Coinminer protection and removal with Endpoint Protection

Products

Endpoint Protection

Issue/Introduction

Coinminers (also called cryptocurrency miners) are programs that generate Bitcoin, Monero, Ethereum, or other cryptocurrencies that are surging in popularity. When intentionally run for one's own benefit, they may prove a valuable source of income.

However, malware authors have created threats and viruses which use commonly-available mining software to take advantage of someone else's computing resources (CPU, GPU, RAM, network bandwidth, and power), without their knowledge or consent (i.e. cryptojacking). Symantec's video What is Cryptojacking? provides a three-minute overview of this threat.

Symantec has developed robust defenses against unwanted coinminers, Symantec Endpoint Protection (SEP).

Symantec products will typically raise a warning when files related to coin mining are found or running, to bring them to an administrator's attention; though open source and widely-used, mining software may be Potentially Unwanted Applications in an enterprise environment.)

Indications that a computer is mining include:

High CPU and/or GPU usage
Overheating
Crashes or restarts
Slow response times
Unusual network activity (e.g. connections to mining-related websites or IP addresses). For example, you may notice unexpected PowerShell processes connecting to IP addresses associated with xmrpool[.]net, nanopool[.]org, moneropool[.]com, and similar addresses.

If Symantec Endpoint Protection (SEP) logs entries similar to those listed in Appendix B: Symantec signatures, this may indicate that a coinminer is active on the computer.

Environment

Coinminers run on various platforms, including:

Windows
OS X/macOS
Linux
Android
Internet of Things (IoT) devices

Resolution

Should coinminers be stopped?

While some administrators may not consider coinminers a priority because the threat is not inherently destructive, as is the case with ransomware, the wasted resources and impact on performance is still viewed as a nuisance. Therefore, Symantec highly recommends that you take action.

Symantec Security Response has encountered coinminers which not only generate income for criminals, but also carry out other nefarious activities on the network, including theft of credentials. The presence of coinminers should also alert administrators that there are weaknesses in their environment.

Destructive forms of malware function using similar methods as coinminers. Eradicating miners and strengthening your network's defenses will help prevent other threats.

Understand the challenge

There are many different ways to force a computer or device to mine cryptocurrency. These are the three main types of miners:

Executables - These are typical malicious or Potentially Unwanted Application (PUA) executable files (.exe) placed on the computer, designed to mine cryptocurrencies.
Browser-based Cryptocurrency Miners - These JavaScript (or similar technology) miners perform their work in an Internet browser, consuming resources for as long as the browser remains open on the website. Some miners are used intentionally by the website owner in place of running ads (e.g. Coinhive), while others have been injected into legitimate websites without the website owner's knowledge or consent.
Advanced Fileless Miners - As predicted, malware has emerged that performs its mining work in a computer's memory by mis-using legitimate tools like PowerShell. One example is MSH.Bluwimps, which carries out additional malicious acts in addition to mining.

Use all protection components

Coin mining executables can be caught by traditional security tools, including the following components in Symantec Endpoint Protection (SEP): Antivirus, Download Insight, Advanced Machine Learning, and SONAR. Undetected malicious executables can be discovered by SymDiag's Threat Analysis Scan. The more SEP components that are installed and enabled, the greater the chance of detecting these threats.

Browser-based miners can be detected and removed by antivirus definitions (for example, PUA.WASMcoinminer and JS.Webcoinminer). Expect repeated detections in the browser's cache location as the mining code on the webpage is likely to be reloaded as long as the computer user remains viewing that page.

Numerous signatures have been built for this purpose, so ensure that IPS is installed and enabled. Also ensure that the environment's IPS policy has been configured so that mining-related Audit signatures "Block" rather than just "Log" the traffic. As a final measure, you may need to block the website which contains the browser-based miner at the firewall.

Note: It is better to have the Intrusion Prevention System (IPS) component block these miners before they reach the computer.

Advanced fileless miners like MSH.Bluwimps are inherently difficult to detect and stop. Professional expertise from Symantec Technical Support will likely be necessary, who can provide instructions on how SEP components can be configured to block the execution of these miners.

Harden your environment

Some tips to help prevent and respond to coinminers:

Know your environment. Be aware how frequently end users report slow performance. React and investigate for miners if complaints increase.
Defend web servers to prevent an attacker from adding Coinhive-style mining scripts to your websites.
Apply all available vendor patches. Many miners that gain entry to an organization can move and execute by exploiting vulnerabilities for which patches already exist.
Monitor network logs (IPS logs, DNS logs, firewall logs) for suspicious outgoing connections to mining-related IP addresses. Block these addresses at the corporate firewall, and consider suspicious any computer that continues to access those addresses.
Lock down RDP access and frequently replace all user passwords—especially users with admin access—with new, strong passwords.
Run a recent release of PowerShell (5 or higher), and configure it to log detailed activity.
Take measures to secure your computers' built-in Windows Management Instrumentation (WMI). Attackers, including those seeking to mine coins, increasingly abuse this technology. Administrators should consider creating Group Policy Objects (GPO) or firewall rules to prevent unauthorized remote WMI actions, and perhaps control access by user accounts. See Microsoft's guidance in Maintaining WMI Security.

Follow best practices

When you suspect an undetected miner, see Virus removal and troubleshooting on a network

Appendix A: Related articles

Appendix B: Symantec signatures

The following catalog of signatures is not comprehensive, but provides an indication of the various definitions in place to halt unauthorized mining.

Many miners are detected under signatures such as PUA.Gen.2, Trojan.Gen.2, Trojan Horse, and other general classifications.

Antivirus signatures

Downloader.Miner
Downloader.Miner!g1
JS.Webcoinminer (previously PUA.JScoinminer)
JS.Webcoinminer!gen1
Infostealer.Coinbit
Linux.Coinminer
Linux.Ekcorminer
Miner.Bitcoinminer (previously PUA.Bitcoinminer)
Miner.Burst (previously PUA.Burstminer!s1)
Miner.Cpuminer (previously PUA.Cpuminer!s1)
Miner.Jswebcoin
Miner.Neoscrypt (previously PUA.Neoscrypt!s1)
Miner.Wasmwebcoin
Miner.Xmrig
Miner.XMRig!gen1
Miner.Zcashminer (previously PUA.Zcashminer)
OSX.Coinbitminer
OSX.Coinminer
PUA.Gyplyraminer
PUA.WASMcoinminer
Trojan.Adylkuzz
Trojan.Badminer
Trojan.Coinbit!g1
Trojan.Coinbitminer
Trojan.Coinminer
Trojan.Coinminer.B
Trojan.Coinliteminer
Trojan.Coinreg
Trojan.Madominer
Trojan.Minjen
Trojan.Minjen!gen1
Trojan.Shminer
Trojan.Zezin
Wasm.Webcoinminer
W32.Beapy!gen1
W32.Coinbitminer
W32.Mysracoin
W32.Rarogminer
W32.Xiaobaminer

SONAR

IPS Signatures

Note: Configure Audit signatures to "Block"