RiskWare.BitCoinMiner

Short bio

RiskWare.BitCoinMiner is Malwarebytes’ generic detection name for crypto-currency miners that may be active on a system without user consent. These do not necessarily mine for Bitcoins, it could be mining for a different crypto-currency. Crypto-currency miners use a lot of resources to optimize the earning of the virtual currency. For this reason, threat actors try to use other people’s machines to do the mining for them. This detection warns you that a bitcoin miner is active on your system, but it has no way of checking whether it is working for you or for someone else. That is why these bitcoin miners are detected as riskware.

Riskware, in general, is a detection for items that are not strictly malicious, but pose some sort of risk for the user in another way.

Symptoms

Users may notice a very slow computer as most of the CPU cycles will be used up by the miner. The process-names may vary but NsCpuCNMiner32.exe and NsCpuCNMiner64.exe are very common ones, which are not necessarily malicious.

CPU usage miner

Source and type of infection

Extended use of crypto-miners can cause overheating of systems and high power usage.
The most common infection method for unsolicited bitcoin miners are bundlers. However, there are many other infection methods in use.

Protection

Malwarebytes protects users from RiskWare.BitCoinMiner by using real-time protection.

block RiskWare.BitCoinMiner

Malwarebytes blocks RiskWare.BitCoinMiner

Remediation

Malwarebytes can remove RiskWare.BitCoinMiner for you if you decide that you want to get rid of it.

  1. Please download Malwarebytes to your desktop.
  2. Double-click MBSetup.exe and follow the prompts to install the program.
  3. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click on the Get started button.
  5. Click Scan to start a Threat Scan.
  6. Click Quarantine to remove the found threats.
  7. Reboot the system if prompted to complete the removal process.

Add an exclusion

Should users wish to keep this program and exclude it from being detected in future scans, they can add the program to the exclusions list. Here’s how to do it.

  • Open Malwarebytes for Windows.
  • Click the Detection History
  • Click the Allow List
  • To add an item to the Allow List, click Add.
  • Select the exclusion type Allow a file or folder and use the Select a folder button to select the main folder for the software that you wish to keep.
  • Repeat this for any secondary files or folder(s) that belong to the software.

If you want to allow the program to connect to the Internet, for example to fetch updates, also add an exclusion of the type Allow an application to connect to the internet and use the Browse button to select the file you wish to grant access.

Traces/IOC

Filenames: NsCpuCNMiner32.exe, NsCpuCNMiner64.exe, and many others run with arguments similar to this:

-o stratum+ssl://xmr-eu1.nanopool.org:14433 -u {wallet address} -p x

where the wallet address may or may not be yours.

Common domains: coinhive.com, minergate.com,

Select your language