CryptoMiner “TaksHostMiner” Has Compromised Over 10000 Computers in Just One Day

Fel Grossi
Jan 17, 2014
Recently, 360 Security Center discovered a new CryptoMiner Trojan that infected tens of thousands of computers in one day. The Trojan is bundled with game plugins and infects the user’s computer when the plugin is executed. It also monitors Task Manager and terminates itself while the user is checking Task Manager and CPU usage. We named it “TaksHostMiner”.

Analysis

The Trojan is bundled with various game cracking plugins to infect victims’ computers. It decompresses itself from a self-extracting RAR file into the folder C:\ProgramData\Adobe\AdobeRTF, executes start.vbs to start mining and hides the related files with hide.vbs.

start.vbs runs start.bat every 15 seconds.

start.bat kills the mining process, taskhost.exe, if Task Manager and related processes are running. Otherwise, it executes config64.vbs to run config64.bat and restart the mining Trojan. The Trojan also hides itself under log-style paths such as C:\ProgramData\Windows\Logs\takshost.exe or C:\ProgramData\Adobe\SLCache\Logs\64.exe to avoid being noticed.

As can be seen from config64.bat, it executes takshost.exe, which is built from the open-source cpuminer-opt code. The mining command line is:

    takshost.exe -a yescryptr16 -o stratum+tcp://cryply.ukkey3.space:3333 -u molch.60 -p 1 -t %NUMBER_OF_PROCESSORS%/2

hide.vbs runs hide.bat, which sets the hidden attribute on the Trojan’s files and their folder.
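The file paths, script names and mining command line above are enough to write a simple hunt over a process snapshot. The following is an added example, not code from the 360 Security Center write-up; it matches each process record against those indicators and also flags the transposed "takshost.exe" name, or a "taskhost.exe" running outside System32, since the legitimate one only lives there. The process snapshot is constructed for illustration. Because the Trojan kills its miner while Task Manager is open, feed it a snapshot taken by another tool (for example a scheduled WMI or PowerShell process dump), not one taken while Task Manager is running.

```python
import re
from collections import namedtuple

# Indicators quoted from the write-up above (lower-cased for matching).
KNOWN_PATHS = (
    r"c:\programdata\adobe\adobertf",
    r"c:\programdata\windows\logs\takshost.exe",
    r"c:\programdata\adobe\slcache\logs\64.exe",
)
KNOWN_NAMES = {"takshost.exe", "start.vbs", "start.bat", "hide.vbs",
               "hide.bat", "config64.vbs", "config64.bat"}
STRATUM_RE = re.compile(r"stratum\+tcp://", re.IGNORECASE)
ALGO_RE = re.compile(r"-a\s+yescryptr16\b", re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32\\"

# One process record from a snapshot: pid, image name, image path, full command line.
Proc = namedtuple("Proc", "pid name path cmdline")

def proc_findings(p):
    """Return the names of every indicator that matches one process record."""
    text = (p.path + " " + p.cmdline).lower()
    name = p.name.lower()
    findings = []
    if name in KNOWN_NAMES or any(k in text for k in KNOWN_PATHS):
        findings.append("known TaksHostMiner file or folder")
    if STRATUM_RE.search(p.cmdline):
        findings.append("stratum pool URL on the command line")
    if ALGO_RE.search(p.cmdline):
        findings.append("cpuminer yescryptr16 algorithm flag")
    # The real taskhost.exe is only ever started from System32; a transposed
    # name, or a copy anywhere else, is the lookalike the Trojan relies on.
    if name == "takshost.exe" or (name == "taskhost.exe" and not p.path.lower().startswith(SYSTEM32)):
        findings.append("taskhost lookalike outside System32")
    return findings

def scan(procs):
    """Map pid -> findings for every process that matched at least one indicator."""
    return {p.pid: f for p in procs if (f := proc_findings(p))}

# Constructed snapshot (not real telemetry): a legitimate taskhost, the miner with
# the parameters from the write-up, the start.vbs watchdog and an unrelated process.
SAMPLE = [
    Proc(1204, "taskhost.exe", r"C:\Windows\System32\taskhost.exe", "taskhost.exe"),
    Proc(5120, "takshost.exe", r"C:\ProgramData\Windows\Logs\takshost.exe",
         "takshost.exe -a yescryptr16 -o stratum+tcp://cryply.ukkey3.space:3333 -u molch.60 -p 1 -t 2"),
    Proc(6300, "wscript.exe", r"C:\Windows\System32\wscript.exe",
         r'wscript.exe "C:\ProgramData\Adobe\AdobeRTF\start.vbs"'),
    Proc(7001, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe --type=renderer"),
]
```

`scan(SAMPLE)` reports the miner (four indicators) and the wscript.exe process that runs start.vbs from the Trojan folder, and nothing for the two legitimate processes.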