Minas is a Multi-Stage Cryptominer Malware

Minas, a malicious software designed for cryptocurrency mining, is an insidious threat that exploits the XMRIG application, originally intended for legitimate Monero mining. This particular type of malware exerts tremendous pressure on infected machines, thereby jeopardizing the overall health of the system and its hardware.

Minas employs various sophisticated techniques to elude detection and ensure its longevity. Its primary objective is to engage in the mining of cryptocurrencies, a process that involves utilizing computer power to solve complex mathematical problems in order to generate digital currency.

The act of mining necessitates robust hardware, which prompts cybercriminals to often exploit the devices of unsuspecting victims or harness entire botnets for this purpose, rather than investing in their own equipment.

The Minas Infection Chain, Step by Step

The summary of the infection chain goes as follows:

  • Through the Task Scheduler, a PowerShell script is executed, fetching the lgntoerr.gif file from a remote server.
  • Upon decryption, lgntoerr.gif transforms into a .NET DLL, which is then loaded.
  • The .NET DLL extracts and decrypts three files: two DLLs and an encrypted payload, placing them in the ProgramData directory.
  • A task is created by the .NET DLL to automatically run the legitimate ilasm.exe component during system startup using Task Scheduler.
  • Task Scheduler initiates ilasm.exe from the ProgramData directory.
  • ilasm.exe launches fusion.dll, a malicious DLL hijacker, also residing in the same directory.
  • fusion.dll loads the second decrypted DLL.
  • The second DLL generates a suspended dllhost.exe process.
  • The payload within the encrypted binary file is decrypted by the second DLL.
  • The decrypted payload is injected into the dllhost.exe process as a DLL.
  • The Process ID (PID) of the dllhost.exe process is saved in a file within the ProgramData directory.
  • Control is passed to the decrypted payload within the dllhost.exe process.
  • The payload DLL extracts and executes the miner DLL in the computer's memory.
  • In essence, these steps outline the progression of the infection chain, each stage contributing to the execution of the malicious miner component.

Why Are Cryptominers a Menace to the System as a Whole?

By exploiting system resources such as CPUs and GPUs, cryptominers consume a significant amount of computational power to generate digital currencies. This unauthorized and excessive usage can monopolize up to 100% of the device's resources, resulting in frequent system freezes, crashes, and other severe issues that render the affected device virtually unusable.

Moreover, the excessive strain on the system is likely to cause overheating. When combined with other factors like poor ventilation, high room temperature, and similar conditions, this excessive heat can inflict irreversible damage on the hardware, essentially "frying" the components.

To summarize, the presence of Minas or similar malicious software on devices can have dire consequences. These include diminished system performance, system failures, permanent loss of data, hardware deterioration, and substantial financial losses.

May 19, 2023

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.