This article aims to help you detect and remove the newly emerged fileless bitcoin miner malware and protect your computer.
Bitcoin is a digital cash system. The difference between using bitcoin and using regular money is that bitcoins can be used without having to link any sort of real-world identity to it. Bitcoin mining is a process by which transactions are verified and added as a blockchain. This process is extremely important because it keeps a bitcoin network stable, secure, and safe. This, however, hasn’t stopped cybercriminals to attack bitcoin users.
The following is an illustration of a bitcoin transaction workflow.
An overview of the bitcoin miner malware
The term “Bitcoin-miner malware” is used to refer to a malware that cybercriminals use to install bitcoin miners in a user’s system without their consent. At Quick heal, we have observed that most of the malware belonging to this category are fileless.
What is a fileless malware?
A fileless malware is a variant of a malicious code which affects your system without dropping any file. A fileless malware is written directly to the targeted computer’s working memory, called RAM. And its code is injected into running processes such as iexplore.exe (the main executable of Internet Explorer Browser).
How does a bitcoin miner spread and infect?
The bitcoin miner malware spreads through various methods such as email attachments and compromised websites. They may be dropped or downloaded by other malware. Users surfing malicious websites may also unknowingly download these on their system. We have also seen Tweets with malicious shortened links clicking on which can download such malware. Cybercriminals have also been seen exploiting a certain network vulnerability in order to infect a user’s system with the bitcoin miner malware.
Once the bitcoin miner malware is installed on a user’s system, it forces the infected system to generate bitcoins or to join a mining pool without the user’s knowledge.
The exact infection method of this mining malware is not clear, however, it may affect your computer because of the execution of multiple types of malware (Trojans, worms, and other malware) which may have previously infected your computer. The methods of distribution and infection may vary depending on the type of malware.
If you notice your computer slowing down suddenly, it might not just be a sign that your machine is infected but it could also mean that it is generating bitcoins for someone else (an attacker). According to the telemetry received by Quick Heal Security Labs, the bitcoin miner malware mostly spreads through browsers, brute force attacks, denial of service (DoS) and worms.
How to detect a bitcoin miner malware
It is difficult to detect a bitcoin miner malware as it is fileless. Following are the symptoms of a bitcoin miner malware attack on a computer.
- The system overheats
- CPU and GPU usage is higher than usual
- The system slows down drastically
- The system’s hardware might stop functioning normally – this signals sustained mining
Quick Heal detection
Quick Heal Security Labs has successfully detected millions of bitcoin miner malware. The following graph represents the detection stats of this malware.
How to remove bitcoin miner malware
Follow these steps:
- Reset your browser
- Use an antivirus as Quick Heal
- Clean your Windows registry using tools such as Quick Heal PCTuner
How Quick Heal protects its users from these threats
- Quick Heal offers multilayered detection (static and dynamic) against such threats.
- With its next-gen module behavior-based detection system, Quick Heal actively keeps a watch on such malicious activities.
- Quick Heal blocks and prevents users from visiting malicious websites, protecting them from downloading any malicious files unknowingly.
Subject matter expert
Atithi Jalgaonkar | Quick Heal Security Labs