Virus

Riskware/CoinMiner

Analysis



Riskware/CoinMiner is a generic detection for riskware. Because the detection is generic, files detected as Riskware/CoinMiner may exhibit varying behaviour.
Below are examples of its behaviours:

  • This detection is based on characteristics commonly found in cryptocurrency mining tools, Bitcoin miners in particular. Attackers have been observed implanting these tools on unsuspecting users' machines in order to use the host's processing power for mining.

  • This riskware may come in various forms, such as Win32 executables, JavaScript, or MSI installers, but in each case the main functionality is to implant a coin miner.

  • Below are some dropped files observed for some samples of this Riskware:
    • %AllUsers%\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk
    • %AllUsers%\Windows\csrs.exe
    • %AllUsers%\Windows\svchost.vbs
    • %AppData%\Local\Windows\1.bat
    • %AppData%\Local\Windows\1514594927_log.txt
    • %AppData%\Local\Windows\csrs.exe
    • %AppData%\Local\Windows\svchost.vbs
    • %AppData%\Roaming\Coresource\gdlhost.exe
    • %AppData%\Roaming\Coresource\gdlhost.vbs
    • %AppData%\Roaming\Coresource\pools.txt
    • %AppData%\Roaming\Coresource\start_64bit.bat
    • %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk
    • %ProgramData%\Windows\csrs.exe
    • %ProgramData%\Windows\svchost.vbs
    • %Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\gdlhost.exe
    • %Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\icon.exe
    • %Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\IDM6.2B.2.exe
    • %Windows%\Installer\1e4eed.msi
    Some of the above mentioned files are detected as Riskware/CoinMiner.
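
    The placeholder paths above can be turned into a host sweep. The Python below is an added example, not Fortinet's tooling: it expands the %...% placeholders against a caller-supplied mapping and checks the result against a file listing (an EDR or `dir /s` export). Exact path matches are reported separately from weaker file-name-only matches, because the MSI GUID subfolder and the log-file name vary between samples, and the list itself shows the same files (csrs.exe, svchost.vbs) in two different locations. The SAMPLE_ENV values, the SAMPLE_INVENTORY listing and the alternate installer GUID in it are constructed for the demo. Note that the list writes %AppData%\Local and %AppData%\Roaming, so %AppData% here is the parent AppData directory, not the APPDATA environment variable (which points at Roaming).

```python
"""Sweep a file listing for the Riskware/CoinMiner dropped-file paths.

Added example, not Fortinet's code. %Name% placeholders are expanded against a
caller-supplied mapping so the same indicator list can be run over a listing
taken from any host. %AppData% is treated as the parent AppData directory,
matching the %AppData%\\Local / %AppData%\\Roaming usage in the list above.
"""
import ntpath
import re

# Indicator paths copied from the analysis above, placeholders left as written.
INDICATOR_PATHS = [
    r"%AllUsers%\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk",
    r"%AllUsers%\Windows\csrs.exe",
    r"%AllUsers%\Windows\svchost.vbs",
    r"%AppData%\Local\Windows\1.bat",
    r"%AppData%\Local\Windows\1514594927_log.txt",
    r"%AppData%\Local\Windows\csrs.exe",
    r"%AppData%\Local\Windows\svchost.vbs",
    r"%AppData%\Roaming\Coresource\gdlhost.exe",
    r"%AppData%\Roaming\Coresource\gdlhost.vbs",
    r"%AppData%\Roaming\Coresource\pools.txt",
    r"%AppData%\Roaming\Coresource\start_64bit.bat",
    r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk",
    r"%ProgramData%\Windows\csrs.exe",
    r"%ProgramData%\Windows\svchost.vbs",
    r"%Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\gdlhost.exe",
    r"%Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\icon.exe",
    r"%Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\IDM6.2B.2.exe",
    r"%Windows%\Installer\1e4eed.msi",
]

PLACEHOLDER_RE = re.compile(r"%(\w+)%")


def expand(path, env):
    """Replace %Name% placeholders from env; unknown names are left untouched."""
    return PLACEHOLDER_RE.sub(lambda m: env.get(m.group(1), m.group(0)), path)


def normalize(path):
    """Canonical, case-folded form so a Windows path compares equal regardless of case."""
    return ntpath.normcase(ntpath.normpath(path))


def sweep(inventory, env):
    """Return {indicator: (confidence, observed_path)} for indicators found in inventory.

    'exact' = the fully expanded path was present; 'name' = only the file name was
    present, in another directory and not already explained by an exact hit.
    """
    by_full, by_name = {}, {}
    for p in inventory:
        by_full[normalize(p)] = p
        by_name.setdefault(ntpath.normcase(ntpath.basename(p)), []).append(p)
    hits, consumed = {}, set()
    # Pass 1: exact path matches.
    for ind in INDICATOR_PATHS:
        full = normalize(expand(ind, env))
        if full in by_full:
            hits[ind] = ("exact", by_full[full])
            consumed.add(full)
    # Pass 2: weaker, name-only matches on files not consumed by pass 1.
    for ind in INDICATOR_PATHS:
        if ind in hits:
            continue
        name = ntpath.normcase(ntpath.basename(ind))
        for p in by_name.get(name, []):
            if normalize(p) not in consumed:
                hits[ind] = ("name", p)
                break
    return hits


# Constructed mapping for the demo host; %AllUsers% and %ProgramData% both
# resolve to C:\ProgramData on current Windows versions.
SAMPLE_ENV = {
    "AllUsers": r"C:\ProgramData",
    "ProgramData": r"C:\ProgramData",
    "AppData": r"C:\Users\alice\AppData",  # parent of Local and Roaming
    "Windows": r"C:\Windows",
}

# Constructed file listing; the installer GUID deliberately differs from the list.
SAMPLE_INVENTORY = [
    r"C:\PROGRAMDATA\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk",
    r"C:\ProgramData\Windows\csrs.exe",
    r"C:\Users\alice\AppData\Roaming\Coresource\pools.txt",
    r"C:\Windows\Installer\{0B1C2D3E-4F50-6172-8394-A5B6C7D8E9F0}\gdlhost.exe",
    r"C:\Windows\System32\svchost.exe",  # legitimate; must not match svchost.vbs
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for ind, (confidence, seen) in sweep(SAMPLE_INVENTORY, SAMPLE_ENV).items():
        print(f"[{confidence:5}] {ind}\n        -> {seen}")
```

    On the constructed listing this reports five exact hits (the Startup .lnk and csrs.exe under both %AllUsers% and %ProgramData%, plus pools.txt) and two name-only hits for gdlhost.exe sitting under a different installer GUID; the legitimate System32\svchost.exe is not reported. Treat a name-only hit as a lead to confirm by hash or signer, not as a verdict.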

  • Below are some of the observable effects of this Riskware:

    • Figure 1: CoinMiner notes.


    • Figure 2: CoinMiner embedded within sites via Javascript.


    • Figure 3: CoinMiner embedded within installers.

  • In some instances, command-line utilities were used directly as coin miners:

    • Figure 4: XMRig command-line utility.
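
    Figure 4 shows XMRig invoked directly from the command line, which is a detection opportunity in its own right: the pool, wallet and tuning arguments have to be visible on the process command line (or on the child spawned by a .bat/.vbs wrapper such as start_64bit.bat). The Python below is an added example, not Fortinet's code. It scores a process command line for a stratum pool URL, a -o/--url value ending in host:port, a wallet-shaped username (Monero addresses are 95 Base58 characters beginning with 4 or 8; the regex only approximates this), XMRig's --donate-level switch, and a set of XMRig tuning flags that are individually ambiguous and therefore worth one point each. The process snapshot, pool hostnames and wallet string are constructed; the image names reuse gdlhost.exe and csrs.exe from the dropped-file list above.

```python
"""Score process command lines for XMRig-style coin-miner arguments.

Added example, not Fortinet's code. The pool hosts, wallet string and process
snapshot are constructed for the demo; the switch names are XMRig's.
"""
import re

STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://[\w.-]+:\d+", re.I)
# Value of -o / --url; counted only when it ends in host:port, so that
# e.g. curl's "-o out.bin" does not score.
POOL_OPT_RE = re.compile(r"(?:^|\s)(?:-o|--url[= ])\s*(\S+)")
HOST_PORT_RE = re.compile(r"(?:^|/)[\w.-]+:\d{2,5}$")
# Approximation of a Monero address: 95 characters starting with 4 or 8
# (Base58 excludes 0, O, I and l; not enforced here).
XMR_ADDR_RE = re.compile(r"\b[48][0-9A-Za-z]{94}\b")
# XMRig tuning switches that also appear in benign tools: one point each.
MINER_FLAGS = ("--cpu-priority", "--max-cpu-usage", "--background", "-B",
               "--algo", "-a", "--threads", "-t", "--keepalive", "-k",
               "--nicehash", "--rig-id")
LIKELY_MINER = 4  # aggregate score at which a process is reported


def score_cmdline(cmdline):
    """Return (score, reasons) for one command line; 0 means nothing miner-like."""
    score, reasons = 0, []
    if STRATUM_RE.search(cmdline):
        score += 3
        reasons.append("stratum pool URL")
    m = POOL_OPT_RE.search(cmdline)
    if m and HOST_PORT_RE.search(m.group(1)):
        score += 2
        reasons.append(f"pool option {m.group(1)}")
    if XMR_ADDR_RE.search(cmdline):
        score += 2
        reasons.append("wallet-shaped username")
    if "--donate-level" in cmdline:
        score += 3
        reasons.append("--donate-level (XMRig-specific)")
    for flag in MINER_FLAGS:
        if re.search(rf"(?:^|\s){re.escape(flag)}(?:[=\s]|$)", cmdline):
            score += 1
            reasons.append(flag)
    return score, reasons


def triage(processes):
    """Return {image: (score, reasons)} for processes scoring at or above LIKELY_MINER."""
    flagged = {}
    for image, cmdline in processes:
        score, reasons = score_cmdline(cmdline)
        if score >= LIKELY_MINER:
            flagged[image] = (score, reasons)
    return flagged


# Constructed: 95 alphanumeric characters beginning with 4; not a real wallet.
SAMPLE_WALLET = "4" + ("9AbC7dEfG1hJkM2nPqR3sTuV5wXyZ6" * 4)[:94]

# Constructed process snapshot as (image name, full command line).
SAMPLE_PROCESSES = [
    ("gdlhost.exe",  # textbook XMRig invocation
     r"C:\Users\alice\AppData\Roaming\Coresource\gdlhost.exe -a rx/0 "
     r"-o stratum+tcp://pool.example.net:3333 -u " + SAMPLE_WALLET +
     " -p x --donate-level=1 -k"),
    ("csrs.exe",  # miner under a system-looking name, no stratum scheme on the URL
     r"C:\ProgramData\Windows\csrs.exe --url=pool.example.org:14444 "
     r"--user=worker1 --pass=x --cpu-priority 1 --max-cpu-usage 50 -B"),
    ("svchost.exe",  # legitimate: -k is a service group, not XMRig's --keepalive
     r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"),
    ("curl.exe",  # legitimate: -o names an output file, not a pool
     "curl.exe -o out.bin https://example.com/file"),
]

if __name__ == "__main__":
    for image, (score, reasons) in triage(SAMPLE_PROCESSES).items():
        print(f"{image}: score {score}: {', '.join(reasons)}")
```

    On the constructed snapshot gdlhost.exe scores 12 and csrs.exe scores 5, while svchost.exe stays at 1 (its -k alone) and curl.exe at 0. The short switches (-a, -k, -t, -B) collide with legitimate tools, which is why only the aggregate is acted on; a miner started through a wrapper script will carry these arguments on the child process, so command lines of children should be collected as well.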




Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.