RiskWare.BitCoinMiner

Short Bio

RiskWare.BitCoinMiner is a generic detection for crypto-currency miners that may be active on a system without user consent. These do not necessarily mine for Bitcoins, it could be mining for a different crypto-currency. Crypto-currency miners use a lot of resources to optimize the earning of the virtual currency. For this reason, threat actors try to use other people’s machines to do the mining for them. This detection warns you that a bitcoin miner is active on your system, but it has no way of checking whether it is working for you or for someone else. That is why these bitcoin miners are detected as riskware.

Riskware, in general, is a detection for items that are not strictly malicious, but pose some sort of risk for the user in another way.

Symptoms

Users may notice a very slow computer as most of the CPU cycles will be used up by the miner. The process-names may vary but NsCpuCNMiner32.exe and NsCpuCNMiner64.exe are very common ones, which are not necessarily malicious.

CPU usage miner

Source and type of infection

The most common infection method for unsolicited bitcoin miners are bundlers. However, there are many other infection methods in use.

Aftermath

Extended use of crypto-miners can cause overheating of systems and high power usage.

Protection

Malwarebytes blocks the main process of the miner and block internet traffic to some of the domains that are used on systems without the users’ consent.

blocked miner

blocked domain

Remediation

Malwarebytes can remove RiskWare.BitCoinMiner for you if you decide that you want to get rid of it.

If you intentionally installed it, you can add it to your exclusions. Here’s how to do it.

Traces/IOC

Filenames: NsCpuCNMiner32.exe, NsCpuCNMiner64.exe, and many others run with arguments similar to this:

-o stratum+ssl://xmr-eu1.nanopool.org:14433 -u {wallet address} -p x

where the wallet address is not yours.

Common domains: coinhive.com, minergate.com,

Related blog content