With a mounting number of cybercriminal operations pursuing the illicit installation of crypto mining software on victim devices and systems, increasing awareness of cryptojacking is paramount. Earlier this summer, US-CERT released a malware analysis report related to the XMRig coin miner, detailing new approaches to hijacking victims’ devices and leveraging them for crypto mining.
CISA shone a spotlight on crypto mining droppers used to deploy XMRig without the owner's consent.
XMRig Cryptominer Malware Detection
Utilize the following rule kit released by our keen Threat Bounty developers Nattatorn Chuensangarun and Onur Atali to detect unsolicited activity associated with the XMRig crypto miner malware within your environment:
Identify the presence of XMRig Coin Miner
Cybersecurity experts leverage the Threat Bounty Program to reach new career horizons. Join Threat Bounty to share our dedication to cooperating in achieving high standards of cybersecurity processes.
The detections are available for the 26+ SIEM, EDR & XDR platforms, aligned with the MITRE ATT&CK® framework v.10. For more detection content, please press the Detect & Hunt button below. If you are new to the platform, browse through a vast collection of Sigma rules with relevant threat context, CTI and MITRE ATT&CK references, CVE descriptions, and get updates on threat hunting trends by hitting the Explore Threat Context button. No registration is required!
XMRig-Based Campaign Description
The XMRig CPU Miner is a popular cryptocurrency mining tool. But the software is not only popular for legitimate operations. Adversaries frequently misuse XMRig for crypto mining on compromised computers. Cryptojacking attacks are often carried out using a trojan.
According to the analysis published by CISA, a recently researched Remote Access Tool (RAT) used as a crypto mining dropper provides threat actors with a vast array of C2 capabilities. The strain is a 64-bit Windows loader that contains an encrypted malicious executable. Once the attackers achieve persistence within a compromised network, they proceed with their prime objective, which is to execute the XMRig CoinMiner. Additionally, malware operators terminate antivirus tasks, gain reverse shell access, and move laterally through the network.
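The detection idea behind the rule kit above and the dropper behaviour just described (XMRig execution followed by antivirus termination), as an added example that is not the Threat Bounty rule kit and not code from CISA's report: a small Python checker over constructed, Sysmon-style process-creation events that flags XMRig by binary name, by two or more of its documented command-line options, and by a stratum pool URL, then correlates a Defender-process termination with a parent process already flagged as a miner. The event records, field names, indicator sets and hostnames are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed Windows process-creation events (Sysmon Event ID 1 fields, flattened).
# These are made-up records for this example, not data from the CISA report or the
# SOC Prime rule kit; hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\Public\xmrig.exe",
     "CommandLine": r"C:\Users\Public\xmrig.exe -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER --donate-level=1 -k",
     "ParentImage": r"C:\Users\Public\loader.exe"},
    {"Image": r"C:\ProgramData\sys\winupd.exe",
     "CommandLine": r"winupd.exe --algo rx/0 --url pool.example.invalid:443 --tls --cpu-max-threads-hint=50",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": r"taskkill /F /IM MsMpEng.exe",
     "ParentImage": r"C:\ProgramData\sys\winupd.exe"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url https://example.org',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Indicator sets are assumptions chosen for illustration: XMRig's documented
# command-line options, the stratum pool-URL scheme, and taskkill aimed at the
# Microsoft Defender service process (the report describes AV tasks being terminated).
MINER_FLAGS = {"--donate-level", "--algo", "--coin", "--url", "--tls",
               "--cpu-max-threads-hint", "--randomx-1gb-pages", "--nicehash"}
XMRIG_NAME_RE = re.compile(r"xmrig", re.IGNORECASE)
POOL_URL_RE = re.compile(
    r"stratum\+(?:tcp|ssl)://|(?:^|\s)-o\s+\S+:\d{2,5}\b|--url[= ]\S+:\d{2,5}\b",
    re.IGNORECASE)
AV_KILL_RE = re.compile(
    r"taskkill\b.*/IM\s+(?:MsMpEng|NisSrv|SecurityHealthService)\.exe", re.IGNORECASE)


@dataclass
class Finding:
    image: str
    parent_image: str
    reasons: List[str] = field(default_factory=list)


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the indicator names one event trips (empty list for a benign event)."""
    cl = ev.get("CommandLine", "")
    reasons: List[str] = []
    if XMRIG_NAME_RE.search(ev.get("Image", "")) or XMRIG_NAME_RE.search(cl):
        reasons.append("xmrig_name")
    # Compare option names only, so "--donate-level=1" still matches "--donate-level";
    # a renamed binary usually keeps these options, so this catches the third event.
    options = {tok.split("=", 1)[0] for tok in cl.split() if tok.startswith("--")}
    if len(options & MINER_FLAGS) >= 2:
        reasons.append("miner_flags")
    if POOL_URL_RE.search(cl):
        reasons.append("pool_url")
    if AV_KILL_RE.search(cl):
        reasons.append("av_kill")
    return reasons


def detect(events: List[Dict[str, str]]) -> List[Finding]:
    """Score every event, then correlate: an antivirus termination whose parent
    process was itself flagged as a miner gets an extra, higher-confidence reason."""
    findings = [Finding(ev.get("Image", ""), ev.get("ParentImage", ""), r)
                for ev in events if (r := score_event(ev))]
    miner_images = {f.image.lower() for f in findings
                    if set(f.reasons) & {"xmrig_name", "miner_flags", "pool_url"}}
    for f in findings:
        if "av_kill" in f.reasons and f.parent_image.lower() in miner_images:
            f.reasons.append("av_kill_by_miner")
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.image}  <-  {f.parent_image}: {', '.join(f.reasons)}")
```

Run against the constructed events, the checker reports three findings: the plainly named xmrig.exe, the renamed winupd.exe (caught only by its option set and pool URL), and the taskkill launched by winupd.exe, which is escalated because its parent was already flagged. The parent correlation is the part a single-event signature cannot express, and it is the reason the rule kit above is paired with process-lineage data.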
Adversaries quickly co-opt newly disclosed flaws into their illicit cryptocurrency mining activities. To avoid unwanted impacts, stay up to date on threat hunting with scalable solutions provided by SOC Prime’s Detection as Code platform.