Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

How to analyze Crypto malware with ANY.RUN

Top malware of this type

Family
Type
Trend changes
Tasks overall
Last Seen at

Recent blog posts

post image
Well done, ANY.RUN: Our Top Cybersecurity Awa...
watchers 231
comments 0
post image
How DFIR Analysts Use ANY.RUN Sandbox
watchers 325
comments 0
post image
How to Set up a Windows 11 Malware Sandbox
watchers 1135
comments 0

What is crypto malware?

Crypto miner malware is a type of malicious software that gains unauthorized access to a computer and utilizes its resources to mine cryptocurrencies. This type of malicious activity is also known as cryptojacking. There are variants of cryptojacking that do not require the installation of malware on the device. This is usually done via a malicious script added to a website.

Mining is a process that involves complex mathematical calculations to validate and add transactions to a blockchain. In return, miners typically receive a small amount of cryptocurrency.

Crypto miner malware is not only a threat to individual users but also to companies. In a business environment, a crypto miner can infect multiple systems, leading to a significant impact on productivity and increased energy costs.

Plus, crypto miners are often implemented simply as additional modules to different malicious software. Consequently, such malware can not only mine virtual currencies, but also steal sensitive information from the machine or spy on the user.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

What can a cryptojacking malware do to a computer?

Crypto miners can significantly impact a computer's performance and lifespan due to their resource-intensive nature. Since mining involves complex mathematical calculations to validate and add transactions to a blockchain, crypto miners can consume a significant portion of the computer's central processing unit (CPU) or graphics processing unit (GPU) power, leading to slower performance, increased latency, and even system crashes in extreme cases.

Crypto miners may also consume a significant amount of network bandwidth, especially when communicating with the mining pool or the command-and-control (C2) server. This can lead to slower internet speeds and impact the performance of other network-dependent applications.

The higher use of system resources can also lead to increased power consumption, resulting in higher electricity bills. In a corporate environment, cryptojacking can cause significant business disruptions, impact productivity, and lead to financial losses.

Crypto miners can often operate in the background and employ techniques to evade detection. For example, they may reduce the mining process when the user is actively using the system or use legitimate system processes to disguise the mining activity.

How does crypto malware spread?

Crypto miners can spread in different ways, similar to other types of malware.

Phishing emails constitute the primary attack vector. Through social engineering, threat actors can get users to download and run malicious software on their system. To prevent falling victim to a phishing attack, users can analyze suspicious links and files in the ANY.RUN sandbox to quickly see if they are malicious.

Another common method of infection involves file sharing platforms. In such cases, attackers usually disguise malware as legitimate or pirated software that users may download and execute.

Attackers may also embed malicious scripts into compromised websites. Once the user visits such a website, the script begins mining using the user's device's resources.

How does a crypto miner operate on an infected system?

In order to observe the behavior of a cryptojacking malware, we can upload it to the ANY.RUN sandbox. This service will let us safely execute the malicious program in a virtual environment and study all aspects of its operation.

Crypto miner analysis ANY.RUN The malicious crypto miner executable analyzed in ANY.RUN

In this analysis session, we can see how a miner executable is distributed in the form of an .elf file, an executable format on Linux systems. After execution, the service instantly detects malicious activity and provides us with valuable insights into the malware’s behavior.

Crypto miner analysis ANY.RUN The CPU and RAM graphs indicate the miner’s presence

One telltale sign of the malware’s is a spike in the CPU and RAM usage, which is clearly shown by the sandbox.

Crypto miner analysis ANY.RUN The DNS Requests segment lists more than 270,000 entries

Additionally, the network analysis reveals how the malware makes hundreds of thousands of DNS requests.

Crypto miner analysis ANY.RUN The Suricata rule utilized for detecting the miner

Finally, the service lets us learn more about the Suricata rule used to detect this malware. It points out that the miner in question is used for mining the Monero cryptocurrency.

The most common crypto malware today

In order to prevent crypto miner infection, it is vital to stay in the know about all the currently active malware engaging in such activities. DarkGate is one example of a malware that is used by different threat actors to deliver mining software on to victims' devices. One of the most common cryptojacking payloads distributed by DarkgGate is XMRig, which can mine Monero.

There are also JavaScript-based browser miners such as CoinIMP that can be employed by criminals to mine Monero or MintMe cryptocurrencies.

Crypto miner analysis ANY.RUN This website launches cryptojacking code that mines crypto using visitors’ resources

Check out this analysis session in the ANY.RUN sandbox that features an example of a website injected with the CoinIMP miner.

Crypto miner analysis ANY.RUN A detailed description of how the mining process takes places

The operation involves obfuscated JS wrapper code, obfuscated JS miner launcher, and an XORed .wasm module. The miner configuration is hard-coded inside the JavaScript body. The JS wrapper communicates via an encrypted XOR masked WebSocket with the mining pool.

How can I detect crypto malware?

To ensure your company's safety from crypto miners and other harmful software, a layered security strategy is needed. A key part of this strategy is using malware analysis sandboxes.

ANY.RUN provides an easy-to-use cloud environment for checking files and URLs. It gives you access to various tools for threat investigation and can automatically spot malicious activity.

ANY.RUN also lets you work with malware in an isolated virtual machine, just like on your own computer, to do complex actions needed for analyzing certain malware types.

Sign up for ANY.RUN – it's free!

HAVE A LOOK AT