Bitcoin mining botnets have returned

Kaspersky Lab's anti-malware research team has identified two botnets of computers infected with malicious software that secretly installs cryptocurrency miners: legitimate software used to mine virtual currencies based on blockchains.

In one case the researchers were able to calculate that a network of 4,000 computers could earn its owners up to $30,000 a month, and in another case the researchers witnessed a "jackpot" of over $200,000 from a botnet of 5,000 computers.

The architecture of Bitcoin and other cryptocurrencies means that, in addition to buying cryptocurrency, a user can create new currency units (coins) using the computing power of computers running specialized “mining” software. At the same time, according to the idea behind cryptocurrencies, the more coins are produced, the more time and computing power is required to create a new one.

A few years ago, malware that installed Bitcoin miners (using victims' computers to mine coins for cybercriminals) was a common practice in the threat landscape. But the more Bitcoins were mined, the more difficult it became to mine new ones, and in some cases the method stopped being worthwhile: the potential economic benefit a criminal could gain from a Bitcoin mining effort did not cover the investment needed to create and distribute the malware and to maintain the supporting infrastructure.

However, the price of Bitcoin, the first and most popular cryptocurrency, has soared in recent years from hundreds to thousands of dollars per coin, triggering a real "cryptocurrency fever" across the world. Hundreds of enthusiastic teams and startups have begun to launch their own Bitcoin alternatives, many of which have also gained significant market value over a relatively short period of time.

These changes in the cryptocurrency market have inevitably caught the attention of digital criminals, who are now turning to fraud schemes that manage to quietly install cryptocurrency mining software on thousands of computers.

Based on recent research by Kaspersky Lab specialists, the criminals behind the newly discovered botnets distribute the mining software via adware programs that their victims install voluntarily.

Once the adware is installed on the victim's computer, it downloads a malicious tool: the miner installer. This tool installs the miner and then takes several steps to ensure that the miner keeps working for as long as possible. These steps include:

  • Trying to disable the security software.
  • Monitoring every application launch and suspending its own activity if the user starts a program that monitors system activity or running processes.
  • Ensuring that at least one copy of the mining software is present on the hard disk and restoring it if it is deleted.
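The second behaviour in the list, going quiet while a monitoring tool is open, leaves a pattern a defender can look for in process telemetry. The sketch below is an added example, not Kaspersky Lab's detection logic: the process names, sample data and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry: (time_s, process name, CPU %), one sample per 10 s.
# All process names here are hypothetical.
CPU_SAMPLES = (
    [(t, "updsvc.exe", 95.0) for t in (0, 10, 20)]           # busy while unobserved
    + [(t, "updsvc.exe", 1.0) for t in (30, 40, 50)]         # idle while monitor is open
    + [(t, "updsvc.exe", 94.0) for t in (60, 70)]            # resumes afterwards
    + [(t, "render.exe", 90.0) for t in range(0, 80, 10)]    # honest heavy workload
    + [(t, "browser.exe", 10.0) for t in range(0, 80, 10)]   # light workload
)
# Constructed intervals (start_s, end_s, tool) when a process monitor was running.
MONITOR_SESSIONS = [(30, 60, "taskmgr.exe")]


def evasive_processes(samples, sessions, busy=70.0, idle=5.0):
    """Return names of processes that are CPU-heavy on average while no
    monitoring tool runs, yet never exceed `idle` percent while one does.
    The `busy` and `idle` thresholds are assumptions to tune per fleet."""
    def observed(t):
        return any(start <= t < end for start, end, _tool in sessions)

    inside, outside = defaultdict(list), defaultdict(list)
    for t, name, cpu in samples:
        (inside if observed(t) else outside)[name].append(cpu)

    flagged = []
    for name, out_vals in outside.items():
        in_vals = inside.get(name)
        if not in_vals:
            continue  # never sampled during a monitor session: no evidence
        if sum(out_vals) / len(out_vals) >= busy and max(in_vals) <= idle:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    print(evasive_processes(CPU_SAMPLES, MONITOR_SESSIONS))
```

A steady heavy workload such as the hypothetical `render.exe` is not flagged, because its load does not depend on whether anyone is watching.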

When the first coins are mined, they are transferred to wallets belonging to the criminals, leaving the victims with an unexpectedly underperforming computer and slightly higher electricity bills than usual. According to Kaspersky Lab's observations, the criminals are trying to mine two cryptocurrencies: Zcash and Monero. These particular currencies were probably chosen because they provide a reliable way to keep transfers to and from the holders' wallets anonymous.

The first signs of the return of malicious miners were identified by Kaspersky Lab in December 2016, when a company researcher reported that at least 1,000 computers were infected with malicious software that mined Zcash, a cryptocurrency introduced at the end of October 2016.

During this period, thanks to the rapidly growing Zcash price, this botnet could bring its owners up to $6,000 a week. At that time, new mining botnets were predicted, and the results of the recent research prove that this prediction was correct.

"The biggest problem with malicious miners is that it is really hard to reliably detect such activity, because the malware uses completely legitimate mining software, which in a normal situation could also be installed by a legitimate user. Another disturbing fact we identified while observing these two new botnets is that malicious miners are themselves becoming valuable on the underground market. We have seen criminals offer so-called "miner creators": software that allows anyone who is willing to pay for the full version to create his own mining botnet. This means that the botnets we have recently identified will not be the last ones," said Evgeny Lopatin, a malware analyst at Kaspersky Lab.

In general, the number of users who have faced cryptocurrency miners has increased dramatically in recent years. For example, in 2013, Kaspersky Lab's products protected around 205,000 users globally who were attacked by such a threat. In 2014, the number increased to 701,000, and the number of infected users in the first eight months of 2017 reached 1.65 million.

Number of users protected by Kaspersky Lab from malicious cryptocurrency miners from 2011 to 2017

To avoid having their computer turned into a zombie miner that works hard to earn money for criminals, Kaspersky Lab researchers advise users to take the following steps:

  • Do not install suspicious software from unreliable sources on your computer.
  • The adware detection feature may be disabled by default in the security solution. Make sure you have it turned on.
  • Use a proven online security solution to protect your digital environment from all possible threats, including malicious miners.
  • If you are running a server, make sure it is protected by a security solution, as servers are profitable targets for criminals because of their high computing performance (compared to the average computer).

Kaspersky Lab products detect and successfully block this malware under the following detection names:

  • RiskTool.Win32.BitCoinMiner.hxao
  • PDM:.Win32.Generic

More information on malicious mining botnets can be found on the dedicated website Securelist.com.

Written by Dimitris