CryptoMiner Frontier in May

May 30, 2018360TS
Learn more about 360 Total Security

[Tips: Install 360 Total Security to prevent CryptoMiner attacks]

With the rise of Crypto currencies, almost everyday we discover infections and receive feedbacks regarding CryptoMiner issues. In May, we have made some progress in combating CryptoMiner. Below is the major battles:


In May 10th, a user asked for 360’s help. After analysis, we found that a CryptoMiner was implanted by an optimization tool, One System Care. After infection, it displays unwanted advertisement and steal users’ computing power for crypto currency mining. 360 Total Security has cleaned up this malware and saved over 1 million computers in 1 week.


In May 15th, a user feedbacks that their computer is running slow some time after startup. It was identified as a CryptoMiner malware that steals processor power for digital currencies mining. Surprisingly, we found that it asks victims’ permission to use their computer’s idle processing power for “complicated calculation”, luring users into voluntarily donating their computing power for mining Monero, a popular crypto currency.


This malware exploits Microsoft application, srvany.exe, to avoid detection by antivirus. It also carries NSA cyber weapons to power itself up, making users’ computers extremely vulnerable to this malware attack.


This malware infected more than 300 thousand computers. It exploits famous open source tools “cURL.exe” and “wget.exe” to deceive antivirus. By downloading malicious files via known good tools and hiding in system schedule tasks, most antivirus software is unable to capture it. It has bundled seven to eight different applications of which vendors pay the writer for distributing their products. After installing the bundled applications, this CryptoMiner begins mining.

Drupal CryptoMinder Attack

A regular website visiting might turn your computer into a slave miner for attackers. An attack towards Drupal system has realized this nightmare. In May, our researcher has discovered a massive attack targeting websites using Drupal system. Computers visiting this type of website will execute mining procedure which takes huge amount of CPU power and makes the computer running slow. Drupal is a well-known website application based on PHP and widely used by lots of popular website. Owners of Drupal websites should update their system to latest version in case of the same attack.


ScheduledUpdateMiner infected tens of thousands of computers in 3 days. This malware abuses Microsoft tool “certutil.exe” as module downloader and hides itself in system schedule tasks to start itself at bootup. It leverages 3 rootkit drivers for terminating antivirus and hiding its processes and files, making most antivirus software unable to capture it. It also packs 2 exploit kits, DoublePulsar and EternalBlue, from NSA cyber weapon for infecting other machines.

Mining Botnet

An attack that abused MSSQL’s vulnerability was first found in 2017. The attacker first used EternalBlue exploits to distribute virus and propagate itself through weak password of MSSQL. Until recently, we found this attack has risen again. Over 100,000 attacks was discovered in just one day.

This type of breach can be easily seen nowadays. Weak password has taken the center stage of this form. We recommend administrators and users take caution on the strength of their passwords to avoid falling victim of brute-force attack.


Over 100,000 computers has been found infected by this CryptoMiner. It is being distributed through download sites. It leverage VBScript to avoid detection by antivirus and has gained significant amount of Monero which is equivalent to 234000 US dollars. We named it AuxHDVbsMiner.

Download 360 Total Security:

Learn more about 360 Total Security