McAfee Labs Discovers Russian Crypto Mining Malware, Correlation with Monero Price

McAfee Labs has announced the discovery of WebCobra, a Russian coin mining malware that exploits victims’ computing power.

Security researcher Kapil Khade also found a correlation between the prevalence of miner malware and changes in the price of Monero (XMR).

McAfee Labs Says Crypto Miner Malware Follows Price of Monero

The threat research division of McAfee, a leading computer security software company owned by Bitcoin enthusiast John McAfee, found what it considers to be an uncommon and hard to detect cryptocurrency mining malware.

It is uncommon in that it drops a different miner depending on the configuration of the machine it infects.

Khade, in collaboration with colleagues Oliver Devane and Deepak Setty, analyzed the Russian-born threat, dubbed WebCobra.

The malware steals victims’ machine resources as it increases power consumption while it runs silently in the background and mines cryptocurrency. Once infected, the computer warns the user of “performance degradation,” but is unable to detect the presence of the threat without up-to-date anti-malware software.

Khade argued in his post that the increase in the value of digital currencies has led to a significant increase in the use of malware for the purpose of cryptocurrency mining. The Russian cryptojacking malware seems to have a special appetite for Monero (XMR). The digital asset, known for its privacy features, is priced above $100 after having peaked at nearly $500 in early January 2018.

“The increase in the value of cryptocurrencies has inspired cybercriminals to employ malware that steals machine resources to mine crypto coins without the victims’ consent,” Khade notes.

The researcher shared a chart comparing the price of Monero from January 2016 to July 2018 against “coin miner malware samples.” The graphic indicates a clear correlation between the two, with unique mining malware reaching its all-time high one month after the burst of the cryptocurrency bubble earlier this year.

The use of coin mining malware seems to have picked up most recently despite a continued drop in the price of Monero and cryptocurrencies in general.

The uncommon cryptocurrency mining malware is most prevalent in the United States, Brazil, and South Africa, according to the McAfee Labs heat map of WebCobra infections from September 9–13. The software security company recently examined WebCobra. The file infector silently drops and installs the Cryptonight miner or Claymore’s Zcash miner, Khade explained.

“The main dropper is a Microsoft installer that checks the running environment. On x86 systems, it injects Cryptonight miner code into a running process and launches a process monitor. On x64 systems, it checks the GPU configuration and downloads and executes Claymore’s Zcash miner from a remote server.”
