Sign In with your
Trend Micro Account

若您需要技術支援,請 按此建立案件。

Frequently Asked Questions (FAQ) about Cryptocurrency and Cryptocurrency Malware

    • 更新於:
    • 28 Apr 2019
    • 產品/版本:
    • OfficeScan 11.0
    • OfficeScan XG.All
    • Deep Security 11.0
    • Deep Security 11.1
    • Deep Security 11.2
    • Deep Security 10.0
    • Deep Security 10.1
    • Deep Security 10.2
    • Deep Security 10.3
    • Worry-Free Business Security Standard/Advanced 10.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Worry-Free Business Security Standard/Advanced 9.5
    • Worry-Free Business Security Services 6.0
    • Worry-Free Business Security Services 6.1
    • Worry-Free Business Security Services 6.2
    • Worry-Free Business Security Services 6.3
    • Worry-Free Business Security Services 6.5
    • Apex One All.All
    • Worry-Free Business Security Services 6.6
    • 作業系統:
    • N/A N/A

The first decentralized cryptocurrency, bitcoin, sparked the creation of other cryptocurrencies. As cryptocurrencies became popular, threat actors have learned to adapt. From wire transfers, to gift cards, and prepaid vouchers, ransomware payment transitioned to cryptocurrencies. However, there's a new menace that have been gaining popularity since 2017 - cryptocurrency malware. Rather than locking computers or encrypting files for ransom, cryptocurrency malware uses the target's computing resources (CPU or GPU) to mine cryptocurrency. Learn more about cryptocurrency malware and how to defend against it.


To understand what cryptocurrency is, let’s consider the following statement from Satoshi Nakamoto’s bitcoin whitepaper:

“A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution.”


  • Peer to peer - each node acts as a server for the information stored upon it removing the need for a central server
  • electronic - no physical money involved
  • without going through a financial institution - no trusted third-parties like banks are involved

Based on this, we can infer that cryptocurrency is a digital currency which is decentralized and non-trust based. There are other cryptocurrencies aside from bitcoin called altcoins (alternative coins). Some of the most common are Ethereum (ETH), Litecoin (LTC), Zcash (ZEC), Dash (DASH), Ripple (XRP), Monero (XMR), Bitcoin Cash (BCH), Neo (NEO), Cardano (ADA), and EOS (EOS).

Mining is the process of verifying transactions and adding them to the blockchain. Blockchain is like a public ledger that contains all the previous transactions. Cryptocurrency is given to miners as a reward for validating the previous transactions.

Cryptocurrency can be obtained through legitimate means such as:

  • Solo mining – A miner performs the mining operations alone and gets the entire reward for mining a block.
  • Pool mining – Miners join together in a mining pool and the reward for mining a block is distributed depending on the method.

On the other hand, cryptocurrency can also be obtained through illegitimate means such as:

  • Cryptojacking – Unauthorized use of someone else’s computing resources to mine cryptocurrency

This may involve different types of coinminers such as web, local, and fileless which can also be a part of a mining pool. The motivation for cryptojacking is financial which is similar to ransomware.

Malware authors have been very creative in terms of delivering cryptocurrency malware. Here are some of the known infection channels:

Network Monitoring

Cryptocurrency mining requires Internet to communicate with the mining pool or the cryptocurrency network. As such, it should generate an identifiable network traffic that could signify a possible mining activity.
However, attackers can make use of secure communication channels such as SSH Tunnel or TOR network. In this case, further investigation is required to identify whether the network activity is normal or not. A server communicating with a TOR network should already be a subject for investigation.

Deploy solutions that are capable of detecting anomalies in the network. Trend Micro Deep Discovery Inspector provides 360 degrees of visibility by monitoring all network ports and over 105 different protocols.

Performance Monitoring

Mining requires computing resources – CPU or GPU. This can make the computer run slower and consume more electricity. Performance monitoring is perhaps the easiest way to identify whether a computer is being cryptojacked. If a server normally running on 50% CPU suddenly jumps to 90% or above, it is safe to assume that it’s infected with a coinminer.

However, doing this in real-time over a large network is what makes it difficult. Additional software such as Nagios maybe required.

Malicious coinminers should generally be detected and cleaned by your endpoint security. If you suspect that your computer is infected but nothing is being detected, collect suspicious files and system information and submit the logs to Trend Micro Technical Support for analysis.

Coinminers come in different forms (web, local, fileless) and arrive in different ways. They can be unknowingly installed by the user or downloaded by other malware too. Like ransomware, there is no silver-bullet in protecting against coinminers. A combination of layered security and safe practices is a must. Learn how to prevent your computer from getting infected with coinminers:

Don’t be a Coinmining Zombie – Part 2: How Do You Protect Yourself from being Cryptojacked?

Remove a Malware / Virus



若您需要協助,請聯繫對應的技術支援窗口. 聯絡我們

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.