
High CPU Utilization Bitcoin Miner Malware: How to Solve


This is a write-up of a malware infection PEI has been engaged to address. This post is fairly brief for a reverse engineering post and honestly speaking, there isn’t much to reverse engineer when the malware developer is polite enough to leave a complete and nicely organized log file behind describing exactly what they did.

Finding the Malware

I began working on this the first week of October 2018. Our customer called in and reported a financial database not being accessible to users. A first look at vCenter revealed five line-of-business servers with 80%+ CPU utilization and the Oracle11g database service being stopped, presumably due to lack of CPU resources.

First order of business for CPU utilization is ProcExp from Sysinternals; this is what I found:


SPPSCV.EXE is intended to mimic the Windows Software Protection Platform service, SPPSVC.EXE; this is the core cryptocurrency miner executable.

The developer also implemented a well-known, commercially available (and non-malicious) service manager that is capable of:

  1. Detecting an app crash or service stoppage in case a user attempts to kill the process
  2. Re-installing the service if a user removes it
  3. Running a CPU watchdog that monitors the miner and ensures core OS resources are not starved for CPU

Looking further through Process Explorer, we find the file resides in the C:\windows\Fonts directory. This makes it harder for a normal user to remove, as on Windows 7, 8 and 10 this is a ‘themed’ directory and by default only font files are displayed in File Explorer.

Not to fear, you can use Windows Commander, WinDirStat or any other alternative file explorer software to work around this. I used WinDirStat since it was already installed. I was able to not only see the executable, but handily enough, the bad guys included an AWESOMELY complete log file.

157MB of cleartext dating back to the exact date and time of infection (yes, that is almost 6 months ago). Pro tip: don’t open it in Notepad, that won’t work.

The malware devs were VERY thorough in logging all their actions and nice enough to include the URL and port number pointing back to their command and control center.

Looking at the traffic log, it appears we’re contacting a command and control center in France through a JSON API using a non-standard port number.

This is neat; most botnets use IRC. The problem with IRC is that nobody other than botnets uses it these days, so security-conscious organizations block the IRC protocol altogether. Using JSON API calls permits the bad guys to sneak through.

A quick WHOIS lookup of the registered domain reveals a handy phone number to contact the French registrar should you want to start your legal action.

We also see the NAME AND NUMBER of the company this domain is registered to. So yeah, you can call them! You can call and ask why they are mining bitcoin with your servers.

(I have omitted the name of the company and phone number so I don’t have to have a meeting with Legal.)

How to block malicious traffic

A more practical method to stop the attack dead in its tracks is to tell your firewall admin to black-hole the route to the IP address of the command and control center.


Truthfully, this infection wasn’t very hard to contain. Simply locating the service manager and actual miner service and deleting them after stopping both services was enough for the infection to remain contained.
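One way to locate the miner and its service manager from PowerShell instead of a third-party file browser, as an added example that is not part of the original write-up. It only reports; the font-extension allow-list and the `spp*.exe` name pattern are assumptions, and it expects an elevated PowerShell 4.0 or later prompt.

```powershell
# Added example (not from the original post). Read-only: it changes nothing.
$fontsDir = Join-Path $env:windir 'Fonts'
$pattern  = [regex]::Escape($fontsDir)

# Assumed allow-list of extensions that normally live in the Fonts folder.
$fontExt = '.ttf', '.ttc', '.otf', '.fon', '.fnt', '.compositefont', '.ini', '.dat', '.xml'

# 1. Everything in Fonts that is not a font, including hidden/system files
#    that the themed Explorer view never shows (executables, the log file).
$files = Get-ChildItem -LiteralPath $fontsDir -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $fontExt -notcontains $_.Extension.ToLowerInvariant() } |
    Select-Object FullName, Length, CreationTimeUtc,
        @{ Name = 'SHA256'; Expression = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }

# 2. Services whose binary path points into Fonts (miner and service manager).
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match $pattern } |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName

# 3. Running processes whose image is in Fonts. The parent PID shows which
#    process is respawning the miner when it is killed.
$procs = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.ExecutablePath -match $pattern } |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CreationDate

# 4. Processes named like the real Software Protection service (sppsvc.exe)
#    but running from anywhere other than System32.
$realSpp = Join-Path $env:windir 'System32\sppsvc.exe'
$lookalikes = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -like 'spp*.exe' -and $_.ExecutablePath -and $_.ExecutablePath -ne $realSpp } |
    Select-Object ProcessId, Name, ExecutablePath

'--- Non-font files in Fonts ---';           $files      | Format-List
'--- Services running from Fonts ---';       $services   | Format-List
'--- Processes running from Fonts ---';      $procs      | Format-List
'--- sppsvc look-alikes outside System32 ---'; $lookalikes | Format-List
```

The earliest `CreationTimeUtc` among the reported files gives a starting point for the infection timeline, and the hashes can be recorded before anything is deleted.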


The source of infection in this case was easy to detect. One of the servers infected was a domain controller. The company only has a single sysadmin with access to the domain controller…

This attack is very different from a cryptolocker infection, mainly as it’s more of an annoyance than an all-stop to your business.

This is not custom-made malware. Simply running Malwarebytes revealed the infection (although it could not quite remove it due to the service manager being present).

So why did the infection occur in the first place if this is a common form of malware?

No anti-virus in place. That’s really it. All that was needed to stop the infection from occurring was to install and monitor quality anti-virus software.

We can do that for you BTW. Maybe we should talk… 303-974-6881.
