AcruxMiner

By GoldSparrow in Trojans

The AcruxMiner software is a digital coin miner that has been associated with malware activity since May 2018. The AcruxMiner program has been promoted on Russian forums such as h[tt]ps://bhf[.]io, which primarily offer access to Remote Access Trojans, brute-force tools and stolen Web user credentials. The first advertisement for AcruxMiner was noticed at h[tt]ps://bhf[.]io/threads/484895/. AcruxMiner is developed as a Botnet Trojan specialized in mining Monero (XMR) digital coins and can be deployed to compromised servers as well as desktops. The creators of AcruxMiner offer access to a Bot Builder hosted on the TOR Network once a subscription has been bought via the Telegram messaging service. AcruxMiner is run as a Miner-as-a-Service (MaaS) platform that benefits from multiple distributors who infect devices and expand the AcruxMiner Botnet.

The first subscription tier for the AcruxMiner Botnet gives threat actors manuals, customized technical support and personal configuration of AcruxMiner. The basic version is promoted as mining Monero (verifying XMR transactions) using the available video cards (GPU) and central processor (CPU). The first tier is priced at $50; prices for the second tier, dubbed "Premium", are negotiable depending on the buyer's needs. The Premium tier enables threat actors to use a custom mining algorithm, set up multi-factor auto-load and enable system persistence. AcruxMiner comes with an encrypted wallet and the ability to auto-infect USB sticks attached to already compromised computers. It is known to include a rootkit and to recover its files if affected users attempt to remove it.

The AcruxMiner Botnet is written in ASM/C/C++ and has no dependencies. It can read the content of the system clipboard and map connected computers. Malware researchers have reported that AcruxMiner is likely the work of Russian-speaking actors, given the promotional campaign and its connections exclusively to Russian IP addresses. AV companies are tracking the development of AcruxMiner and warn that the following IP addresses are used to send commands to the AcruxMiner Botnet:

62.109.28.97
81.177.135.133
81.177.141.211
82.146.60.216

Domains hosting the AcruxMiner:

h[tt]p://antongas-fx[.]ru
h[tt]p://bill.gopetrom[.]com
h[tt]p://bticoin[.]su
h[tt]p://reveszn[.]ru

The AcruxMiner Botnet mines Monero by connecting to the following mining pool: h[tt]p://xmr.pool[.]minergate.com:45700. Computers affected by AcruxMiner are likely to perform poorly: random process names may appear in the Task Manager, CPU load increases, and software may crash for lack of RAM. The AcruxMiner Botnet may be distributed via spam emails, fake browser updates, pirated games, brute-force attacks and malvertising. It is recommended to remove the AcruxMiner Botnet Trojan using a trusted anti-malware service. Detection names for the AcruxMiner Botnet include:
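As an added defender-side example (not part of the original write-up), the following Python script scans connection-log lines for the command IP addresses and the Monero pool named above. The log format, the constructed sample lines, the documentation-range destination addresses and the pool's resolved IP are assumptions made for illustration.

```python
import re
from typing import List, Optional

# Indicators taken from the write-up, re-fanged for matching.
ACRUX_C2_IPS = {"62.109.28.97", "81.177.135.133", "81.177.141.211", "82.146.60.216"}
ACRUX_POOL_HOST = "xmr.pool.minergate.com"
ACRUX_POOL_PORT = 45700

# Hypothetical connection-log shape: "<ts> <src> -> <dst>:<port> [host=<dns-or-sni-name>]".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)(?:\s+host=(?P<host>\S+))?\s*$"
)


def classify_connection(line: str) -> Optional[str]:
    """Return a verdict for one log line, or None when nothing matches.

    'c2'        - destination is one of the published command IPs
    'pool'      - destination name is the Monero pool named in the write-up
    'pool-port' - only the pool port matches; weak signal that needs follow-up
    """
    m = LOG_RE.match(line)
    if not m:
        return None  # not a connection record in the expected shape
    dst, port = m.group("dst"), int(m.group("port"))
    host = (m.group("host") or "").lower().rstrip(".")
    if dst in ACRUX_C2_IPS:
        return "c2"
    if host == ACRUX_POOL_HOST:
        return "pool"
    if port == ACRUX_POOL_PORT:
        return "pool-port"
    return None


def scan_log(lines: List[str]) -> List[dict]:
    """Collect every flagged line with its internal source address for triage."""
    hits = []
    for line in lines:
        verdict = classify_connection(line)
        if verdict:
            src = LOG_RE.match(line).group("src")  # classify() already proved it matches
            hits.append({"src": src, "verdict": verdict, "line": line})
    return hits


# Constructed sample log: destinations other than the listed C2 IPs use documentation
# ranges (RFC 5737) and do not correspond to real infrastructure.
SAMPLE_LOG = [
    "2018-06-01T10:00:01Z 10.0.0.5 -> 62.109.28.97:443",
    "2018-06-01T10:00:02Z 10.0.0.5 -> 192.0.2.10:443 host=example.com",
    "2018-06-01T10:00:03Z 10.0.0.7 -> 198.51.100.20:45700 host=xmr.pool.minergate.com",
    "2018-06-01T10:00:04Z 10.0.0.9 -> 203.0.113.8:45700",
    "garbage line that is not a connection record",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['verdict']:9} {hit['src']}  {hit['line']}")
```

A 'pool-port' hit alone only says that a host spoke to port 45700; confirm it with DNS or TLS SNI data before treating it as an infection.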

