September 17, 2018 | By Douglas Bonderud

Researchers spotted two new Monero malware attacks targeting Windows and Android devices that hide in plain sight and masquerade as legitimate application updates.

Quick Heal Security Labs discovered the new “invisible” Monero mining infection trying to hide on Windows PCs. Once installed, this self-extracting executable unpacks a VBS script, extraction utility, password-protected archive and batch file in the C:/ProgramFiles/Windriverhost directory. It then launches ouyk.vbs to maintain persistence and xvvq.bat to keep the computer on by modifying the PowerCFG command.

Finally, it runs the driverhost.exe mining program, which mines for Monero, while xvvq.bat regularly checks for analysis and antivirus tools using the tasklist command. The infection vector is currently unknown, but Quick Heal speculated that spear phishing and malvertising are likely culprits.

Meanwhile, as noted by Fortinet, the Android/HiddenMiner.A!tr malware attempts to compromise Android devices by posing as an update to the Google Play Store. If installed on an emulator or virtual machine, it shuts down to avoid analysis. If installed on a mobile device, it activates and asks for administrative privileges. If those privileges are not granted, the malware will continue asking for permission until users allow installation.

Monero Malware Hides in Plain Sight

Along with efforts to avoid analysis, Quick Heal noted that the Monero malware also limits central processing unit (CPU) usage to 35 percent for all mining activity. Given the persistence of the malware and the low CPU cap, users may not encounter the system performance issues and application lag commonly associated with mining attacks, improving the malware’s ability to go undetected for long periods of time.

On the other hand, the HiddenMiner malware is problematic for Android users because it appears in the Google Play Store as an update to the Store itself. As a result, users aren’t surprised by requests for admin rights since the “update” seemingly comes from Google.

How to Mitigate the Threat of Monero Malware

Shutting down these Monero malware tools requires keeping devices up to date and regularly checking desktops for indicators of compromise (IoCs). As noted by IBM X-Force Exchange, the HiddenMiner malware won’t work on Android 7.0 or later thanks to a change in Android Package (APK) format that introduced a new signing mechanism. Malware attempting to execute on devices running 7.0 or later will instead return an error message.

IBM security professionals also recommend targeting common IoCs to detect mining malware. As noted by Quick Heal, a flaw in the xvvq.bat file means it only kills driverhost.exe if taskmgr.exe is running — making it easier for security teams to track down the driverhost.exe IoC and take action to remove the malware.
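As an added illustration (not code from Quick Heal, Fortinet or IBM), the Python sketch below triages a host against the Windows IoCs named above: it parses `tasklist /FO CSV` output for driverhost.exe, flags files under a Windriverhost folder, and records whether Task Manager was open, since xvvq.bat kills the miner in that case. The sample process list, the sample paths (including data.bin) and all function names are constructed for this example.

```python
import csv
import io
from pathlib import PureWindowsPath

# Names from the article; Windows compares them case-insensitively.
MINER = "driverhost.exe"
DROP_DIR = "windriverhost"
NAMED_SCRIPTS = {"ouyk.vbs", "xvvq.bat"}

# Constructed sample input, not captured from a real host.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"explorer.exe","4120","Console","1","98,432 K"
"DriverHost.exe","6612","Console","1","41,220 K"
'''
SAMPLE_PATHS = [
    "C:/ProgramFiles/Windriverhost/ouyk.vbs",
    "C:\\ProgramFiles\\Windriverhost\\data.bin",
    "C:\\Windows\\System32\\drivers\\etc\\hosts",
]

def running_images(tasklist_csv):
    """Map lower-cased image name to its PIDs, from `tasklist /FO CSV` text."""
    images = {}
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if len(row) >= 2 and row[1].isdigit():  # skips header and blank rows
            images.setdefault(row[0].lower(), []).append(int(row[1]))
    return images

def suspicious_paths(paths):
    """Return (path, is_named_script) for every file under a Windriverhost folder."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if DROP_DIR in {part.lower() for part in wp.parts[:-1]}:
            hits.append((p, wp.name.lower() in NAMED_SCRIPTS))
    return hits

def triage(tasklist_csv, paths):
    images = running_images(tasklist_csv)
    return {
        "miner_pids": images.get(MINER, []),
        "files": suspicious_paths(paths),
        # xvvq.bat kills the miner while Task Manager is open, so an empty
        # miner_pids list is not evidence of a clean host in that case.
        "process_check_reliable": "taskmgr.exe" not in images,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_TASKLIST, SAMPLE_PATHS))
```

A name match is a lead for investigation rather than a verdict; confirm any hit against the file's location and hash before removal.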

Sources: Quick Heal Security Labs, Fortinet
