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
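The two indicators above (the dropped `gdlhost.lnk` in the all-users Startup folder, and a command-line miner such as XMRig run directly) can be triaged from a host inventory. The script below is an added example, not code from this page or from Fortinet: it checks a file listing for shortcuts in the Startup folder, treating the `gdlhost.lnk` name from the page as a direct match and any other `.lnk` there as something to review, and scores process command lines for pool-mining traits. The stratum URL scheme and the XMRig-style switches are an assumption drawn from the public XMRig interface, not from the page, and the sample paths and command lines are constructed.

```python
"""Triage helper for the Riskware/CoinMiner indicators described above.

Check 1: shortcut (.lnk) files in the all-users Startup folder, with the
gdlhost.lnk name from the page treated as a direct match.
Check 2: process command lines that look like a stratum-mining invocation
(the switch list is an assumption based on public XMRig usage).
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List

# Folder suffix shared by both dropped-file paths on the page, compared
# case-insensitively so that expanded (C:\ProgramData\...) and unexpanded
# (%ProgramData%\...) paths both match.
STARTUP_SUFFIX = r"\microsoft\windows\start menu\programs\startup"
KNOWN_DROPPED = {"gdlhost.lnk"}

STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://", re.IGNORECASE)
# Assumption: common public XMRig switches; tune to the tooling you see.
MINER_SWITCHES = {"-o", "--url", "-u", "--user", "-a", "--algo",
                  "--donate-level", "--coin"}


@dataclass
class Finding:
    kind: str       # "startup_lnk" or "miner_cmdline"
    evidence: str   # the path or command line that triggered it
    severity: str   # "high", "medium" or "review"


def check_startup_entries(paths: Iterable[str]) -> List[Finding]:
    """Flag shortcut files located in the all-users Startup folder."""
    findings = []
    for p in paths:
        folder, name = ntpath.split(p)
        if not folder.lower().endswith(STARTUP_SUFFIX):
            continue
        if name.lower() in KNOWN_DROPPED:
            findings.append(Finding("startup_lnk", p, "high"))
        elif name.lower().endswith(".lnk"):
            # Any other shortcut here is either legitimate autostart or
            # another dropper; surface it for a human to look at.
            findings.append(Finding("startup_lnk", p, "review"))
    return findings


def check_command_lines(cmdlines: Iterable[str]) -> List[Finding]:
    """Flag command lines that look like a pool-mining invocation."""
    findings = []
    for line in cmdlines:
        # Normalise "--url=..." to "--url" so both spellings count.
        tokens = [t.split("=", 1)[0] for t in line.split()]
        switches = MINER_SWITCHES.intersection(tokens)
        if STRATUM_RE.search(line):
            findings.append(Finding("miner_cmdline", line, "high"))
        elif len(switches) >= 2:
            findings.append(Finding("miner_cmdline", line, "medium"))
    return findings


def triage(paths: Iterable[str], cmdlines: Iterable[str]) -> List[Finding]:
    """Run both checks and return every finding in order."""
    return check_startup_entries(paths) + check_command_lines(cmdlines)


# Constructed sample input (not real telemetry): a Startup folder listing
# plus three process command lines.
SAMPLE_PATHS = [
    r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
    r"C:\Users\Public\Documents\notes.lnk",
]
SAMPLE_CMDLINES = [
    r"C:\Users\Public\miner.exe -o stratum+tcp://pool.invalid:3333 -u WALLET_PLACEHOLDER --donate-level 1",
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    r"C:\Tools\custom.exe --algo rx/0 --coin monero",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_PATHS, SAMPLE_CMDLINES):
        print(f"[{f.severity:6}] {f.kind}: {f.evidence}")
```

Feed `check_startup_entries` the output of a directory listing and `check_command_lines` the command lines from a process snapshot; a "high" finding from either check is a candidate for the quarantine and restore-from-backup step recommended above, while "review" entries are expected to include legitimate autostart shortcuts.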