XMRig is an endpoint cryptomining malware capable of doing damage without an active browser session, and its use is on the rise.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A new cryptomining malware, XMRig, is doing something that previous strains haven't: It can operate without an open browser session.
- Cryptomining malware is the hot new threat, and it's adapting. Security professionals need to be careful not to rely on old methods to protect their systems.
Antimalware company Check Point has released its latest Most Wanted Malware report for March, and it warns of a surge in cryptomining malware attacks driven by the XMRig malware.
Cryptomining malware, which uses the computing resources of an infected machine to mine cryptocurrency on behalf of the attacker, has been booming in the past several months, both on PCs and mobile devices. What makes XMRig worthy of particular attention is that it signals a departure from previous cryptomining malware models, which have generally required an open browser session.
XMRig is endpoint malware, meaning it infects the target machine and can operate without an active browser session, a shift which spells trouble for security professionals.
"Cryptomining malware has been quite the success story for cybercriminals, and XMRig's rise indicates that they are actively invested in modifying and improving their methods in order to stay ahead of the curve," Maya Horowitz, Check Point's threat intelligence group manager, said in the report.
What is XMRig?
XMRig itself isn't malware—it's just a piece of software designed to mine for the Monero cryptocurrency. It doesn't take much to weaponize a basic utility like XMRig, which is exactly what has happened.
According to Palo Alto Networks, XMRig malware has infected more than 15 million machines around the world, with the bulk of the victims located in Asia, Africa, and South America.
The malware appears to be spreading via file sharing websites like DropMeFiles, 4Sync, and Rapid Files, which all feature public linking to downloads. Palo Alto Networks also reported instances of internet users being infected by malicious Adfly advertisements.
Once installed, the XMRig malware uses proxies to hide its traffic and obscure the wallet destinations, and it also adds the infected PC to Nicehash, an online marketplace where users can sell their processing power for use by cryptocurrency miners.
Protecting yourself from XMRig malware
The standard malware-prevention advice for PC users and tech professionals applies here as well: don't download files from untrusted sites, make sure the latest Windows updates are installed, use reliable antivirus software, and restrict users from making system changes to avoid malware installation.
Threats continue to evolve, and it's likely cryptomining malware will continue to grow in popularity as long as it is lucrative. Stay vigilant on all fronts and you shouldn't have anything to worry about.