McAfee Labs Finds Russian Crypto Mining Malware Correlated to Monero Price

McAfee Labs, the research unit of John McAfee’s cybersecurity firm, reveals it has discovered WebCobra, a Russian coin mining malware which explores victim’s computing power.

Kapil Khade, a security researcher, has also uncovered a correlation between the miner malware’s supposed “prevalence” with the movement of Monero’s (XMR) price.

McAfee Labs has discovered what it says is an “uncommon” and not easily detectable crypto mining malware.

Uncommon in such a way that it drops a different miner based on the configuration of the mining machine it infects.

Working with colleagues Oliver Devane and Deepak Setty, Khade is able to analyze the Russian-produced malware known as the WebCobra.

The malicious malware takes victims’ machine resources as it increases power consumption while quietly operating in the background and mining digital currency. Once it infects a machine, the computer warns the owner of “performance degradation.” However, in the absence of an updated anti-malware software, the computer does not have the ability to detect the presence of the threat.

In a November 12 blog post, Khade disputes that the increase in the value of cryptocurrencies has resulted to a notable rise in the use of the malware for crypto mining purposes. This particular Russian crypto jacking malware appears to have a specific leaning towards Monero (XMR), the privacy-focused virtual asset priced at just above $100. Khade writes:

“The increase in the value of cryptocurrencies has inspired cybercriminals to employ malware that steals machine resources to mine crypto coins without the victims’ consent.”

Khade has also presented a chart which compares Monero price from way back January 2016 to July 2018 against “coin miner malware samples.” The chart presents an apparent correlation between the two, showing that the mining malware reached its record-high one month after the cryptocurrency bubble burst early this year.

Despite the continuous plunge in the prices of Monero and other virtual currencies, the use of coin mining malware appears to have seen a significant increase.

Based on McAfee Labs’ heat map of WebCobra infections from September 9 to 13, this “uncommon” Russian mining malware is more rampant in the U.S., Brazil, and South Africa. Khade also explains that the “file infector” secretly drops and installs the Cryptonight or Claymore’s Zcash miner. He adds by saying:

“The main dropper is a Microsoft installer that checks the running environment. On x86 systems, it injects Cryptonight miner code into a running process and launches a process monitor. On x64 systems, it checks the GPU configuration and downloads and executes Claymore’s Zcash miner from a remote server.”