Riskware/CoinMiner

Analysis

Riskware/CoinMiner is a generic detection for riskware. Since this is a generic detection, files that are detected as Riskware/CoinMiner may have varying behaviour.
Below are examples of its behaviours:

  • This detection is based on characteristics mostly found in Bitcoin mining tools. Attackers have been found to implant these tools on unsuspecting users' machines, using the host machine as a bitcoin miner.

  • This riskware may come in various forms, such as Win32 executables, JavaScript, or MSI installers, but in each case the main functionality is to implant a bitcoin miner.

  • Below are some dropped files observed for some samples of this Riskware:
    • %AllUsers%\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk
    • %AllUsers%\Windows\csrs.exe
    • %AllUsers%\Windows\svchost.vbs
    • %AppData%\Local\Windows\1.bat
    • %AppData%\Local\Windows\1514594927_log.txt
    • %AppData%\Local\Windows\csrs.exe
    • %AppData%\Local\Windows\svchost.vbs
    • %AppData%\Roaming\Coresource\gdlhost.exe
    • %AppData%\Roaming\Coresource\gdlhost.vbs
    • %AppData%\Roaming\Coresource\pools.txt
    • %AppData%\Roaming\Coresource\start_64bit.bat
    • %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk
    • %ProgramData%\Windows\csrs.exe
    • %ProgramData%\Windows\svchost.vbs
    • %Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\gdlhost.exe
    • %Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\icon.exe
    • %Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\IDM6.2B.2.exe
    • %Windows%\Installer\1e4eed.msi
    Some of the above-mentioned files are themselves detected as Riskware/CoinMiner.

  • Below are some of the observable effects of this Riskware:

    • Figure 1: CoinMiner notes.


    • Figure 2: CoinMiner embedded within sites via Javascript.


    • Figure 3: CoinMiner embedded within installers.

  • In some instances, command-line utilities were used directly as coin miners:

    • Figure 4: XMRig command-line utility.
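As an added example (not Fortinet's own tooling), the following script sweeps a host for the dropped-file locations listed in this entry. It assumes a mapping from the entry's %Placeholder% notation to Windows environment variables, which is an assumption of this example, not part of the original page.

```python
import os
from typing import Callable, Dict, Iterable, List

# Dropped-file indicators copied from the entry above; the %Placeholder%
# prefixes are the entry's notation, not real environment variables.
DROPPED_FILES = [
    r"%AllUsers%\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk",
    r"%AllUsers%\Windows\csrs.exe",
    r"%AllUsers%\Windows\svchost.vbs",
    r"%AppData%\Local\Windows\1.bat",
    r"%AppData%\Local\Windows\csrs.exe",
    r"%AppData%\Local\Windows\svchost.vbs",
    r"%AppData%\Roaming\Coresource\gdlhost.exe",
    r"%AppData%\Roaming\Coresource\gdlhost.vbs",
    r"%AppData%\Roaming\Coresource\pools.txt",
    r"%AppData%\Roaming\Coresource\start_64bit.bat",
    r"%ProgramData%\Windows\csrs.exe",
    r"%ProgramData%\Windows\svchost.vbs",
    r"%Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\gdlhost.exe",
]
# Assumed mapping from each placeholder to a base-directory key (see default_bases).
PLACEHOLDERS = {"%AllUsers%": "PROGRAMDATA", "%ProgramData%": "PROGRAMDATA",
                "%AppData%": "APPDATA_ROOT", "%Windows%": "SYSTEMROOT"}

def default_bases(environ=os.environ) -> Dict[str, str]:
    """Derive base directories from the Windows environment (fallbacks assumed).
    %AppData% in the entry covers both Local and Roaming, so it maps to the
    AppData folder under USERPROFILE rather than the real APPDATA variable."""
    return {
        "PROGRAMDATA": environ.get("PROGRAMDATA", r"C:\ProgramData"),
        "APPDATA_ROOT": environ.get("USERPROFILE", r"C:\Users\Default") + r"\AppData",
        "SYSTEMROOT": environ.get("SYSTEMROOT", r"C:\Windows"),
    }

def expand_indicator(indicator: str, bases: Dict[str, str]) -> str:
    """Replace the leading %Placeholder% with its concrete base directory."""
    for placeholder, key in PLACEHOLDERS.items():
        if indicator.startswith(placeholder):
            return bases[key] + indicator[len(placeholder):]
    raise ValueError(f"unknown placeholder prefix in {indicator!r}")

def sweep(indicators: Iterable[str], bases: Dict[str, str],
          exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the expanded paths present on this host, deduplicated and in list
    order (%AllUsers% and %ProgramData% resolve to the same directory)."""
    expanded = dict.fromkeys(expand_indicator(i, bases) for i in indicators)
    return [p for p in expanded if exists(p)]

if __name__ == "__main__":
    for hit in sweep(DROPPED_FILES, default_bases()):
        print("possible CoinMiner artifact:", hit)
```

A hit only shows that a file sits at a known location; confirm it with the AV engine or a hash check before acting on it, since names like csrs.exe are chosen to resemble legitimate system binaries.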

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2024-03-13 92.02414
2024-03-06 92.02197
2024-02-29 92.02027
2024-02-29 92.02022
2024-02-29 92.02021
2024-02-29 92.02006
2024-02-28 92.01997
2024-02-26 92.01932
2024-02-14 92.01580
2024-02-12 92.01521