Minerva Labs has recently discovered a new cryptocurrency mining campaign that uses evasion techniques to avoid being detected. In the campaign dubbed “WaterMiner”, malicious code was delivered to innocent gamers, hidden in gaming ‘mods’. Once the gamer runs the ‘mod’, unknowingly his machine is abused to produce financial gains for the attacker by mining cryptocurrency.

What is cryptocurrency mining and what’s in it for cyber-attackers?

Cryptocurrencies are becoming an increasingly common method of payment, with Bitcoin the most widely adopted example and accepted by well-known retailers like Expedia.

But Bitcoin is not the only cryptocurrency out there. There are more than 10 different cryptocurrencies with a market cap exceeding 1 billion US dollars including Ethereum, Litecoin, ZCash and Monero.

Crypto-mining is the crowdsourcing process where mining programs use the computer’s hardware resources to mine different types of cryptocurrencies. The process of crypto-mining will generate some cryptocurrency reward to the people who put these programs to work.

Crypto-mining malware is a mining program that abuses its victim’s resources to perform the heavy computational operations required in the mining process, while the cybercriminal collects the reward for the mining.

Lately, there has been an increase in malware mining a specific type of cryptocurrency – Monero. Monero’s design makes it anonymous and virtually untraceable, causing it to be highly popular among cybercriminals.




The Monero ‘Gold Rush’

Like the original Gold Rush from the late nineteenth century, mining cryptocurrency is widely becoming an ‘easy money’ fad. Minerva Labs has recently unveiled the mining of Monero in a ‘gold rush-like’ campaign which is abusing the computational power of endpoints. This could bring organizations to a halt when an attacker gets a foothold on the endpoint and runs crypto miner malware.

The WaterMiner Campaign

Dubbed by Minerva, the “WaterMiner” campaign it infects victims with a simple yet effective Monero mining malware, which is designed to evade endpoint monitoring tools.

The attackers spread WaterMiner by illicitly bundling this crypto-mining malware with gaming “mods”, which were intended to patch computer games in order to augment or bypass the original functionality of the game. The campaign distributed the malicious software on a Russian-speaking forum. For instance, one of the Trojanized mods claimed to “enhance” the popular R-rated game GTA. It was distributed to the victims under the name “Arbuz” – watermelon in Russian, which is why we named the campaign WaterMiner.

Who is behind WaterMiner?

In the world of cybercrime, we often come-across well-organized gangs. However, it seems that Monero also attracts resourceful individuals who are not the classic attackers we might imagine as criminal masterminds.

We believe we have tracked the person behind the WaterMiner campaign. He appears to hide under the alias “Martin Opc0d3r”, and has some history in developing other forms of questionable or malicious software, such as auto-aiming bots and mods for computer games. However, it seems that lately he realized it’s possible to earn money from his popular mods by infecting his “clients” with multiple types of malware, including crypto-miners.

At the moment, crypto-miners are not very sophisticated and blacklisting host and port combinations will successfully block most miners. However, we predict that mining-malware will become increasingly sophisticated and will maneuver around firewall and IPS\IDS products.


To get the full report on the WaterMiner campaign here.