Cryptocurrency Mining Malware Goes After Users Looking for Pirated Software

Recently, AhnLab warned users of cryptocurrency mining malware that is being distributed in the wild. The malware, also known as CoinMiner, targets users who are actively searching for pirated software.

To spread the malware, the attacker created a phishing site that is indexed by Google and other search engines. When the user enters certain keywords, such as ‘HWP document program crack for Mac’ or ‘crack Autocad 2006 64 Bit Keygen,’ to look for pirated software, a phishing website appears in the search results, as shown in Figure 1.

Keygen, short for key generator, is a computer program that generates product licensing keys, such as serial and registration numbers, necessary to activate the software. Software cracking refers to the act of modifying code to remove certain features, such as authentication requirements or license keys. This can be interpreted as a way to duplicate or illegally download commercial software. Thus, these two keywords were most widely used to search for pirated software.

Figure 1. Phishing website visible in Google Search results

Once the user visits the phishing site, a forged user review for the pirated software appears. Shortly after, the user is redirected to another phishing website that is designed to resemble the official download site for the software. A “download” button then appears, luring the user to click it. When the user clicks the button, a compressed Zip file containing an executable (.exe) file is downloaded.

When the user decompresses the Zip file and executes the downloaded file, Monero CoinMiner is installed without the user’s knowledge to mine cryptocurrency. The malware then disables the compromised PC’s sleep or standby mode so that it can use the PC’s resources continuously. To prevent detection, however, the malware automatically stops consuming resources if there is a program that monitors the computer’s resource usage in real time.
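The evasion described above leaves a pattern a defender can look for: a process that is busy only while nobody is watching. The following detection sketch is an added example, not code from AhnLab's analysis; the monitoring tool names, thresholds, process names and telemetry samples are all constructed assumptions.

```python
from statistics import mean

# Assumption: tools treated as "resource monitors"; the article does not name any.
MONITOR_TOOLS = {"taskmgr.exe", "procexp64.exe", "perfmon.exe"}

# Constructed telemetry: (seconds since start, {process name: CPU percent}).
SAMPLES = [
    (0,  {"svc_update.exe": 92.0, "browser.exe": 4.0}),
    (10, {"svc_update.exe": 95.0, "browser.exe": 6.0}),
    (20, {"svc_update.exe": 1.0, "browser.exe": 5.0, "Taskmgr.exe": 2.0}),
    (30, {"browser.exe": 7.0, "Taskmgr.exe": 1.5}),  # suspect process has exited
    (40, {"svc_update.exe": 94.0, "browser.exe": 3.0}),
    (50, {"svc_update.exe": 93.0, "browser.exe": 5.0}),
]

def find_monitor_shy_processes(samples, busy=70.0, quiet=5.0, min_samples=2):
    """Return (name, avg CPU unobserved, avg CPU observed) for processes that
    are busy when no monitor runs and idle or absent while one is running."""
    watched, unwatched = [], []
    for _, procs in samples:
        lowered = {name.lower(): cpu for name, cpu in procs.items()}
        if lowered.keys() & MONITOR_TOOLS:
            watched.append(lowered)
        else:
            unwatched.append(lowered)
    # Evidence from both states is required before drawing a conclusion.
    if len(watched) < min_samples or len(unwatched) < min_samples:
        return []
    names = {n for sample in watched + unwatched for n in sample} - MONITOR_TOOLS
    findings = []
    for name in sorted(names):
        # A process missing from a sample counts as 0% CPU (it may have exited).
        hidden = mean(sample.get(name, 0.0) for sample in unwatched)
        seen = mean(sample.get(name, 0.0) for sample in watched)
        if hidden >= busy and seen <= quiet:
            findings.append((name, round(hidden, 1), round(seen, 1)))
    return findings

if __name__ == "__main__":
    for name, hidden, seen in find_monitor_shy_processes(SAMPLES):
        print(f"{name}: {hidden}% CPU unobserved, {seen}% with a monitor open")
```

A hit is a lead for investigation rather than a verdict, since legitimate background jobs can also yield when the user becomes active.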

AhnLab’s anti-malware product, V3, detects and blocks the CoinMiner malware using the following aliases: 

[File Detection]

Trojan/Win32.Coinloader.R341612

Trojan/Win32.Coinloader.R341624

Trojan/Win64.Coinloader.C4139545

[Behavior Detection]

Malware/MDP.Behavior.M3119

Malware/MDP.Remove.M413

As explained above, downloading programs such as Keygens or Cracks through search engines comes with a great risk of being exposed to CoinMiner malware.

To prevent damage or infection by CoinMiner malware, the following security guidelines must be followed: ▲Download official SW and contents only ▲Refrain from visiting suspicious websites or websites that are not secure ▲Maintain the latest version for all SW and apply security patches for all OS, web browsers, application programs, and Office SW ▲Maintain the latest version of anti-malware programs and run scans periodically.

Jaejin Lee, a researcher at AhnLab, said, “CoinMiner malware uses up a lot of resources from the user’s PC. Thus, it is highly recommended that the above security guidelines are followed to prevent the risk of being infected by one.” 

trackback

[…] including CAD products, some eventually landed on sites containing malware. That was because those dangerous sites ranked highly in Google search […]