Where are the gray miners hiding?

The problem of gray mining still remains relevant, and miners are becoming more sophisticated. Let's try to figure out how they disguise themselves after infiltrating a user's computer.

Many gray miners are quite primitive: they use all the available resources of the victim's hardware and thereby give away their presence, without disguising themselves in any way. This makes them easy to identify and remove from the system. But attackers are becoming more insidious every day and are coming up with ever more cunning ways to avoid detection. Let's try to figure out how gray miners hide from the watchful eye of antiviruses and attentive users.

How does it work?

One of the first reasonably well-disguised miners was Trojan.BtcMine.1259, which targeted computers running Windows; its main purpose was to mine Monero on infected hardware.

Immediately after starting, it checks whether the system is already infected and installs a fairly serious Trojan, Gh0st RAT, designed to take complete control of the victim's system. Next, it checks the number of processor cores, and only if the processor's computing power exceeds a specified value does it launch the miner, using not all of the available power but only a certain percentage, so as not to give away its presence. Thus the miner does not run on hardware too "weak" to conceal its work, although such a machine continues to be used as a node of the botnet for the attackers' other purposes. At the same time, the Trojan monitors running processes: when Task Manager is launched it terminates the miner, and once the Task Manager window is closed it starts the miner again.

Another self-defense method (used, for example, by Trojan.BtcMine.1978) is to launch the miner as a critical process, so that forcibly terminating it crashes the system into a BSoD ("Blue Screen of Death"). For example, security specialists from 360 Total Security discovered that the WinstarNssmMiner miner embeds itself in the svchost.exe system process, launching a Monero miner together with a parallel process that monitors the activity of antiviruses and process and resource monitoring programs. The tracking process disables the miner when Kaspersky or Avast antivirus is launched. When other antiviruses are running, the Trojan bombards the user with system error messages, blocks the operation of programs and the system, and in some cases even crashes the system into a BSoD. According to experts, in its first 3 days of operation the miner mined 133 Monero coins (about 17,000 USD at the current rate).

A few days ago, Bleeping Computer analyst Lawrence Abrams described the "WindowsRecoveryCleaner" Trojan. Its peculiarity is that it stops working while applications whose operation could be affected by its activity are running, in particular popular games that demand high computer performance. To do this, the Trojan creates a scheduled task with the ominous name WindowsRecoveryCleaner, which launches the Iostream.exe process once a minute, so that the miner can be restarted very quickly after it has been shut down.

Immediately after starting, the Iostream control application injects the miner code into the system executable C:\Windows\system32\attrib.exe (which is used to change file attributes and normally exits immediately after a successful operation) and launches it. Iostream then remains in memory and monitors the list of running processes. As soon as Process Explorer, Task Manager, Process Monitor, Process Hacker, AnVir Task Manager, PlayerUnknown's Battlegrounds (PUBG), Counter-Strike: Global Offensive, Rainbow Six, or Dota 2 appears among them, it terminates itself (Iostream.exe) and the miner (attrib.exe). The WindowsRecoveryCleaner scheduled task launches the Iostream control process once a minute; it checks whether any application from the "black list" is running and, if the coast is clear, starts the miner. This Trojan is one of the most modern and most cleverly hidden from users.
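The process-list behaviour described above can be turned into a defender's check. The following is an added example, not code from the original article or from any of the researchers it cites: it runs two heuristics over constructed process snapshots, and the monitoring-tool executable names in MONITORS are assumptions for illustration.

```python
# Added example (not code from the original article): two detection heuristics
# for the hiding tricks described above, run over constructed process-list
# snapshots. Each snapshot is a list of (name, pid, age_seconds) tuples as a
# defender might collect them once a minute. Monitor executable names are
# assumptions for illustration, not taken from the article.
MONITORS = {"taskmgr.exe", "procexp.exe", "procmon.exe", "processhacker.exe"}

def long_lived_attrib(snapshot, max_age=5):
    """attrib.exe normally exits right after changing file attributes, so an
    attrib.exe that has been alive for more than a few seconds is suspicious."""
    return [(name, pid, age) for name, pid, age in snapshot
            if name.lower() == "attrib.exe" and age > max_age]

def hides_from_monitors(snapshots, candidate):
    """True if `candidate` runs in every snapshot taken without a monitoring
    tool and is absent from every snapshot taken while one is open: the on/off
    pattern Trojan.BtcMine.1259 and WindowsRecoveryCleaner use to stay out of
    Task Manager. Both kinds of snapshot must be present to conclude anything."""
    seen_with_monitor = seen_without_monitor = False
    for snap in snapshots:
        names = {name.lower() for name, _, _ in snap}
        monitor_open = bool(names & MONITORS)
        present = candidate.lower() in names
        if monitor_open:
            if present:
                return False      # keeps running under observation: not this trick
            seen_with_monitor = True
        else:
            if not present:
                return False      # gone even when nobody is looking
            seen_without_monitor = True
    return seen_with_monitor and seen_without_monitor

# Constructed snapshots: miner alive, user opens Task Manager, miner vanishes,
# Task Manager closed, the scheduled task has restarted the miner.
SNAPSHOTS = [
    [("explorer.exe", 1200, 3600), ("Iostream.exe", 4100, 130), ("attrib.exe", 4120, 120)],
    [("explorer.exe", 1200, 3660), ("Taskmgr.exe", 5000, 8)],
    [("explorer.exe", 1200, 3720), ("Iostream.exe", 4310, 50), ("attrib.exe", 4322, 45)],
]

if __name__ == "__main__":
    print("long-lived attrib.exe:", long_lived_attrib(SNAPSHOTS[0]))
    for proc in ("attrib.exe", "Iostream.exe", "explorer.exe"):
        print(proc, "hides from monitors:", hides_from_monitors(SNAPSHOTS, proc))
```

In practice the snapshots would come from a scheduled collector rather than being typed in, and a process that passes the second heuristic deserves a look at which scheduled task keeps relaunching it.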

Not only complex miners that burrow deep into the system are learning to hide, but simple JavaScript miners as well. At the end of 2017, Malwarebytes expert Jerome Segura discovered browser miner code on the site yourporn.sexy that was executed not in the main browser window but in a new window positioned in the lower right corner of the screen (the location is calculated dynamically depending on the size of the user's screen: the horizontal position is the screen width minus 100 pixels, and the vertical position is the screen height minus 40 pixels).

Thus, for users with the standard taskbar settings, the miner window is hidden behind the Windows taskbar. The attacker used a modified version of the Coinhive JavaScript miner, which we already described in our article "A new round of gray mining - browser-based mining". The parasitic script does not use the processor at full capacity, which greatly reduces the likelihood of detection. Because it runs in a separate window hidden from prying eyes, it continues to work even after the user closes the browser window with the "X" button.

So if you have closed all browser windows and your computer is still actively busy with something, check whether the browser icon in the taskbar is still active, and also check the list of processes in Task Manager to make sure that there are no running browser processes.
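The manual check above can be automated by watching for a browser process that keeps using CPU with no visible window. The following is an added example, not code from the original article: it runs that heuristic over constructed process samples, and the browser executable names in BROWSERS are assumptions for illustration.

```python
# Added example (not from the original article): flag a browser process that
# keeps burning CPU with no visible window after the browser has been closed,
# the symptom of the taskbar-hidden pop-under miner described above. Samples
# are constructed; each is a list of (name, pid, has_visible_window, cpu_pct)
# as a defender might record them every few seconds. Browser executable names
# are assumptions for illustration.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "opera.exe"}

def suspicious_windowless_browsers(samples, cpu_threshold=20.0, min_samples=3):
    """Return the pids of browser processes that, in at least `min_samples`
    consecutive samples, show no visible window and CPU use at or above
    `cpu_threshold`. A browser that is merely shutting down breaks the streak
    quickly, and a multi-process browser's idle helper processes (windowless
    by design) stay under the threshold, so neither is reported."""
    streak = {}
    flagged = set()
    for sample in samples:
        busy_now = set()
        for name, pid, visible, cpu in sample:
            if name.lower() in BROWSERS and not visible and cpu >= cpu_threshold:
                streak[pid] = streak.get(pid, 0) + 1
                busy_now.add(pid)
                if streak[pid] >= min_samples:
                    flagged.add(pid)
        for pid in list(streak):
            if pid not in busy_now:
                del streak[pid]   # one quiet sample resets the streak
    return sorted(flagged)

# Constructed samples: pid 3311 is a windowless chrome.exe steadily at ~35 % CPU
# (the hidden miner window), 3320 an idle helper, 3333 a process finishing its
# shutdown, and 4400 a Firefox window the user is actually using.
SAMPLES = [
    [("chrome.exe", 3311, False, 35.0), ("chrome.exe", 3320, False, 0.5),
     ("chrome.exe", 3333, False, 40.0), ("firefox.exe", 4400, True, 55.0)],
    [("chrome.exe", 3311, False, 38.0), ("chrome.exe", 3320, False, 1.0),
     ("chrome.exe", 3333, False, 22.0), ("firefox.exe", 4400, True, 48.0)],
    [("chrome.exe", 3311, False, 33.0), ("chrome.exe", 3320, False, 0.0),
     ("firefox.exe", 4400, True, 51.0)],
    [("chrome.exe", 3311, False, 36.0), ("chrome.exe", 3320, False, 0.8),
     ("firefox.exe", 4400, True, 49.0)],
]

if __name__ == "__main__":
    print("windowless busy browser pids:", suspicious_windowless_browsers(SAMPLES))
```

The threshold and sample count are tuning knobs: a miner throttled to a small share of the CPU, as the article describes, needs a lower threshold and a longer observation window to show up.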

To make the miner harder to spot in the page's source code at first glance, the script can masquerade as Google Analytics code. This behavior was first reported by Windows Defender Security Intelligence in a post on Twitter.

As you can see, modern gray miners are hiding better and better, often sacrificing performance. At first glance it may seem that the hackers lose a significant part of their profits. In fact, this is not so: it is much more profitable for them to maintain a huge network of infected machines that constantly brings in a small income than to be greedy and be detected immediately because of a high processor load.

Methods of "treatment"

Even if you are not afraid of gray mining and are not bothered by the excessive load on your device, it is imperative to completely get rid of the Trojan that has entered your territory. Modern Trojan miners do not come with the sole purpose of making money from your computing power; on infection, a whole suite of remote-control software is installed on the device, turning it into an obedient bot in a large network. With its help, attackers have full access to all your files, can launch and kill any process in the system, change its configuration, and initiate any network connection, including participating in DDoS attacks.

Instead of the standard Windows process monitoring application "Task Manager", experts recommend using "Process Explorer" from Microsoft. This program lets you find out exactly which application is using a particular file, shows which libraries an application has loaded, shows its owner, and displays the load on both the central and the graphics processor. With the help of "Process Explorer" even a not very experienced user can identify an uninvited guest. There is also a less common free solution, "AnVir Task Manager" (less common is good, because not all Trojans know about it and, accordingly, not all of them hide from it), which lets you monitor all resources and processes in the system and indicates their threat level. For more advanced users there are more complex suites, for example AIDA64, which provides a comprehensive overview and diagnostics of all the computer's features and also monitors the state of the system in real time, that is, displays the current load on the key components of the system. The advantage of this suite is that there are versions for Windows as well as for Android, iOS and Windows Phone.

Nowadays most antivirus programs and systems are able to identify and neutralize hidden miners, so to protect against them we strongly recommend using up-to-date security software and browser plugins that block JavaScript mining. But you also shouldn't let your guard down: keep monitoring the health of your system yourself.
