Trend Micro recently came across a botnet that turns an infected system into an involuntary Bitcoin miner. BKDR_BTMINE.MNR installs the mining software onto affected systems. It uses the system’s resources to solve Bitcoin blocks in order to generate more Bitcoins.
A Bitcoin “block” is a complex cryptographic problem. Solving a block pays out 50 Bitcoins and blocks are created every time a Bitcoin transaction is made. The process of solving these blocks is called “mining”. The only way to solve a block is by brute-forcing, which eats up system resources. To speed up the computation of a block, mining pools are created. The equation is split up into pieces and is solved by multiple systems. The incentive is based on how much a miner contributes to the solution.
Here, BKDR_BTMINE.MNR installs three different mining software and runs whatever the system’s processing speed can allow. To help speed up the processing, the malware downloads necessary drivers for the GPU and CPU of the affected system. If blocks are solved, attackers gain ownership of the generated Bitcoins.
We also found another malware detected as BKDR_BTMINE.DDOS, which is a component of BKDR_BTMINE.MNR. BKDR_BTMINE.DDOS can perform distributed denial of service (DDoS) attacks on targeted entities. The malware can also obtain a list of targeted websites from remote sites. The DDoS component may be used to attack competing Bitcoin miners and limit their processing power. The malware also tries to communicate with a long list of IP addresses. A list of more than 2,000 IP addresses is hardcoded in the malware and is constantly updated upon execution.
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
