
PSA: XMRig Cuda miner... not caught by Win Defender.

Joined
Sep 17, 2014
Messages
20,952 (5.97/day)
Location
The Washing Machine
Processor i7 8700k 4.6Ghz @ 1.24V
Motherboard AsRock Fatal1ty K6 Z370
Cooling beQuiet! Dark Rock Pro 3
Memory 16GB Corsair Vengeance LPX 3200/C16
Video Card(s) ASRock RX7900XT Phantom Gaming
Storage Samsung 850 EVO 1TB + Samsung 830 256GB + Crucial BX100 250GB + Toshiba 1TB HDD
Display(s) Gigabyte G34QWC (3440x1440)
Case Fractal Design Define R5
Audio Device(s) Harman Kardon AVR137 + 2.1
Power Supply EVGA Supernova G2 750W
Mouse XTRFY M42
Keyboard Lenovo Thinkpad Trackpoint II
Software W10 x64
There used to be a CPU version of this BTC miner.

I just caught one using CUDA on my rig, pushing GPU usage to 100% at boost clock and using over 3 GB of VRAM. I was wondering why the PC had been making noise at idle for a few days and started looking manually.

Found a set of files nested in an application that's been on the PC for over a year. For analysis: the application will hide and stop itself immediately when you come out of idle, and activates itself after about 2-3 minutes of idle time. Therefore, quickly opening Task Manager to see what's happening is not going to work for you. I tracked it down with timestamps and MSI Afterburner OSD monitoring.

[attached screenshot: 1598973045502.png]


The highlighted dll will come up with all sorts of goodness if you search it.
Sent a report to MS as well.

Take note of the fact that these files have likely been 'dormant' for over a month as well :eek:
 
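The idle-gating behaviour described in the post (starts a couple of minutes into idle, dies the instant input resumes) is hard to catch by eye but easy to score from timestamps. The following is an added example, not code from the original post or from any tool named in the thread: it parses a constructed event log of idle windows and process start/stop events and flags images whose every observed run was idle-gated. The log format, paths and process names are all made up for the example; on a real Windows host the IDLE_* events would come from polling GetLastInputInfo and the PROC_* events from Sysmon (event IDs 1 and 5).

```python
"""Heuristic for idle-gated execution: a process that starts shortly after the
user goes idle and exits the moment input resumes. Runs against a constructed
event log (see SAMPLE_LOG); the format is invented for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WAKE_TOLERANCE = timedelta(seconds=30)   # "stopped on wake" = exited this soon after idle ended

# Constructed sample log for this example (not from the original post).
# Two idle windows; svc_helper.exe appears ~3 min into each and exits 1 s after input resumes.
# browser.exe straddles an idle window; backup.exe starts in idle but keeps running after it.
SAMPLE_LOG = """\
2020-08-29T22:10:03 IDLE_START
2020-08-29T22:12:41 PROC_START pid=4120 image=C:\\Apps\\OldApp\\svc_helper.exe
2020-08-29T23:05:10 IDLE_END
2020-08-29T23:05:11 PROC_STOP pid=4120
2020-08-29T23:20:00 PROC_START pid=5200 image=C:\\Apps\\Browser\\browser.exe
2020-08-30T01:00:00 IDLE_START
2020-08-30T01:02:55 PROC_START pid=4188 image=C:\\Apps\\OldApp\\svc_helper.exe
2020-08-30T01:05:00 PROC_START pid=6000 image=C:\\Apps\\Backup\\backup.exe
2020-08-30T07:30:02 IDLE_END
2020-08-30T07:30:03 PROC_STOP pid=4188
2020-08-30T07:45:00 PROC_STOP pid=5200
2020-08-30T08:10:00 PROC_STOP pid=6000
"""

LINE_RE = re.compile(
    r"^(\S+) (IDLE_START|IDLE_END|PROC_START|PROC_STOP)(?: pid=(\d+))?(?: image=(.+))?$")


def parse_log(text):
    """Return (idle_windows, runs): idle windows as (start, end) pairs, process
    runs as dicts with pid, image, start and stop (stop is None if still alive)."""
    idle_windows, idle_open = [], None
    runs, live = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts = datetime.fromisoformat(m.group(1))
        kind, pid, image = m.group(2), m.group(3), m.group(4)
        if kind == "IDLE_START":
            idle_open = ts
        elif kind == "IDLE_END" and idle_open is not None:
            idle_windows.append((idle_open, ts))
            idle_open = None
        elif kind == "PROC_START":
            run = {"pid": int(pid), "image": image, "start": ts, "stop": None}
            runs.append(run)
            live[int(pid)] = run
        elif kind == "PROC_STOP" and pid and int(pid) in live:
            live.pop(int(pid))["stop"] = ts
    return idle_windows, runs


def _overlap(a0, a1, b0, b1):
    return max(timedelta(0), min(a1, b1) - max(a0, b0))


def score_run(run, idle_windows, end_of_log):
    """Three features per run: started inside an idle window, exited within
    WAKE_TOLERANCE after an idle window closed, and fraction of lifetime spent idle."""
    start, stop = run["start"], run["stop"] or end_of_log
    started_in_idle = any(s <= start <= e for s, e in idle_windows)
    stopped_on_wake = run["stop"] is not None and any(
        timedelta(0) <= run["stop"] - e <= WAKE_TOLERANCE for _, e in idle_windows)
    life = stop - start
    idle_time = sum((_overlap(start, stop, s, e) for s, e in idle_windows), timedelta(0))
    idle_fraction = idle_time / life if life > timedelta(0) else 0.0
    return started_in_idle, stopped_on_wake, idle_fraction


def summarize(log_text, min_idle_fraction=0.9):
    """Per image: number of runs and how many of them were fully idle-gated.
    Idle fraction alone is not enough (backup.exe scores 0.9); the exit-on-wake
    feature is what separates a miner from a scheduled maintenance task."""
    idle_windows, runs = parse_log(log_text)
    end_of_log = max([e for _, e in idle_windows] + [r["stop"] or r["start"] for r in runs])
    stats = defaultdict(lambda: {"runs": 0, "gated": 0})
    for run in runs:
        in_idle, on_wake, frac = score_run(run, idle_windows, end_of_log)
        st = stats[run["image"]]
        st["runs"] += 1
        if in_idle and on_wake and frac >= min_idle_fraction:
            st["gated"] += 1
    return dict(stats)


def flag_idle_gated(log_text, min_runs=2):
    """Images seen at least min_runs times where every run was idle-gated.
    One run is not enough: one-off maintenance tasks also start on idle."""
    return sorted(img for img, st in summarize(log_text).items()
                  if st["runs"] >= min_runs and st["gated"] == st["runs"])


if __name__ == "__main__":
    for img, st in summarize(SAMPLE_LOG).items():
        print(f"{img}: {st['gated']}/{st['runs']} idle-gated runs")
    print("suspect:", flag_idle_gated(SAMPLE_LOG))
```

Collecting the events is the only host-specific part; the scoring is what replaces "quickly open Task Manager", which by design never sees a process that exits on the first keystroke.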
Joined
Feb 19, 2006
Messages
6,270 (0.94/day)
Location
New York
Processor INTEL CORE I9-9900K @ 5Ghz all core 4.7Ghz Cache @1.305 volts
Motherboard ASUS PRIME Z390-P ATX
Cooling CORSAIR HYDRO H150I PRO RGB 360MM 6x120mm fans push pull
Memory CRUCIAL BALLISTIX 3000Mhz 4x8 32gb @ 4000Mhz
Video Card(s) EVGA GEFORECE RTX 2080 SUPER XC HYBRID GAMING
Storage ADATA XPG SX8200 Pro 1TB 3D NAND NVMe,Intel 660p 1TB m.2 ,1TB WD Blue 3D NAND,500GB WD Blue 3D NAND,
Display(s) 50" Sharp Roku TV 8ms responce time and Philips 75Hz 328E9QJAB 32" curved
Case BLACK LIAN LI O11 DYNAMIC XL FULL-TOWER GAMING CASE,
Power Supply 1600 Watt
Software Windows 10
Good catch @Vayra86, I'm pretty certain Malwarebytes would have caught it during a periodic scan, no?
 
Joined
Jan 8, 2017
Messages
8,944 (3.36/day)
System Name Good enough
Processor AMD Ryzen R9 7900 - Alphacool Eisblock XPX Aurora Edge
Motherboard ASRock B650 Pro RS
Cooling 2x 360mm NexXxoS ST30 X-Flow, 1x 360mm NexXxoS ST30, 1x 240mm NexXxoS ST30
Memory 32GB - FURY Beast RGB 5600 Mhz
Video Card(s) Sapphire RX 7900 XT - Alphacool Eisblock Aurora
Storage 1x Kingston KC3000 1TB 1x Kingston A2000 1TB, 1x Samsung 850 EVO 250GB , 1x Samsung 860 EVO 500GB
Display(s) LG UltraGear 32GN650-B + 4K Samsung TV
Case Phanteks NV7
Power Supply GPS-750C
Nefarius software ? More like, Nefarious software.

Sorry ...
 
Joined
Mar 10, 2010
Messages
11,878 (2.30/day)
Location
Manchester uk
System Name RyzenGtEvo/ Asus strix scar II
Processor Amd R5 5900X/ Intel 8750H
Motherboard Crosshair hero8 impact/Asus
Cooling 360EK extreme rad+ 360$EK slim all push, cpu ek suprim Gpu full cover all EK
Memory Corsair Vengeance Rgb pro 3600cas14 16Gb in four sticks./16Gb/16GB
Video Card(s) Powercolour RX7900XT Reference/Rtx 2060
Storage Silicon power 2TB nvme/8Tb external/1Tb samsung Evo nvme 2Tb sata ssd/1Tb nvme
Display(s) Samsung UAE28"850R 4k freesync.dell shiter
Case Lianli 011 dynamic/strix scar2
Audio Device(s) Xfi creative 7.1 on board ,Yamaha dts av setup, corsair void pro headset
Power Supply corsair 1200Hxi/Asus stock
Mouse Roccat Kova/ Logitech G wireless
Keyboard Roccat Aimo 120
VR HMD Oculus rift
Software Win 10 Pro
Benchmark Scores 8726 vega 3dmark timespy/ laptop Timespy 6506
There used to be a CPU version of this BTC miner.

I just caught one using CUDA on my rig, pushing GPU usage to 100% at boost clock and using over 3 GB of VRAM. I was wondering why the PC had been making noise at idle for a few days and started looking manually.

Found a set of files nested in an application that's been on the PC for over a year. For analysis: the application will hide and stop itself immediately when you come out of idle, and activates itself after about 2-3 minutes of idle time. Therefore, quickly opening Task Manager to see what's happening is not going to work for you. I tracked it down with timestamps and MSI Afterburner OSD monitoring.

[attached screenshot (attachment 167408)]

The highlighted dll will come up with all sorts of goodness if you search it.
Sent a report to MS as well.

Take note of the fact that these files have likely been 'dormant' for over a month as well :eek:
That gets installed via Roccat Swarm software. I've seen it; it's a GitHub repo, I remember checking it. It wasn't mining on my PC at the time, but I did notice something recently that I'll now check up on, cheers.
 
Joined
Sep 17, 2014
Messages
20,952 (5.97/day)
Location
The Washing Machine
Processor i7 8700k 4.6Ghz @ 1.24V
Motherboard AsRock Fatal1ty K6 Z370
Cooling beQuiet! Dark Rock Pro 3
Memory 16GB Corsair Vengeance LPX 3200/C16
Video Card(s) ASRock RX7900XT Phantom Gaming
Storage Samsung 850 EVO 1TB + Samsung 830 256GB + Crucial BX100 250GB + Toshiba 1TB HDD
Display(s) Gigabyte G34QWC (3440x1440)
Case Fractal Design Define R5
Audio Device(s) Harman Kardon AVR137 + 2.1
Power Supply EVGA Supernova G2 750W
Mouse XTRFY M42
Keyboard Lenovo Thinkpad Trackpoint II
Software W10 x64
Good catch @Vayra86, I'm pretty certain Malwarebytes would have caught it during a periodic scan, no?

Yes. Malwarebytes would have caught it. I actually installed that and ran it manually after tactically nuking the dll itself and it found registry entries and leftovers.

Here is the log. Some info removed.

Nefarius software ? More like, Nefarious software.

Sorry ...

Yeah, it's a funny coincidence, but let's be clear: ScpToolkit or its dev is not involved in this at all. In the log you can also see some files in a Google Update folder, for example.
 

Attachments

  • TrojanBTCMiners dd 01-09-2020.txt
    2.3 KB · Views: 195
Joined
Mar 26, 2010
Messages
9,795 (1.90/day)
Location
Jakarta, Indonesia
System Name micropage7
Processor Intel Xeon X3470
Motherboard Gigabyte Technology Co. Ltd. P55A-UD3R (Socket 1156)
Cooling Enermax ETS-T40F
Memory Samsung 8.00GB Dual-Channel DDR3
Video Card(s) NVIDIA Quadro FX 1800
Storage V-GEN03AS18EU120GB, Seagate 2 x 1TB and Seagate 4TB
Display(s) Samsung 21 inch LCD Wide Screen
Case Icute Super 18
Audio Device(s) Auzentech X-Fi Forte
Power Supply Silverstone 600 Watt
Mouse Logitech G502
Keyboard Sades Excalibur + Taihao keycaps
Software Win 7 64-bit
Benchmark Scores Classified
Nice find, personally I put Malwarebytes down as a must-have app.
 
Joined
Oct 22, 2014
Messages
13,210 (3.80/day)
Location
Sunshine Coast
System Name Black Box
Processor Intel Xeon E3-1260L v5
Motherboard MSI E3 KRAIT Gaming v5
Cooling Tt tower + 120mm Tt fan
Memory G.Skill 16GB 3600 C18
Video Card(s) Asus GTX 970 Mini
Storage Kingston A2000 512Gb NVME
Display(s) AOC 24" Freesync 1m.s. 75Hz
Case Corsair 450D High Air Flow.
Audio Device(s) No need.
Power Supply FSP Aurum 650W
Mouse Yes
Keyboard Of course
Software W10 Pro 64 bit
The bigger concern is how it attached itself to an existing application that has been on the system for roughly a year, yet the miner is only 1.5 months old.
Something in that toolkit allows entry and has been exploited.
 
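The old-install, new-files pattern raised above is exactly what a timestamp triage of the application directory surfaces. The following is an added example, not code from the thread or from ScpToolkit: it walks a directory, takes the oldest modification time as the install baseline (or an install date you supply), lists everything that appeared well after it, and hashes those files for lookup. The fixture directory, file names and ages are constructed for the example. Two caveats a practitioner would add: mtime is trivially forged (timestomping), so corroborate on a live Windows box with the NTFS creation time, the $MFT record and the installer's own log; and legitimate updaters also drop new files, so the output is a worklist, not a verdict.

```python
"""Timeline triage of an application directory: report files modified far
later than the install baseline. Added example with a constructed fixture;
not the toolkit's code. mtime can be forged, so treat hits as leads only."""
import hashlib
import os
import tempfile
import time
from datetime import datetime, timedelta, timezone

DAY = 86400


def sha256_file(path):
    """Hash in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_late_additions(root, install_time=None, gap=timedelta(days=30)):
    """Files under root modified more than `gap` after the install baseline.
    Baseline is install_time (a UTC-aware datetime) if known, otherwise the
    oldest mtime in the tree: an installer's original payload usually shares
    one timestamp, so the oldest file approximates the install date."""
    entries = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
            entries.append((path, mtime))
    if not entries:
        return []
    baseline = install_time or min(m for _, m in entries)
    late = sorted(((p, m) for p, m in entries if m - baseline > gap), key=lambda t: t[1])
    return [{
        "path": os.path.relpath(p, root),
        "mtime": m.isoformat(timespec="seconds"),
        "days_after_baseline": (m - baseline).days,
        "sha256": sha256_file(p),        # for lookup against AV vendor / multi-scanner portals
    } for p, m in late]


def build_demo_tree():
    """Constructed fixture: an app 'installed' 365 days ago plus one DLL that
    appeared 42 days ago. Contents are placeholder bytes, not real binaries.
    Integer timestamps keep the day arithmetic exact."""
    root = tempfile.mkdtemp(prefix="oldapp_")
    now = int(time.time())
    fixture = [
        (("OldApp.exe",), b"MZ original binary", 365),
        (("Core.dll",), b"MZ original library", 365),
        (("Plugins", "Helper.dll"), b"MZ dropped six weeks later", 42),
    ]
    for parts, data, age_days in fixture:
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        stamp = now - age_days * DAY
        os.utime(path, (stamp, stamp))
    return root


def triage_demo():
    """Build the fixture and return the triage list for it."""
    return find_late_additions(build_demo_tree())


if __name__ == "__main__":
    for hit in triage_demo():
        print(f"{hit['path']}  mtime={hit['mtime']}  "
              f"+{hit['days_after_baseline']}d  sha256={hit['sha256']}")
```

Point it at the real install directory with `find_late_additions(r"C:\Program Files\<app>", gap=timedelta(days=60))` and the single file that is a year younger than its neighbours stands out immediately; the hash is what you then submit with a vendor report, together with whatever dropped it.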
Joined
Aug 20, 2007
Messages
20,787 (3.41/day)
System Name Pioneer
Processor Ryzen R9 7950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage 2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64
Nefarius software ? More like, Nefarious software.

Sorry ...

He's a legit dev (Nefarius Software is his company). He makes ScpToolkit, which is a PS3 controller must-have or something. I know him from my work with vJoy.

I wonder what in the world that's doing in there...

Also, the problem with reporting these to Windows Defender is that some people WANT to run these mining apps, and they do have a legit use case. Hence, Windows Defender tends to whitelist them when their devs complain along that line of thought. The issue isn't that dll. It's the malware bundling the miner. You need to find what included that before you can have a successful report, as the miner is most likely legit open-source software.
 