June 15, 2017
This malicious program, designed for mining the Monero (XMR) cryptocurrency, was dubbed Trojan.BtcMine.1259. Trojan.DownLoader24.64313 downloads the miner to a computer. This loader Trojan is distributed via the backdoor DoublePulsar.
Once launched, Trojan.BtcMine.1259 checks whether a copy of itself is already running on the infected computer. It then determines the number of processor cores present; if that number is greater than or equal to the number of threads specified in the Trojan’s configuration, it decrypts the library stored in its body and loads it into memory. This library is a modified version of the open-source remote administration system known as Gh0st RAT (Dr.Web Anti-virus detects it as BackDoor.Farfli.96). Trojan.BtcMine.1259 then saves a copy of itself to disk and runs it as a system service. Once launched, the Trojan attempts to download its update from the command and control server, the address of which is specified in the configuration file.
The main module, which mines the Monero cryptocurrency, is also implemented as a library, and the Trojan contains both 32- and 64-bit versions of the miner. Which version is used on the infected computer depends on the bitness of the operating system. The module’s configuration specifies how many of the processor’s cores and how much of its computing resources will be used for cryptocurrency mining, the intervals at which the miner will automatically restart, and other parameters. The Trojan tracks running processes on the infected computer and shuts itself down when an attempt is made to launch the Task Manager.
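The shutdown-on-Task-Manager behaviour described above leaves a pattern that can be looked for in process telemetry: the same image exits within seconds of Task Manager starting, and does so repeatedly. The following is an added detection sketch, not code from Doctor Web; the event tuple format, the time window, the hit threshold and the process names `svc_example.exe` and `editor.exe` are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TASKMGR = "taskmgr.exe"

# Constructed process events (not from the report): (time, "start"|"exit", pid, image).
# svc_example.exe and editor.exe are hypothetical names.
SAMPLE_EVENTS = [
    ("2017-06-15T10:00:00", "start", 1200, r"C:\ProgramData\example\svc_example.exe"),
    ("2017-06-15T10:05:00", "start", 3000, r"C:\Windows\System32\Taskmgr.exe"),
    ("2017-06-15T10:05:01", "exit", 1200, r"C:\ProgramData\example\svc_example.exe"),
    ("2017-06-15T10:05:02", "exit", 2100, r"C:\Program Files\Editor\editor.exe"),
    ("2017-06-15T10:06:00", "exit", 3000, r"C:\Windows\System32\Taskmgr.exe"),
    ("2017-06-15T10:20:00", "start", 1480, r"C:\ProgramData\example\svc_example.exe"),
    ("2017-06-15T11:00:00", "start", 3344, r"C:\Windows\System32\Taskmgr.exe"),
    ("2017-06-15T11:00:01", "exit", 1480, r"C:\ProgramData\example\svc_example.exe"),
    ("2017-06-15T11:30:00", "exit", 4000, r"C:\Program Files\Editor\editor.exe"),
]


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_taskmgr_evaders(events, window_seconds=3, min_hits=2):
    """Map image -> count of distinct Task Manager launches it exited right after."""
    window = timedelta(seconds=window_seconds)
    parsed = sorted(
        (datetime.fromisoformat(ts), action, pid, image)
        for ts, action, pid, image in events
    )
    launches = [ts for ts, action, _, image in parsed
                if action == "start" and basename(image) == TASKMGR]
    hits = defaultdict(set)
    for ts, action, _, image in parsed:
        if action != "exit" or basename(image) == TASKMGR:
            continue
        for launch in launches:
            if launch <= ts <= launch + window:
                hits[image.lower()].add(launch)
    # Requiring min_hits separate launches filters out one-off coincidental exits.
    return {image: len(seen) for image, seen in hits.items() if len(seen) >= min_hits}


if __name__ == "__main__":
    for image, count in find_taskmgr_evaders(SAMPLE_EVENTS).items():
        print(f"{image}: exited after {count} Task Manager launches")
```

On real hosts the events would come from process creation and termination logging, and any flagged image still needs to be examined before it is treated as malicious.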
Although the first mining Trojans were detected over six years ago (the signature for Trojan.BtcMine.1 was added to the Dr.Web virus databases in 2011), cybercriminals are still spreading malicious programs that use computer resources without the user’s knowledge. Signs that a computer is infected with such a program may include a system slowdown or an overheating CPU. Trojan.BtcMine.1259 and all its components are successfully removed by Dr.Web Anti-virus and, therefore, pose no threat to our users.