Anti-Virus Vendor Warns of Monero Trojan

Announcements, Crime, FinTech, News | June 22, 2017

A Trojan program that spreads through a backdoor developed by the US National Security Agency may be exploiting users of Windows operating systems for Monero mining.

The Doctor Web anti-virus software vendor posted on its blog that the malicious program, designed for mining the Monero (XMR) cryptocurrency, was dubbed Trojan.BtcMine.1259. A separate loader, Trojan.DownLoader24.64313, downloads the miner to a computer; the loader Trojan is itself distributed via the DoublePulsar backdoor.

According to Doctor Web:

“Trojan.BtcMine.1259 checks whether its copy is running on the infected computer. Then it determines the number of kernels present; if the number is greater than or equal to the number of threads specified in the Trojan’s configuration, it decrypts the library stored in its body and loads it into the memory. This library is a modified version of a remote administration system with open source code. This system is known as Gh0st RAT (Dr.Web Anti-virus detects it as BackDoor.Farfli.96).

Then Trojan.BtcMine.1259 saves its copy on a disk and runs it as a system service. Once launched, the Trojan attempts to download its update from the command and control server, the address of which is indicated in the configuration file.

The main module designed for mining the Monero cryptocurrency is also implemented as a library, and the Trojan contains both 32- and 64-bit versions of the miner. The respective implementation of the Trojan used on the infected computer depends on the bitness of the operating system. This module’s configuration indicates how many of the processor’s kernels and computing resources will be used for cryptocurrency mining, the intervals with which the miner will automatically restart, and other parameters. The Trojan tracks running processes on the infected computer and shuts itself down when an attempt is made to launch the Task Manager.”

Signs of Trojan.BtcMine.1259 include an overheating CPU. Dr. Web claims its anti-virus software can remove the malware.
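The Task Manager evasion that Doctor Web describes (the miner shuts itself down when Task Manager is launched, then the service restarts it) leaves a footprint in ordinary process start/exit telemetry. The following Python sketch is an added example, not code from the article or from Doctor Web: it scores executables that repeatedly exit within a few seconds of taskmgr.exe starting, and separately counts how often a flagged image reappears afterwards. The log format, the timestamps and the image name updsvc.exe are constructed for the example; real deployments would feed it Sysmon or EDR process events instead.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass
class ProcEvent:
    ts: datetime
    kind: str    # "start" or "exit"
    image: str   # executable name, lower-cased
    pid: int


# Constructed sample telemetry (not real logs). "updsvc.exe" is a hypothetical
# service image standing in for the miner; "notepad.exe" is benign noise that
# happens to exit once while Task Manager is open.
SAMPLE_LOG = """\
2017-06-22T10:00:00 start updsvc.exe 1180
2017-06-22T10:05:00 start taskmgr.exe 4120
2017-06-22T10:05:02 exit updsvc.exe 1180
2017-06-22T10:05:03 exit notepad.exe 5000
2017-06-22T10:05:40 exit taskmgr.exe 4120
2017-06-22T10:06:10 start updsvc.exe 1204
2017-06-22T10:30:00 start taskmgr.exe 4300
2017-06-22T10:30:01 exit updsvc.exe 1204
2017-06-22T10:30:30 exit taskmgr.exe 4300
2017-06-22T10:31:00 start updsvc.exe 1250
"""


def parse_log(text: str) -> List[ProcEvent]:
    """Parse the constructed '<iso-ts> <start|exit> <image> <pid>' lines, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, kind, image, pid = line.split()
        events.append(ProcEvent(datetime.fromisoformat(ts), kind, image.lower(), int(pid)))
    return sorted(events, key=lambda e: e.ts)


def find_taskmgr_evaders(events: List[ProcEvent],
                         window: timedelta = timedelta(seconds=5),
                         min_hits: int = 2) -> Dict[str, int]:
    """Map image -> number of exits that landed within `window` after a
    taskmgr.exe start.  Only images reaching `min_hits` are returned, so a
    single coincidental exit (e.g. the user closing an editor) is ignored."""
    taskmgr_starts = [e.ts for e in events
                      if e.kind == "start" and e.image == "taskmgr.exe"]
    hits: Dict[str, int] = defaultdict(int)
    for e in events:
        if e.kind != "exit" or e.image == "taskmgr.exe":
            continue
        if any(0 <= (e.ts - t).total_seconds() <= window.total_seconds()
               for t in taskmgr_starts):
            hits[e.image] += 1
    return {img: n for img, n in hits.items() if n >= min_hits}


def find_respawns(events: List[ProcEvent], images: Iterable[str],
                  window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """For each image of interest, count exits that are followed by a fresh
    start of the same image within `window`: the service-driven restart that
    the write-up describes.  A high count alongside an evader hit is a
    stronger signal than either alone."""
    watch = set(images)
    respawns: Dict[str, int] = defaultdict(int)
    for i, e in enumerate(events):
        if e.kind != "exit" or e.image not in watch:
            continue
        for later in events[i + 1:]:
            if later.ts - e.ts > window:
                break
            if later.kind == "start" and later.image == e.image:
                respawns[e.image] += 1
                break
    return dict(respawns)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    evaders = find_taskmgr_evaders(evs)
    print("exit-on-taskmgr hits:", evaders)
    print("respawns after exit:", find_respawns(evs, evaders))
```

On the constructed sample, updsvc.exe is reported with two evasion hits and two respawns, while notepad.exe drops out because it exits near Task Manager only once. The window sizes are tunable; a few seconds for the exit correlation and a few minutes for the respawn check fit the restart intervals the write-up mentions, but they should be calibrated against baseline telemetry before alerting on them.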

