RiskWare.BitCoinMiner

Short bio

RiskWare.BitCoinMiner is Malwarebytes’ generic detection name for crypto-currency miners that may be active on a system without user consent. These do not necessarily mine for Bitcoins, it could be mining for a different crypto-currency. Crypto-currency miners use a lot of resources to optimize the earning of the virtual currency. For this reason, threat actors try to use other people’s machines to do the mining for them. This detection warns you that a bitcoin miner is active on your system, but it has no way of checking whether it is working for you or for someone else. That is why these bitcoin miners are detected as riskware.

Riskware, in general, is a detection for items that are not strictly malicious, but pose some sort of risk for the user in another way.

Symptoms

Users may notice a very slow computer as most of the CPU cycles will be used up by the miner. The process-names may vary but NsCpuCNMiner32.exe and NsCpuCNMiner64.exe are very common ones, which are not necessarily malicious.

CPU usage miner

Source and type of infection

Extended use of crypto-miners can cause overheating of systems and high power usage.
The most common infection method for unsolicited bitcoin miners are bundlers. However, there are many other infection methods in use.

Protection

Malwarebytes protects users from RiskWare.BitCoinMiner by using real-time protection.

block RiskWare.BitCoinMiner

Malwarebytes blocks RiskWare.BitCoinMiner

Remediation

Malwarebytes can remove RiskWare.BitCoinMiner for you if you decide that you want to get rid of it.

Add an exclusion

Should users wish to keep this program and exclude it from being detected in future scans, they can add the program to the exclusions list. Here’s how to do it.

The Exclusions tab includes a list of items to be excluded from scans. The items may include files, folders, websites, or applications that connect to the Internet, as well as previously detected exploits.

To access the exclusions in Malwarebytes:

Traces/IOC

Filenames: NsCpuCNMiner32.exe, NsCpuCNMiner64.exe, and many others run with arguments similar to this:

-o stratum+ssl://xmr-eu1.nanopool.org:14433 -u {wallet address} -p x

where the wallet address may or may not be yours.

Common domains: coinhive.com, minergate.com,

Related blog content

Why is Malwarebytes blocking CoinHive?

How cryptocurrency mining works: Bitcoin vs. Monero