Analysis
Riskware/CoinMiner is a generic detection for riskware. Because the detection is generic, files detected as Riskware/CoinMiner may vary in behaviour.
Below are examples of its behaviours:
- The detection is based on characteristics common to cryptocurrency (Bitcoin) mining tools. Attackers have been found planting such tools on unsuspecting users' systems so that the host machine mines on the attacker's behalf.
- This riskware may come in various forms, such as Win32 executables, JavaScript, or MSI installers, but in each case the main functionality is to install a coin miner.
- Below are some dropped files observed for samples of this riskware. Note that several of the names (csrs.exe, svchost.vbs) are chosen to resemble the legitimate Windows processes csrss.exe and svchost.exe, and the gdlhost.lnk shortcut in the Startup folder gives the miner persistence at user logon:
- %AllUsers%\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk
- %AllUsers%\Windows\csrs.exe
- %AllUsers%\Windows\svchost.vbs
- %AppData%\Local\Windows\1.bat
- %AppData%\Local\Windows\1514594927_log.txt
- %AppData%\Local\Windows\csrs.exe
- %AppData%\Local\Windows\svchost.vbs
- %AppData%\Roaming\Coresource\gdlhost.exe
- %AppData%\Roaming\Coresource\gdlhost.vbs
- %AppData%\Roaming\Coresource\pools.txt
- %AppData%\Roaming\Coresource\start_64bit.bat
- %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk
- %ProgramData%\Windows\csrs.exe
- %ProgramData%\Windows\svchost.vbs
- %Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\gdlhost.exe
- %Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\icon.exe
- %Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\IDM6.2B.2.exe
- %Windows%\Installer\1e4eed.msi
- Below are some of the observable effects of this riskware:
- Figure 1: CoinMiner notes.
- Figure 2: CoinMiner embedded within sites via JavaScript.
- Figure 3: CoinMiner embedded within installers.
- In some instances a command-line mining utility was used directly as the coin miner:
- Figure 4: XMRig command-line utility.
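As an added example (not Fortinet's own detection logic), the following Python matches the dropped-file indicators listed above, plus a few command-line heuristics for a directly launched miner such as XMRig, against constructed Sysmon-style endpoint events. The mapping of Fortinet's path placeholders to concrete roots, the Stratum/XMRig command-line patterns and the sample events are all assumptions made for the example.

```python
"""Match Riskware/CoinMiner file indicators and miner command-line heuristics
against endpoint events (added example; the events below are constructed)."""
import re

# Assumption: Fortinet's placeholders resolve to these roots on a default C: install.
# '*' stands for any single user-name component under C:\Users.
PLACEHOLDER_ROOTS = {
    "%AllUsers%": r"C:\ProgramData",
    "%ProgramData%": r"C:\ProgramData",
    "%AppData%": r"C:\Users\*\AppData",
    "%Windows%": r"C:\Windows",
}

# Dropped-file paths as listed in the entry (duplicate IDM6.2B.2.exe entry removed).
DROPPED_FILES = [
    r"%AllUsers%\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk",
    r"%AllUsers%\Windows\csrs.exe",
    r"%AllUsers%\Windows\svchost.vbs",
    r"%AppData%\Local\Windows\1.bat",
    r"%AppData%\Local\Windows\1514594927_log.txt",
    r"%AppData%\Local\Windows\csrs.exe",
    r"%AppData%\Local\Windows\svchost.vbs",
    r"%AppData%\Roaming\Coresource\gdlhost.exe",
    r"%AppData%\Roaming\Coresource\gdlhost.vbs",
    r"%AppData%\Roaming\Coresource\pools.txt",
    r"%AppData%\Roaming\Coresource\start_64bit.bat",
    r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk",
    r"%ProgramData%\Windows\csrs.exe",
    r"%ProgramData%\Windows\svchost.vbs",
    r"%Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\gdlhost.exe",
    r"%Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\icon.exe",
    r"%Windows%\Installer\{3CCAB43F-381B-4CC1-890A-B41909843709}\IDM6.2B.2.exe",
    r"%Windows%\Installer\1e4eed.msi",
]


def _path_pattern(ioc: str) -> re.Pattern:
    """Turn one placeholder path into a case-insensitive full-path regex."""
    for placeholder, root in PLACEHOLDER_ROOTS.items():
        if ioc.startswith(placeholder):
            ioc = root + ioc[len(placeholder):]
            break
    # Escape the literal path, then let the user-name wildcard match exactly
    # one path component (no backslashes).
    return re.compile(re.escape(ioc).replace(r"\*", r"[^\\]+"), re.IGNORECASE)


FILE_PATTERNS = [(ioc, _path_pattern(ioc)) for ioc in DROPPED_FILES]

# Assumption: heuristics for a miner run straight from the command line
# (Stratum pool URLs, XMRig's --donate-level option, the xmrig binary name).
MINER_CMDLINE_PATTERNS = [
    re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE),
    re.compile(r"(^|\s)--donate-level(\s|=)", re.IGNORECASE),
    re.compile(r"\bxmrig(\.exe)?\b", re.IGNORECASE),
]


def scan(events):
    """Return one hit per event that matches a file indicator or a miner heuristic."""
    hits = []
    for ev in events:
        if ev["event"] == "FileCreate":
            for ioc, pat in FILE_PATTERNS:
                if pat.fullmatch(ev["path"]):
                    hits.append({"host": ev["host"], "event": ev["event"],
                                 "indicator": ioc, "observed": ev["path"]})
                    break
        elif ev["event"] == "ProcessCreate":
            for pat in MINER_CMDLINE_PATTERNS:
                if pat.search(ev["cmdline"]):
                    hits.append({"host": ev["host"], "event": ev["event"],
                                 "indicator": pat.pattern, "observed": ev["cmdline"]})
                    break
    return hits


# Constructed sample events; three of the seven are benign and must not match.
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "FileCreate",
     "path": r"C:\Users\alice\AppData\Roaming\Coresource\gdlhost.exe"},
    {"host": "ws01", "event": "FileCreate",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\gdlhost.lnk"},
    {"host": "ws01", "event": "FileCreate", "path": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws02", "event": "ProcessCreate",
     "cmdline": r'"C:\Users\bob\AppData\Local\Temp\xmrig.exe" -o stratum+tcp://pool.example:3333 --donate-level=1'},
    {"host": "ws02", "event": "ProcessCreate", "cmdline": r"C:\Windows\System32\cmd.exe /c echo hello"},
    {"host": "ws03", "event": "FileCreate", "path": r"C:\Users\alice\AppData\Local\Windows\1.bat"},
    {"host": "ws03", "event": "FileCreate", "path": r"c:\programdata\windows\csrs.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['event']} matched {hit['indicator']} -> {hit['observed']}")
```

Paths are compared case-insensitively and the user-name wildcard is restricted to a single path component, so a file dropped under a deeper, unexpected directory does not produce a false positive; the command-line heuristics are intentionally loose and should be tuned against the environment's legitimate process baseline before use as an alert.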
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
Product | Availability
---|---
FortiGate |
FortiClient |
FortiAPS |
FortiAPU |
FortiMail |
FortiSandbox |
FortiWeb |
Web Application Firewall |
FortiIsolator |
FortiDeceptor |
FortiEDR |
ID | 6883379 |
Released | Apr 23, 2018 |
Description Updated | Sep 09, 2015 |
Aliases | JS/CoinMiner.F potentially unwanted application,Application.BitCoinMiner.SX,JS/CoinMiner.A potentially unwanted application,not-a-virus:RiskTool.Win32.Generic,CoinMiner application,Win64/CoinMiner.J trojan,Troj/Miner-BP,JS/Miner.i trojan,C |
Platform Profile | Riskware is a term for potentially unwanted or dangerous software programs that do not fall under Adware. They could be legitimate software applications that may be misused and pose possible security risks to users. |
Profile Type | Trojan |