Riskware/CoinMiner
Analysis
Riskware/CoinMiner is a generic detection for riskware. Because the detection is generic, samples detected as Riskware/CoinMiner may vary in behaviour.
Below are examples of its behaviours:
- The detection is based on characteristics mostly found in cryptocurrency mining tools (Bitcoin miners, or Monero miners such as XMRig). Attackers have been found to implant these tools on unsuspecting users' machines, using the host as a miner for the attacker's benefit.
- The riskware may come in various forms (Win32 executables, JavaScript, or MSI installers), but in each case the main functionality is to implant a cryptocurrency miner.
- Below are some files dropped by samples of this riskware:
- %AllUsers%\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk
- %AllUsers%\Windows\csrs.exe
- %AllUsers%\Windows\svchost.vbs
- %AppData%\Local\Windows\1.bat
- %AppData%\Local\Windows\1514594927_log.txt
- %AppData%\Local\Windows\csrs.exe
- %AppData%\Local\Windows\svchost.vbs
- %AppData%\Roaming\Coresource\gdlhost.exe
- %AppData%\Roaming\Coresource\gdlhost.vbs
- %AppData%\Roaming\Coresource\pools.txt
- %AppData%\Roaming\Coresource\start_64bit.bat
- %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk
- %ProgramData%\Windows\csrs.exe
- %ProgramData%\Windows\svchost.vbs
- %Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\gdlhost.exe
- %Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\icon.exe
- %Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\IDM6.2B.2.exe
- %Windows%\Installer\1e4eed.msi
- Below are some of the observable effects of this Riskware:
- Figure 1: CoinMiner notes.
- Figure 2: CoinMiner embedded within sites via JavaScript.
- Figure 3: CoinMiner embedded within installers.
- In some instances a command-line mining utility is run directly on the host:
- Figure 4: XMRig command-line utility.
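As an added example (not Fortinet's code and not part of the original entry), the following Python script turns the dropped-file paths listed above and the command-line traits of an XMRig-style miner into detection logic, and runs it over a handful of constructed Sysmon-style events. The placeholder expansions (%AllUsers% and %ProgramData% to C:\ProgramData, %AppData% to the profile's AppData folder), the sample events, the `pool.example` host and the `WALLET_PLACEHOLDER` string are assumptions made for this example. Files named csrs.exe and svchost.vbs are flagged as lookalikes of csrss.exe and svchost.exe when they sit outside a system directory, and a .lnk in a Startup folder is flagged as run-at-logon persistence. A single weak command-line option such as `-u` is deliberately not enough to flag a process on its own.

```python
"""Hunt for Riskware/CoinMiner artifacts in file-create / process-create telemetry.
Dropped-file paths come from the page; events, host and wallet are constructed."""
import re

# Dropped-file paths exactly as the page lists them, with its placeholders.
PAGE_DROPPED_FILES = [
    r"%AllUsers%\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk",
    r"%AllUsers%\Windows\csrs.exe",
    r"%AllUsers%\Windows\svchost.vbs",
    r"%AppData%\Local\Windows\1.bat",
    r"%AppData%\Local\Windows\1514594927_log.txt",
    r"%AppData%\Local\Windows\csrs.exe",
    r"%AppData%\Local\Windows\svchost.vbs",
    r"%AppData%\Roaming\Coresource\gdlhost.exe",
    r"%AppData%\Roaming\Coresource\gdlhost.vbs",
    r"%AppData%\Roaming\Coresource\pools.txt",
    r"%AppData%\Roaming\Coresource\start_64bit.bat",
    r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk",
    r"%ProgramData%\Windows\csrs.exe",
    r"%ProgramData%\Windows\svchost.vbs",
    r"%Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\gdlhost.exe",
    r"%Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\icon.exe",
    r"%Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\IDM6.2B.2.exe",
    r"%Windows%\Installer\1e4eed.msi",
]

# Assumed expansions on a default install. The page uses %AppData% as the
# parent of both Local and Roaming, so it maps to <profile>\AppData.
PLACEHOLDER_RE = {
    "%AllUsers%":    r"[A-Z]:\\ProgramData",
    "%ProgramData%": r"[A-Z]:\\ProgramData",
    "%AppData%":     r"[A-Z]:\\Users\\[^\\]+\\AppData",
    "%Windows%":     r"[A-Z]:\\Windows",
}

def path_pattern(page_path: str) -> re.Pattern:
    """Turn a placeholder path from the page into a case-insensitive regex."""
    placeholder, _, rest = page_path.partition("\\")
    return re.compile("^" + PLACEHOLDER_RE[placeholder] + r"\\" + re.escape(rest) + "$",
                      re.IGNORECASE)

DROPPED_FILE_PATTERNS = [(p, path_pattern(p)) for p in PAGE_DROPPED_FILES]

def match_dropped_file(path: str):
    """Return the page's placeholder path that `path` instantiates, or None."""
    for page_path, pattern in DROPPED_FILE_PATTERNS:
        if pattern.match(path):
            return page_path
    return None

# Dropped names that imitate Windows binaries; the genuine ones live in System32/SysWOW64.
SYSTEM_LOOKALIKES = {"csrs.exe": "csrss.exe", "svchost.vbs": "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)

def file_signs(path: str) -> list:
    """Reasons a created file or process image looks like this riskware."""
    reasons = []
    hit = match_dropped_file(path)
    if hit:
        reasons.append(f"matches page IOC {hit}")
    name = path.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_LOOKALIKES and not path.lower().startswith(SYSTEM_DIRS):
        reasons.append(f"{name} imitates {SYSTEM_LOOKALIKES[name]} outside a system directory")
    if STARTUP_LNK_RE.search(path):
        reasons.append("shortcut dropped in a Startup folder (run-at-logon persistence)")
    return reasons

# Command-line traits of an XMRig-style miner run directly (Figure 4):
# stratum pool URL, -o pool / -u wallet options, XMRig's --donate-level.
MINER_CMDLINE_SIGNS = [
    (re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE), "stratum pool URL"),
    (re.compile(r"(^|\s)-o\s+\S+:\d{2,5}(\s|$)"), "-o host:port pool option"),
    (re.compile(r"(^|\s)-u\s+\S+"), "-u wallet/worker option"),
    (re.compile(r"(^|\s)--donate-level[= ]\d"), "XMRig --donate-level option"),
    (re.compile(r"\bxmrig\b", re.IGNORECASE), "xmrig in image or arguments"),
]

def miner_cmdline_signs(cmdline: str) -> list:
    return [label for rx, label in MINER_CMDLINE_SIGNS if rx.search(cmdline)]

def is_miner_cmdline(cmdline: str) -> bool:
    """A stratum URL is conclusive; otherwise require two independent signs,
    because options like -u or -o alone occur in plenty of benign tools."""
    signs = miner_cmdline_signs(cmdline)
    return "stratum pool URL" in signs or len(signs) >= 2

def scan(events: list) -> list:
    """Return (event index, reasons) for every suspicious event."""
    findings = []
    for i, ev in enumerate(events):
        reasons = []
        if ev["type"] == "FileCreate":
            reasons += file_signs(ev["path"])
        elif ev["type"] == "ProcessCreate":
            reasons += file_signs(ev["image"])
            if is_miner_cmdline(ev["cmdline"]):
                reasons += miner_cmdline_signs(ev["cmdline"])
        if reasons:
            findings.append((i, reasons))
    return findings

SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"type": "FileCreate",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk"},
    {"type": "FileCreate", "path": r"C:\ProgramData\Windows\csrs.exe"},
    {"type": "FileCreate", "path": r"C:\Users\alice\AppData\Roaming\Coresource\pools.txt"},
    {"type": "FileCreate", "path": r"C:\Users\alice\AppData\Local\Temp\report.pdf"},
    {"type": "ProcessCreate", "image": r"C:\Users\alice\AppData\Roaming\Coresource\gdlhost.exe",
     "cmdline": "gdlhost.exe -o stratum+tcp://pool.example:3333 -u WALLET_PLACEHOLDER -p x --donate-level=1 -k"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx], "->", "; ".join(why))
```

In a real hunt the event dicts would be built from Sysmon Event ID 1 (process create) and Event ID 11 (file create), or from EDR telemetry; the `pools.txt` hit is worth following up because, on the page's samples, it sits next to the miner binary and its start script.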
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability |
---|---|
FortiGate | |
FortiClient | |
FortiAPS | |
FortiAPU | |
FortiMail | |
FortiSandbox | |
FortiWeb | |
Web Application Firewall | |
FortiIsolator | |
FortiDeceptor | |
FortiEDR | |