RiskWare.BitCoinMiner

Short bio

RiskWare.BitCoinMiner is Malwarebytes’ generic detection name for crypto-currency miners that may be active on a system without user consent. These do not necessarily mine for Bitcoins, it could be mining for a different crypto-currency. Crypto-currency miners use a lot of resources to optimize the earning of the virtual currency. For this reason, threat actors try to use other people’s machines to do the mining for them. This detection warns you that a bitcoin miner is active on your system, but it has no way of checking whether it is working for you or for someone else. That is why these bitcoin miners are detected as riskware.

Riskware, in general, is a detection for items that are not strictly malicious, but pose some sort of risk for the user in another way.

Symptoms

Users may notice a very slow computer as most of the CPU cycles will be used up by the miner. The process-names may vary but NsCpuCNMiner32.exe and NsCpuCNMiner64.exe are very common ones, which are not necessarily malicious.

CPU usage miner

Source and type of infection

Extended use of crypto-miners can cause overheating of systems and high power usage.
The most common infection method for unsolicited bitcoin miners are bundlers. However, there are many other infection methods in use.

Protection

Malwarebytes protects users from RiskWare.BitCoinMiner by using real-time protection.

block RiskWare.BitCoinMiner

Malwarebytes blocks RiskWare.BitCoinMiner

Remediation

Malwarebytes can remove RiskWare.BitCoinMiner for you if you decide that you want to get rid of it.

  • Please download Malwarebytes to your desktop.
  • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Add an exclusion

Should users wish to keep this program and exclude it from being detected in future scans, they can add the program to the exclusions list. Here’s how to do it.

The Exclusions tab includes a list of items to be excluded from scans. The items may include files, folders, websites, or applications that connect to the Internet, as well as previously detected exploits.

To access the exclusions in Malwarebytes:

  • Click on the Settings tab in the left pane.
  • Click on the Exclusions tab.
  • Click the Add Exclusion button.
  • Select the exclusion type Exclude a File or Folder and use the Browse button to select the main folder for the software that you wish to keep.
  • Repeat this for any secondary folder(s) that belong to the software.
  • If you want to allow the program to connect to the Internet, for example to fetch updates, add an exclusion of the type Exclude an application that Connects to the Internet and use the Browse button to select the file you wish to grant access.

Traces/IOC

Filenames: NsCpuCNMiner32.exe, NsCpuCNMiner64.exe, and many others run with arguments similar to this:

-o stratum+ssl://xmr-eu1.nanopool.org:14433 -u {wallet address} -p x

where the wallet address may or may not be yours.

Common domains: coinhive.com, minergate.com,

Cybersecurity info you can’t do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Select your language