{
	"id": "ecaaef80-4df6-474f-8442-aec9820fe94c",
	"created_at": "2026-04-06T01:32:26.275337Z",
	"updated_at": "2026-04-10T13:12:52.277061Z",
	"deleted_at": null,
	"sha1_hash": "f55d86536f7cf42dfb317ec792492b592374aea2",
	"title": "On the trail of the XMRig miner",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 230583,
	"plain_text": "On the trail of the XMRig miner\r\nBy Anton Kuzmenko\r\nPublished: 2020-10-22 · Archived: 2026-04-06 01:02:22 UTC\r\nAs protection methods improve, the developers of miners have had to enhance their own creations, often turning\r\nto non-trivial solutions. Several such solutions (previously unseen by us) were detected during our analysis of the\r\nopen source miner XMRig.\r\nHow it all began: ransominer\r\nAlongside well-known groups that make money from data theft and ransomware (for example, Maze, which is\r\nsuspected of the recent attacks on SK Hynix and LG Electronics), many would-be attackers are attracted by the\r\nhigh-profile successes of cybercrime. In terms of technical capabilities, such amateurs lag far behind organized\r\ngroups and therefore use publicly available ransomware, targeting ordinary users instead of the corporate sector.\r\nThe outlays on such attacks are often quite small, so the miscreants have to resort to various stratagems to\r\nmaximize the payout from each infected machine. For example, in August of this year, we noticed a rather curious\r\ninfection method: on the victim’s machine, a Trojan (a common one detected by our solutions as\r\nTrojan.Win32.Generic) was run, which installed administration programs, added a new user, and opened RDP\r\naccess to the computer. Next, the ransomware Trojan-Ransom.Win32.Crusis started on the same machine,\r\nfollowed by the loader of the XMRig miner, which then set about mining Monero cryptocurrency.\r\nAs a result, the computer would already start earning money for the cybercriminals just as the user saw the ransom\r\nnote. 
In addition, RDP access allowed the attackers to manually study the victim’s network and, if desired, spread\r\nthe ransomware to other nodes.\r\nDetails about Trojan files:\r\nMssql — PC Hunter x64 (f6a3d38aa0ae08c3294d6ed26266693f)\r\nmssql2 — PC Hunter x86 (f7d94750703f0c1ddd1edd36f6d0371d)\r\nexe — nmap-like network scanner (597de376b1f80c06d501415dd973dcec)\r\nbat — removes shadow copy\r\nbat — creates a new user, adds it to the administrators group, opens the port for RDP access, and starts the\r\nTelnet server\r\nexe — IOBIT Unlocker (5840aa36b70b7c03c25e5e1266c5835b)\r\nEVER\\SearchHost.exe — Everything software (8add121fa398ebf83e8b5db8f17b45e0)\r\nEVER\\1saas\\1saas.exe — ransomware Trojan-Ransom.Win32.Crusis\r\n(0880430c257ce49d7490099d2a8dd01a)\r\nEVER\\1saas \\LogDelete — miner loader (6ca170ece252721ed6cc3cfa3302d6f0, HEUR:Trojan-Downloader.Win32.Generic)\r\nhttps://securelist.com/miner-xmrig/99151/\r\nPage 1 of 4\n\nBatch script systembackup.bat adds a user and opens access via RDP\r\nWe decided to use KSN to examine how often XMRig and its modifications get bundled with malware. It emerged\r\nthat in August 2020 there were more than 5,000 attempts to install it on users’ computers. The parties responsible\r\nfor its distribution turned out to be the Prometei malware family and a new family called Cliptomaner.\r\nPrometei backdoor\r\nThe Prometei family has been known since 2016, but spotted together with XMRig for the first time in February\r\n2020. What’s more, the backdoor was distributed in an unusual way: whereas during ordinary attacks the\r\ncybercriminals gain server access through various exploits, this time they used brute-force attacks. Having thus\r\nobtained usernames and passwords for computers with MS SQL installed, the attackers used the T-SQL function\r\nxp_cmdshell to run several PowerShell scripts and elevated the privileges of the current user by exploiting the\r\nCVE-2016-0099 vulnerability. 
After that, Purple Fox Trojan and Prometei itself were installed on the victim’s\r\nmachine. The whole attack, starting with the brute-forcing of credentials to connect to the SQL server and ending\r\nwith the installation of Prometei, was carried out in fully automatic mode.\r\nThe installation process is of interest: the .NET executable file, packed into an ELF file using standard .NET Core\r\ntools (Apphost), sends information about the infected machine to the C\u0026C server, and then downloads the\r\ncryptocurrency miner and its configuration. The versions of the loaders for Windows and Linux differ only\r\nslightly: the .NET build for different platforms saved the attackers from having to create a separate loader for\r\nLinux and allowed cryptocurrency mining on powerful Windows and Linux servers.\r\nCliptomaner miner\r\nDetected in September 2020, Cliptomaner is very similar to its fellows: like them, it not only mines\r\ncryptocurrency, but can also substitute cryptowallet addresses in the clipboard. The miner version is selected\r\naccording to the computer configuration and downloaded from C\u0026C. The malware is distributed under the guise\r\nof software for Realtek audio equipment. On the whole, we saw no new techniques, but interestingly Cliptomaner\r\nis written entirely in the AutoIT scripting language. 
Most of the time, families with similar behavior are written in\r\ncompiled languages, such as C# or C, but in this case the authors opted for a more creative approach, and wrote a\r\nlengthy script that selects the required version of the miner and receives cryptowallet addresses from C\u0026C for\r\nsubstitution.\r\nSubstituting cryptowallets in the clipboard\r\nKaspersky security solutions detect the above malicious programs with the following verdicts:\r\nHEUR:Trojan.MSIL.Prometei.gen, HEUR:Trojan.Script.Cliptomaner.gen, HEUR:Trojan-Downloader.Win32.Generic, Trojan-Ransom.Win32.Crusis, Trojan.Win64.Agentb, not-a-virus:RiskTool.Win64.XMRigMiner\r\nIndicators of compromise (IoC)\r\nDomains\r\nCryptowallets used for substitution\r\nMD5\r\nSource: https://securelist.com/miner-xmrig/99151/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/miner-xmrig/99151/"
	],
	"report_names": [
		"99151"
	],
	"threat_actors": [],
	"ts_created_at": 1775439146,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f55d86536f7cf42dfb317ec792492b592374aea2.pdf",
		"text": "https://archive.orkl.eu/f55d86536f7cf42dfb317ec792492b592374aea2.txt",
		"img": "https://archive.orkl.eu/f55d86536f7cf42dfb317ec792492b592374aea2.jpg"
	}
}