WebCobra drops a different miner depending on the system's architecture
Security experts from McAfee Labs examined a sample of WebCobra – Russian cryptojacking malware that exploits users' machines to mine Monero or Zcash. The most distinctive trait of the threat is that it drops a different payload depending on the architecture used: Cryptonight miner for x86 and Claymore’s Zcash miner for x64-based Windows systems.
WebCobra has been spotted making the rounds all over the world, although the most affected countries are Brazil, South Africa, and the United States. So far, McAfee Labs has not drawn any conclusions about how the malicious payload is propagated, although the researchers believe it is installed together with rogue freeware applications.
Cryptonight and Claymore’s Zcash are legitimate crypto mining tools but can easily be abused by hackers. The mined coins are directed to bad actors' wallets until the malware is eliminated.
WebCobra's behavioral traits
Soon after infiltration, the Microsoft installer checks the architecture of the system. On x86 systems, it injects malicious code into svchost.exe, which then runs an infinite loop that checks the names of open windows and immediately closes any whose name matches one of a predetermined set of strings. The process monitor is launched and creates another instance of svchost.exe, configured to start the Cryptonight miner process, which by itself consumes 100% of the CPU power of the compromised machine.
In the x64 environment, WebCobra first checks whether the open-source packet analyzer Wireshark is running and terminates it if so. If the application is not detected, the malware checks the GPU brand and mode (it does not run unless the GPU is Radeon, Nvidia or Asus) and then creates the folder C:\Users\AppData\Local\WIX Toolset 11.2, from which Claymore’s Zcash miner is executed. Finally, the malware deletes the main dropper from the system.
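As an added illustration of how a defender might hunt for the behaviours just described (this is example code written for this article, not McAfee's tooling; the telemetry record shapes, field names, sample values and the 90% CPU threshold are all assumptions), the following Python rules flag an svchost.exe instance hosting a miner, the fake "WIX Toolset 11.2" staging folder, and the termination of Wireshark:

```python
"""Triage of constructed endpoint telemetry for the WebCobra behaviours
described above. Added example, not McAfee's or the malware author's code.
Event shapes, field names and all sample values are constructed here;
real EDR telemetry uses different fields."""
from dataclasses import dataclass
from typing import List

# Indicators taken from the article text.
MINER_STAGING_DIR = r"\AppData\Local\WIX Toolset 11.2"   # x64 branch stages Claymore here
ANALYSIS_TOOL = "wireshark.exe"                          # x64 branch kills Wireshark first
# Assumption: sustained CPU at or above this is abnormal for a service host.
CPU_THRESHOLD = 90.0


@dataclass
class ProcessSample:
    """One row of a periodic process listing (constructed shape)."""
    name: str
    parent: str
    cpu_pct: float
    pid: int


@dataclass
class FileEvent:
    """Filesystem event (constructed shape)."""
    action: str   # "create" or "delete"
    path: str


@dataclass
class ProcEvent:
    """Process-control event (constructed shape)."""
    action: str   # e.g. "terminate"
    target: str   # image name of the affected process
    actor: str    # image name of the process that issued the action


def flag_processes(samples: List[ProcessSample]) -> List[str]:
    """x86 branch: the injected svchost.exe hosts the Cryptonight miner at ~100%
    CPU, and a second svchost.exe is spawned by the malware's own monitor."""
    findings = []
    for s in samples:
        if s.name.lower() != "svchost.exe":
            continue
        if s.cpu_pct >= CPU_THRESHOLD:
            findings.append(f"pid {s.pid}: svchost.exe at {s.cpu_pct:.0f}% CPU")
        # General Windows fact, not from the article: genuine svchost.exe
        # instances are children of services.exe.
        if s.parent.lower() != "services.exe":
            findings.append(f"pid {s.pid}: svchost.exe spawned by {s.parent}")
    return findings


def flag_files(events: List[FileEvent]) -> List[str]:
    """x64 branch: the miner is staged under the fake 'WIX Toolset 11.2' folder."""
    needle = MINER_STAGING_DIR.lower()
    return [f"{e.action}: {e.path}" for e in events
            if e.action == "create" and needle in e.path.lower()]


def flag_proc_events(events: List[ProcEvent]) -> List[str]:
    """x64 branch: Wireshark is terminated before the miner starts."""
    return [f"{e.actor} terminated {e.target}" for e in events
            if e.action == "terminate" and e.target.lower() == ANALYSIS_TOOL]


# Constructed sample telemetry: one clean service host, one miner host, etc.
SAMPLE_PROCESSES = [
    ProcessSample("svchost.exe", "services.exe", 3.2, 812),    # normal service host
    ProcessSample("svchost.exe", "svchost.exe", 99.6, 4120),   # miner host spawned by the monitor
    ProcessSample("chrome.exe", "explorer.exe", 41.0, 2200),   # busy, but not svchost.exe
]
SAMPLE_FILE_EVENTS = [
    FileEvent("create", r"C:\Users\alice\AppData\Local\Temp\setup.tmp"),
    FileEvent("create", r"C:\Users\alice\AppData\Local\WIX Toolset 11.2\miner.exe"),
]
SAMPLE_PROC_EVENTS = [
    ProcEvent("terminate", "Wireshark.exe", "svchost.exe"),
]


def triage() -> List[str]:
    """Run every rule over the constructed samples and return all findings."""
    return (flag_processes(SAMPLE_PROCESSES)
            + flag_files(SAMPLE_FILE_EVENTS)
            + flag_proc_events(SAMPLE_PROC_EVENTS))


if __name__ == "__main__":
    for line in triage():
        print(line)
```

Each rule is deliberately narrow: a service host pegged at 100% CPU, a service host with the wrong parent, a file created under the staging folder, and a capture tool being killed by another process. None of them alone is conclusive, but two or more firing on the same host within a short window is the pattern the article describes and is worth an analyst's attention.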
The amount of cryptojacking malware has increased by 459% since 2017
Due to the rise in cryptocurrency value over the past year, crypto-malware has become a lucrative business model for cybercriminals. The victim's system gets hijacked, and hardware components such as the CPU and GPU are used to solve complicated mathematical problems to mine Monero or other digital currencies. Users can barely notice the infection, as the malware shows no outward signs, although they might observe deteriorating PC performance and high electricity bills. As McAfee researchers explain:
Once a machine is compromised, a malicious app runs silently in the background with just one sign: performance degradation. As the malware increases power consumption, the machine slows down, leaving the owner with a headache and an unwelcome bill, as the energy it takes to mine a single bitcoin can cost from $531 to $26,170, according to a recent report.
While some attribute the 459% increase in cryptojacking to the NSA and the EternalBlue exploit, which is responsible for the worldwide WannaCry and NotPetya attacks, the increasing value of cryptocurrencies can also account for the rise. Because it is so easy to set up and maintain, several ransomware authors have switched their business model from money extortion to crypto mining; one of the best examples is the XioBa virus.
The best way to stop and prevent cryptojacking is to use reputable security solutions. Additionally, users are urged not to ignore an overloaded PC.