Blog

Quick Heal Security Labs
How to detect and remove the bitcoin miner malware
February 6, 2018

  • 25
    Shares
2
Estimated reading time: 3 minutes

This article aims to help you detect and remove the newly emerged fileless bitcoin miner malware and protect your computer.

Bitcoin is a digital cash system. The difference between using bitcoin and using regular money is that bitcoins can be used without having to link any sort of real-world identity to it. Bitcoin mining is a process by which transactions are verified and added as a blockchain. This process is extremely important because it keeps a bitcoin network stable, secure, and safe. This, however, hasn’t stopped cybercriminals to attack bitcoin users.

The following is an illustration of a bitcoin transaction workflow.

Fig 1. Bitcoin transaction workflow

An overview of the bitcoin miner malware

The term “Bitcoin-miner malware” is used to refer to a malware that cybercriminals use to install bitcoin miners in a user’s system without their consent. At Quick heal, we have observed that most of the malware belonging to this category are fileless.

What is a fileless malware?
A fileless malware is a variant of a malicious code which affects your system without dropping any file. A fileless malware is written directly to the targeted computer’s working memory, called RAM. And its code is injected into running processes such as iexplore.exe (the main executable of Internet Explorer Browser).

How does a bitcoin miner spread and infect?
The bitcoin miner malware spreads through various methods such as email attachments and compromised websites. They may be dropped or downloaded by other malware. Users surfing malicious websites may also unknowingly download these on their system. We have also seen Tweets with malicious shortened links clicking on which can download such malware. Cybercriminals have also been seen exploiting a certain network vulnerability in order to infect a user’s system with the bitcoin miner malware.

Once the bitcoin miner malware is installed on a user’s system, it forces the infected system to generate bitcoins or to join a mining pool without the user’s knowledge.

The exact infection method of this mining malware is not clear, however, it may affect your computer because of the execution of multiple types of malware (Trojans, worms, and other malware) which may have previously infected your computer. The methods of distribution and infection may vary depending on the type of malware.

If you notice your computer slowing down suddenly, it might not just be a sign that your machine is infected but it could also mean that it is generating bitcoins for someone else (an attacker). According to the telemetry received by Quick Heal Security Labs, the bitcoin miner malware mostly spreads through browsers, brute force attacks, denial of service (DoS) and worms.

How to detect a bitcoin miner malware
It is difficult to detect a bitcoin miner malware as it is fileless. Following are the symptoms of a bitcoin miner malware attack on a computer.

  • The system overheats
  • CPU and GPU usage is higher than usual
  • The system slows down drastically
  • The system’s hardware might stop functioning normally – this signals sustained mining

Quick Heal detection
Quick Heal Security Labs has successfully detected millions of bitcoin miner malware. The following graph represents the detection stats of this malware.

 

Fig 2. Bitcoin miner malware detection stats by Quick Heal

How to remove bitcoin miner malware
Follow these steps:

  1. Reset your browser
  2. Use an antivirus as Quick Heal
  3. Clean your Windows registry using tools such as Quick Heal PCTuner

How Quick Heal protects its users from these threats

  • Quick Heal offers multilayered detection (static and dynamic) against such threats.
  • With its next-gen module behavior-based detection system, Quick Heal actively keeps a watch on such malicious activities.
  • Quick Heal blocks and prevents users from visiting malicious websites, protecting them from downloading any malicious files unknowingly.

 

Subject matter expert

Atithi Jalgaonkar | Quick Heal Security Labs

  • 25
    Shares

Have something to add to this story? Share it in the comments.

Quick Heal Security Labs
About Quick Heal Security Labs
Quick Heal Security Labs is a leading source of threat research, threat intelligence, and cybersecurity. It analyzes data fetched from millions of Quick Heal...
Articles by Quick Heal Security Labs »

2 Comments

Your email address will not be published.

CAPTCHA Image

  1. I have Quick Heal Internet Security License Version.
    Should I purchase Quick Heal PCTuner for to remove bitcoin miner malware ?

    Reply
    • Rajiv Singha Rajiv SinghaMarch 26, 2018 at 12:45 PM

      Hi Ravi,

      Thank you for writing in. Our support engineers would gladly help you with this issue. Please call us on our toll-free no. 1800-121-7377 or visit http://bit.ly/QHChat to chat with us online. You can also raise a ticket at http://bit.ly/Askus and we will get back to you at the earliest.

      Regards,

      Reply