Threat Spotlight: Cryptocurrency Malware
« Back to Blog

Threat Spotlight: Cryptocurrency Malware

By Cylance Threat Guidance Team


Cryptocurrencies such as Bitcoin, Ethereum, and other altcoins have seen an increase in popularity and adoption among users and service providers. This has resulted in increasing appreciation of value in the last six months (Figures 1 & 2). Market capitalization of these virtual currencies is now pegged at around $100B (Figure 3) and continues to rise with Initial Coin Offerings (ICO) going on to fund developments of projects related to cryptocurrency.

Figure 1. Trend of Bitcoin (BTC)

Figure 2. Trend of Ethereum (ETH) Price

Figure 3. Market Capitalization of Virtual Currencies

This vast market certainly hasn’t gone unnoticed by miscreants and cybercriminals, who have already set their sights on these virtual assets as potential targets.

There are various ways one can get hold of cryptocurrency. Two legitimate ways include:

(1)    Buying cryptocurrency from online exchanges such as Coinbase, Poloniex, Bittrex, Waves etc.
(2)    Running cryptocurrency mining software

On the other hand, malware authors usually employ the following illegitimate and/or illegal tactics:

(1)    Distributing ransomware and getting paid with cryptocurrency
(2)    Use cryptocurrency-stealing malware that targets digital wallets
(3)    Compromising systems and using those resources for cryptocurrency mining

Cryptocurrency-Mining Malware

Here is some notable malware that has been found compromising systems and delivering payloads with cryptocurrency mining capabilities:

Malware Worm (Miner-C/NeksMiner.A/NightMiner-Config)

A SophosLabs researcher reported a cryptomining malware found on NAS servers back in August 2016. This malware could propagate even on mapped network shares and open file servers. Another malware sample from this variant shows that it has been active since 2015.





Like the one reported, this malware is packaged with NSIS and disguises itself by using a folder icon. If the system is set to hide file extensions from known file types (as shown in Figure 5), it can easily be mistaken for a folder. This may cause unintended execution by an unsuspecting user.

Figure 4: Folder Icon

Figure 5: Folder Option to Hide File Extensions

Once the malware runs, it copies itself as image.exe in the %USERPROFILE%\Images folder.
Along with it are the dropped files as shown below:

Figure 6. Dropped Files

•  image.exe – copy of the original malware file.

•  Different versions of cryptocurrency miner files are executed based on system architecture and CPU capability. The malware checks whether it’s running on Win64 system and runs the appropriate miner files accordingly:

- NsCpuCNMiner32.exe
- NsCpuCNMiner64.exe
- NsGpuCNMiner.exe

Figure 7a: Selection of System Architecture

Figure 7b: Selection and execution of “miner” files.

        - Pools.txt – contains the mining pool servers to join.

Figure 8: Mining Pool Servers

        - tmp.ini – contains the parameters to use in running the “miner” file including the digital wallet.

Figure 9. Digital Wallets

Running the cryptomining malware image.exe will in turn run the appropriate cryptominer files, as can be seen below (taken from Process Explorer).

Figure 10: Running Process in Process Explorer

Auto Startup Technique

To ensure this malware runs on every system startup, it adds the shortcut file image.lnk to the startup folder. It also adds the registry startup entry below:

Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value: Coin
Data: C:\Users\{username}\AppData\Roaming\Images\image.exe

Other shortcut files used on other malware variants are as follows:

o   images.lnk
o   cryptonote.lnk
o   run.lnk
o   start.lnk

Other executable filenames used:

o   CNMiner.exe
o   img001.exe
o   darknoted.exe

Worm Propagation

It is important for the malware author that this cryptocurrency mining malware spreads to as many systems as possible, in order to control a larger pool of CPU resources for “mining.” Aside from initially dropping a copy as image.scr to root directories of C and D drives, it will also try to enumerate and drop the malware copy to available system drives (C-Z), including mapped network shares and open file servers.

It also tries to share the installation folder to the network for other users, as can be seen in the code below:

nsExec::ExecToStack "$\"cmd$\" /c net share Images$_5_=$_1_:\Shared /unlimited /cache:programs"

Malware Updating

The malware will check for updates by connecting and downloading configuration files. This enables the malware author to update the digital wallet and mining servers to join. Below are examples of URLs being used to get updates.


Adylkuzz Monero Miner

A malware author will jump on anything that allows wider distribution of their cryptomining malware. Soon after the release of a huge cache of exploits from “The Shadow Brokers,” a cryptocurrency malware was found using them. In our previous blog post, we demonstrated how Adylkuzz cryptocurrency malware used the EternalBlue/DoublePulsar exploit to compromise the system and to propagate.

Proofpoint published a blog post about this malware back in May. It was theorized that the malware author may have used a bot to scan the Internet for open SMB port 445 and tried to exploit it with EternalBlue to gain a backdoor connection. Once successful, it would download the cryptocurrency miner cpuminer to mine the Monero coin. The Shadow Brokers advertised their subscription model using XMR (Monero) as opposed to BTC, which was used for previous donations.

Interestingly, Adylkuzz malware added the firewall rule shown below to block SMB port 445, effectively closing the door behind it for other potential attacks. It is believed that this was done to keep the infected system to itself and close it for any other malware targeting the same vulnerability.

cmd.exe:1772 > "netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445"

cmd.exe:1692 > "netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block"

cmd.exe:3856 > "netsh ipsec static set policy name=netbc assign=y"

EternalMiner Malware payload of SambaCry/EternalRed

Soon after, a Samba vulnerability in Linux systems was reported as SambaCry/EternalRed. A cryptocurrency malware named EternalMiner used it to propagate in the network and downloaded a payload cryptocurrency miner. Securelist published a blog on this last June.

For the exploit to be successful, it requires guest accounts to have write access to Samba Share or the attacker having access to valid credentials. Once successful, the malware will identify network shares; upload the malware and trigger remote code execution to download the payload cryptocurrency miner cpuminer/minerd.

This miner is a modified version joining the mining pool server including a hardcoded digital wallet of the malware author. Below is the payout history of this wallet amounting to $6,847.00 in today’s exchange.

Figure 11: Payment History of the Malware Author’s Digital Wallet

Monero Cryptocurrency

Monero (XMR) coin has seen increased interest lately due to its technology of being an ‘untraceable’ coin. It boasts of having stealth addressing and being secure, private and untraceable. “Mining” Monero coin is still profitable, which is why it’s the current cryptocurrency of choice.


Figure 12: Monero (XMR) value in USD

One way to mine Monero cryptocurrency is to join a mining community such as Moneropool. On their website, we can see how much has been mined and how much payout has been received from mining Monero coin. Looking at one of the digital wallets used by the malware author (as seen in Figure 8), the payment history shows it gathering 2,929.6 XMR, which is roughly around $115,000 in today’s rate.

Figure 13. Payment History

Figure 14. Payment Transactions

Impact to User

It is worth noting that infected users will likely not notice the cryptocurrency mining malware running in the background on their machine. Symptoms that may be noticed are a sluggish system or a degradation of server performance due to computational resource usage in mining cryptocurrency.

Although “mining” a cryptocurrency may be benign in the sense that the end user is not harmed, a compromised system is still at risk for potential introduction of other malware. The malware author may also take advantage of the backdoor installed for other purposes, or may leave the vulnerability open for other attacks.

And of course, malware authors are not concerned with writing robust software designed to exit gracefully in the event of an error. The unintended loss of data from a system crash is always a real possibility.


Continued profitability in mining cryptocurrency will pave the way for an incremental increase in cryptocurrency-related malware attacks. We also anticipate a new wave of malware worms and bots motivated to distribute cryptomining malware.

In addition, we expect to see malware incorporating publicly-disclosed exploits and even targeting zero-day vulnerabilities for effective and widespread distribution of cryptomining malware.

If you use our endpoint protection product CylancePROTECT®, you were already protected from this attack. If you don't have CylancePROTECT, contact us to learn how our AI-driven solution can predict and prevent unknown and emerging threats.

Indicators of Compromise (IoCs)



Digital Wallet



About the Cylance Threat Guidance Team

The Cylance Threat Guidance team examines malware and suspected malware to better identify its abilities, function and attack vectors. Threat Guidance is on the frontline of information security and often deeply examines malicious software, which puts them in a unique position to discuss never-seen-before threats.