{"id":92309,"date":"2018-11-12T21:01:11","date_gmt":"2018-11-13T05:01:11","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=92309"},"modified":"2025-06-08T19:40:44","modified_gmt":"2025-06-09T02:40:44","slug":"webcobra-malware-uses-victims-computers-to-mine-cryptocurrency","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency\/","title":{"rendered":"WebCobra Malware Uses Victims\u2019 Computers to Mine Cryptocurrency"},"content":{"rendered":"

The authors thank their colleagues Oliver Devane and Deepak Setty for their help with this analysis.<\/em><\/p>\n

McAfee Labs researchers have discovered new Russian malware, dubbed WebCobra, which harnesses victims\u2019 computing power to mine for cryptocurrencies.<\/p>\n

Coin mining malware is difficult to detect. Once a machine is compromised, a malicious app runs silently in the background with just one sign: performance degradation. As the malware increases power consumption, the machine slows down, leaving the owner with a headache and an unwelcome bill, as the energy it takes to mine a single bitcoin can cost from $531 to $26,170<\/a>, according to a recent report.<\/p>\n

The increase in the value of cryptocurrencies has inspired cybercriminals to employ malware that steals machine resources to mine crypto coins without the victims\u2019 consent.<\/p>\n

The following chart shows how the prevalence of miner malware follows changes in the price of Monero cryptocurrency.<\/p>\n

\"\"<\/a><\/p>\n

Figure <\/em>1<\/em>: The price of cryptocurrency Monero peaked at the beginning of 2018. The total samples of coin miner malware continue to grow. Source: https:\/\/coinmarketcap.com\/currencies\/monero\/.<\/em><\/p>\n

McAfee Labs has previously analyzed<\/a> the cryptocurrency file infector CoinMiner; and the Cyber Threat Alliance, with major assistance from McAfee, has published a report, \u201cThe Illicit Cryptocurrency Mining Threat.\u201d<\/a> Recently we examined the Russian application WebCobra, which silently drops and installs the Cryptonight miner or Claymore’s Zcash miner, depending on the architecture WebCobra finds. McAfee products detect and protect against this threat.<\/p>\n

We believe this threat arrives via rogue PUP installers. We have observed it across the globe, with the highest number of infections in Brazil, South Africa, and the United States.<\/p>\n

\"\"<\/a><\/p>\n

Figure 2: McAfee Labs heat map of WebCobra infections from September 9\u201313. <\/em><\/p>\n

This cryptocurrency mining malware is uncommon in that it drops a different miner depending on the configuration of the machine it infects. We will discuss that detail later in this post.<\/p>\n

Behavior<\/strong><\/h2>\n

The main dropper is a Microsoft installer that checks the running environment. On x86 systems, it injects Cryptonight miner code into a running process and launches a process monitor. On x64 systems, it checks the GPU configuration and downloads and executes Claymore’s Zcash miner from a remote server.<\/p>\n

\"\"<\/a><\/p>\n

Figure 3: WebCobra\u2019s installation window.<\/em><\/p>\n

After launching, the malware drops and unzips a password-protected Cabinet archive file with this command:<\/p>\n

\"\"<\/a><\/p>\n

Figure 4: The command to unzip the dropped file.<\/em><\/p>\n

The CAB file contains two files:<\/p>\n