Malware Mines, Steals Cryptocurrencies From Victims

How’s your Bitcoin balance? Interested in earning more? The value of cybercurrency is going up. One way to increase your holdings is by “mining,” which is legal as long as it is done with the proper permissions. Using your own mining equipment or establishing a formal agreement for outsourcing are two methods. Hardware vendors such as Asus manufacture motherboards that are specifically tailored for mining cryptocurrency.

Bitcoin mining involves complex mathematical calculations that are carried out by a computer’s hardware and result in transaction records. These records are added to the Bitcoin public ledger, the “blockchain.” The ledger keeps track of all transactions and verifies these transactions are legitimate.

Cybercriminals are also attracted to online currency, which fuels much of their business, including malware purchases and ransomware payments. Cybercriminals would rather find outside computing power instead of using their own equipment because the price of a dedicated mining machine could exceed US$5,000. Cybercriminals often seek to bypass the agreement phase and maliciously introduce malware that will either use a victim’s computing power to mine for coins or simply locate and steal the user’s cryptocurrency.

Three popular Bitcoin miners.


The number of instances of mining malware has increased significantly, to 1.65 million victims this year, according to one report. That’s a lot of slowing machines and increased electricity costs. For individual users, the slowness and increased electricity bill may be trivial, and go unnoticed for a time. For businesses with hundreds or thousands of machines, however, the cost increase can be substantial.

The increased interest in illegally mining or stealing cryptocurrencies correlates easily with the increased value of these currencies. One Bitcoin (BTC) was recently worth more than $7,500, up from around $3,000 a few weeks ago. Even considering an earlier decline in value, Bitcoin has been trending upward for years. This upswing in value and the recent adoption of Bitcoin in Japan and South Korea as a legal tender have increased the demand for acquiring Bitcoin and altcoins. In September cybercriminals stole $63,000 worth of cryptocurrency in about three months by taking advantage of a flaw in Microsoft Windows Internet Information Services.

The price of Bitcoin since 2010. Source: CoinDesk.

Initial coin offerings (ICOs) have also contributed to this gold rush. ICOs are similar to IPOs but instead of issuing to investors shares of a new company, the investors are given cryptocurrency in the hopes a new company will be successful and result in a higher value for their digital coins.

During the last few years we have seen an increase in innovation by malware authors to infiltrate this space, resulting in malware that both mines or steals coins and spans various and platforms. Let’s break down some of the tools and techniques in the world of crypto-mining/-stealing malware that has arisen.

  • NightMiner
  • Adylkuzz
  • EternalMiner
  • MulDrop.14
  • ELF Linux/Mirai
  • OSX/Miner-D
  • Dridex
  • Trickbot
  • Jimmy Nukebot
  • HawkEye
  • Cerber
  • Web Mining


NightMiner mining malware was first seen in the wild in March 2015 and has been used to mine the Monero cryptocurrency. Some cybercriminals have turned to Monero due to its built-in security features and lower cost to mine. For example, Monero by default supports many blockchain obfuscation and anonymity technologies such as stealth addresses and crypto notes. This malicious software has been discovered on network attached storage (NAS) devices and takes advantage of those devices’ powerful CPU and GPU resources. The mining software can stay under the radar on these devices because most administrators fail to install antimalware software on NAS systems. Sophos released an extensive report discussing this malware.


Adylkuzz is more recent, coming on the scene in this year. The mining malware is similar to the well-known ransomware WannaCry in that it exploits two flaws in Microsoft’s server message block (SMB) that are known as EternalBlue and DoublePulsar. Both defects were leaked by the Shadow Brokers hacking group and are believed to be the work of the U.S. National Security Agency’s Equation Group. Adylkuzz is unique in that it will block all access to TCP Port 445, preventing other malware from taking advantage of the SMB flaws.

Code snippet from the EternalBlue Metasploit module.


Linux systems are not immune. EternalMiner took advantage of a vulnerability in Samba to infect as many systems as possible. The flaw allowed Samba servers to load and execute code remotely after a shared library was uploaded by a malicious client. A patch to address the seven-year-old flaw was released in May, but cybercriminals made thousands of dollars before network administrators could update their servers.


Researchers have seen instances of Raspberry Pi—a small, versatile single-board computer— attacked by the crypto mining malware Linux.MulDrop.14. The malicious software does not attempt to mine the CPU-intensive Bitcoin but, like NightMiner, focuses on Monero. This action shows a level of innovation as cybercriminals expand their scope to acquire cryptocurrencies across additional platforms.

ELF Linux/Mirai

Cryptocurrency malware mining has been discovered in connection with the Mirai botnet. ELF Linux/Mirai continues to evolve and has added a Bitcoin miner slave module, allowing the malware to mine cryptocurrency from thousands of infected IoT devices, according to a report from IBM X-Force. Mirai, discovered in August 2016, infected IoT devices and has also been responsible for several DDoS attacks, including against DNS provider Dyn and Liberia’s Internet infrastructure.


Source: McAfee Labs Threats Report, March 2017


Although Apple’s Mac OS has not been heavily targeted, it is also not immune. OSX/Miner-D both steals Bitcoins and mines a system. This malware has been around since 2011 and is the second most common malware on the Mac. The malware, which is inserted into legitimate apps uploaded to torrent sites, made a surge early this year and resulted in more than 20% of all detections in May. We expect to soon see new variants of this malicious software.


Cryptocurrency mining has caught the attention of the Dridex Trojan’s developers. Dridex is a banking Trojan that steals credentials to access accounts. Samples of this malware were discovered in 2016 that find and steal cryptocurrency wallets.

Dridex is sophisticated malware. The developers behind this malware continue to evolve its code to avoid detection, increase infections, distribute ransomware, steal banking and personal information, and now pilfer Bitcoins.


The cybercriminals behind Trickbot have added the capability to steal cryptocurrency. Trickbot has been around for years and has recently added as one of its attack vectors. Once a system is infected, the malware monitors the victim’s browsing habits and injects a fake login page whenever the user visits The fake page allows criminals to steal the login information, resulting in the theft cryptocurrencies including Bitcoin, Ethereum, and Litecoin as well as other digital assets. 

Jimmy Nukebot

Another Trojan making headlines is Jimmy Nukebot. The authors behind the malicious software used code from the NeutrinoPOS banker Trojan. This variant, detected by McAfee as RDN/PWS-Banker, does not steal bank card data as before but installs various modules that contain a payload. One payload mines Monero. The digital wallet associated with the miner has received only about $45, which may indicate the malware authors either changed wallets or have stopped mining, according to Kaspersky.

McAfee Labs detections for some variants of mining malware. Peek detections are the highest number of detection occurrences on a single date in 2017.


The credential harvesting malware HawkEye, which surfaced in 2014, has added Bitcoin wallet stealing to its arsenal. The malware is well known for stealing a variety of credentials from web browsers and mail clients. Recent samples show HawkEye targeting the file wallet.dat, which holds the user’s Bitcoin private keys along with other transaction information.


Developers behind most ransomware prefer the ransoms be paid using cryptocurrency. In the recent case of Cerber, however, the actors have resorted to stealing the coins from the wallet before encrypting the system. Cerber is one of the most prolific ransomware families, infecting millions of computers worldwide. The ransomware has seen a decline in the past few months but continues to wreak havoc.

The number of Cerber samples detected during the last 90 days. Source: Ransomware Tracker.

Web Mining

One new trend is a technique that mines cryptocurrency when visitors connect to websites. Coinhive and Crypto-Loot, as well as others, sell Monero mining software that allows the buyer to insert JavaScript into websites. The JavaScript mines cryptocurrency by using the site visitor’s CPU power. The service has been a hot topic since it first appeared because the software can be used maliciously to allow cybercriminals to mine cryptocurrency without users consent. A few legitimate sites, including The Pirate Bay and a major television company, have recently been found using the software to mine Monero. The entertainment conglomerate has removed the code but it remains unclear whether hackers injected the software or if the company included the code to make a few extra dollars while unsuspecting users were watching their favorite shows.

The Pirate Bay has also removed the mining code and released a statement claiming the 24-hour test was designed to see if the popular file-sharing site could use the miner to generate revenue and potentially replace ads. A few other sites, including Iridium and PublicHD, are using the JavaScript code openly: Both sites inform their users of the code and in the case of Iridium allow them to opt out. The unsuspected use of web miners has caused some websites to go dark. Internet provider Cloudflare began shutting down domains after the company discovered Coinhive’s software mining Monero from visitors to torrent site ProxyBunker. The domains, which were shuttered for not allowing users to opt out, were reopened after removing the mining code.

JavaScript code from Iridium’s Google Chrome miner extension.

Crypto mining is not new, but it has gained attention due to the popularity of cryptocurrency, ICOs, and the overall value increase of alt coins. As the adoption rate for cryptocurrency grows, we can expect cybercriminals to increasingly illegally mine or steal cryptocurrency. They can exploit online funds to shop on the dark web or in exchange for real currency.

A timeline of leading cryptocurrency miners.

Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.


More from McAfee Labs

Back to top