Researchers at McAfee Labs have discovered a new type of Russian malware quietly mining Zcash and Monero on exploited computers around the world.
The malware “arrives via PUP installers” that drop and install either the Cryptonight Monero miner or Claymore’s Zcash miner onto a system, “depending on the architecture WebCobra finds”:
“This cryptocurrency mining malware is uncommon in that it drops a different miner depending on the configuration of the machine it infects.”
WebCobra is hard to detect, say the researchers, and once installed, the malware uses code to cloak itself:
“Once data.bin is decrypted and executed, it tries a few anti-debugging, anti-emulation, and anti-sandbox techniques as well as checks of other security products running on the system. These steps allow the malware to remain undetected for a long time.”
The only sign of infection is “power degradation”: the miner runs, “silently….consuming almost all the CPU’s resources.”
Infected machines may be unable to “sleep.” Performance usually slows and energy bills go up. All proceeds of the mining are sent to attackers’ digital wallets.
While the costs of mining by malware are close to nil, researchers at Elite Fixtures recently found that mining one Bitcoin can cost legitimated producers between $531 and $26,170 USD.
A majority of WebCobra infections are now taking place in the US, Brazil and South Africa, says McAfee.
WebCobra infections have also been found, however, in Russia, Indonesia, the Philippines, India, Northern Europe, India, Pakistan, Turkey, the Ukraine and in several African countries.
Like other cybersecurity researchers, McAfee Labs has concluded that crypto mining malware attacks are too attractive to soon go away.
Crypto malware attacks can be profitable while being far less dangerous and confrontational than ransomware attacks where a victim’s data and systems are locked up and a ransom in cryptocurrency demanded:
“Coin mining malware will continue to evolve as cybercriminals take advantage of this relatively easy path to stealing value. Mining coins on other people’s systems requires less investment and risk than ransomware, and does not depend on a percentage of victims agreeing to send money. Until users learn they are supporting criminal miners, the latter have much to gain.”