September 17, 2018 By Douglas Bonderud 2 min read

Researchers spotted two new Monero malware attacks targeting Windows and Android devices that hide in plain sight and masquerade as legitimate application updates.

Quick Heal Security Labs discovered the new “invisible” Monero mining infection trying to hide on Windows PCs. Once installed, this self-extracting executable unpacks a VBS script, extraction utility, password-protected archive and batch file in the C:/ProgramFiles/Windriverhost directory. It then launches ouyk.vbs to maintain persistence and xvvq.bat to keep the computer on by modifying the PowerCFG command.

Finally, it runs the driverhost.exe mining program, which mines for Monero, while xvvq.bat regularly checks for analysis and antivirus tools using the tasklist command. The infection vector is currently unknown, but Quick Heal speculated that spear phishing and malvertising are likely culprits.

Meanwhile, as noted by Fortinet, the Android/HiddenMiner.A!tr malware attempts to compromise Android devices by posing as an update to the Google Play Store. If installed on an emulator or virtual machine, it shuts down to avoid analysis. If installed on a mobile device, it activates and asks for administrative privileges. If not granted, the malware will continue asking for permission until users allow installation.

Monero Malware Hides in Plain Sight

Along with efforts to avoid analysis, Quick Heal noted that the Monero malware also limits central processing unit (CPU) usage to 35 percent for all mining activity. Given the persistence of the malware and the low CPU cap, users may not encounter the system performance issues and application lag commonly associated with mining attacks, improving the malware’s ability to go undetected for long periods of time.

On the other hand, the HiddenMiner malware is problematic for Android users because it appears in the Google Play Store as an update to the Store itself. As a result, users aren’t surprised by requests for admin rights since the “update” seemingly comes from Google.

How to Mitigate the Threat of Monero Malware

Shutting down these Monero malware tools requires keeping devices up to date and regularly checking desktops for indicators of compromise (IoCs). As noted by IBM X-Force Exchange, the HiddenMiner malware won’t work on Android 7.0 or later thanks to a change in Android PacKage (APK) format that introduced a new signing mechanism. Malware attempting to execute on devices running 7.0 or later will instead return an error message.

IBM security professionals also recommend targeting common IoCs to detect mining malware. As noted by Quick Heal, a flaw in the xvvq.bat file means it only kills driverhost.exe if taskmgr.exe is running — making it easier for security teams to track down the driverhost.exe IoC and take action to remove the malware.

Sources: Quick Heal Security Labs, Fortinet

More from

We are moving!

< 1 min read - SecurityIntelligence.com is being sunset, but have no fear!We have a new home for all of your favorite security and X-Force content.Follow us to www.ibm.com/think to maintain access to the stories and news you love, both new and old.Security Intelligence will officially sunset on Friday, March 28, 2025. To access the latest security thought leadership, go here. To access the latest X-Force research, go here.If you are experiencing cybersecurity issues or an incident, contact X-Force® to help:US hotline: 1-888-241-9812 | Global hotline:…

Bypassing Windows Defender Application Control with Loki C2

10 min read - Windows Defender Application Control (WDAC) is a security solution that restricts execution to trusted software. Since it is classified as a security boundary, Microsoft offers bug bounty payouts for qualifying bypasses, making it an active and competitive field of research.Typical outcomes of a WDAC bypass bug bounty submission:Bypass is fixed; possible bounty awardedBypass is not fixed but instead "mitigated" by being added to the WDAC recommended block list. Likely no bounty awarded but honorable mention is typically givenBypass is not…

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today