IdleBuddyMiner, a Polite CryptoMiner

May 15, 2018360TS

1. Background

360 Security Center received a user feedback reporting that their computer is running slow some time after startup. It was identified as a CryptoMiner malware that steals processor power for digital currencies mining. We named it IdleBuddyMiner. Surprisingly, we found that it asks victims’ permission to use their computer’s idle processing power for “complicated calculation”, luring users into voluntarily donating their computing power for mining Monero, a popular crypto currency.

2. Analysis

This malware starts itself by registering as a system startup service. It downloads encrypted code from its control server, decrypts the code and executes it in the memory.

Code: Download encrypted data:

Code: Encrypted data is a mining module that is based on the work of open source project, xmrig(https://github.com/xmrig)

By far, only 360 and a handful of other antivirus vendors are able to detect this malware:

3. Related file hash in MD5

150AF54958BDE0DBF7C1F42F495CA867
97463C5CEA66270D529C0710E9606B91
8ddf5757673057df01ed3b14eb3ae5b7

4. Reminder

Recently, we have found that a lot of CryptoMiner malware are actively spreading in the wild. We strongly recommend users to enable antivirus software while installing new applications. Users are also recommended to run virus scan with 360 Total Security to avoid falling victim to CryptoMiner.