Crypto miners were the most detected malware family in H1 2021

William S. | September 21, 2021

Cryptojacking is the unauthorized use of someone else's device to mine cryptocurrency. It typically happens when a victim unknowingly installs cryptocurrency miner malware through a phishing link, malicious website, or software download, enabling the criminals to access the victim's device.

According to the data presented by the Atlas VPN team, cryptocurrency miners were the most common malware family, with 74,490 such threats detected in the first half of 2021.

Crypto-mining malware is not easily discoverable on victims' devices, making it a continuously profit-generating cyberattack. The anonymity of cryptocurrencies is very convenient for threat actors, as they can benefit from their victims without being caught.

The data is based on Trend Micro Attacks from All Angles: 2021 Midyear Cybersecurity Report. The research examines dangerous vulnerabilities across different devices and operating systems, including the threats targeting these flaws.

In addition to cryptocurrency miners, WannaCry ransomware threats were seen 61,068 times in the first half of 2021. WannaCry is a ransomware cryptoworm, which targets devices running the Windows operating system and spreads across networks. It was responsible for a worldwide cyberattack in 2017, which affected about 200,000 computers across 150 countries.

What is more, malware detection infrastructure identified 39,612 webshell threats in H1 2021. A webshell attack happens when a malicious user successfully exploits web servers and enables remote access to the affected machines. An attacker could essentially do anything on the victim's computer once they have access.

Security infrastructure also detected 39,095 Downad adware threats and 35,276 Nemucod trojan threats. Other commonly found malware families in H1 2021 include Dloader (32,397), Sality (28,310), Equated (24,564), Powload (22,921), and Virux (22,865).

Most active types of crypto miners

Cybercriminals seek to infect as many computers as possible to increase their profits. Different types of crypto miners help hackers turn computers into robots with one task only — generating more cryptocurrency.

The most active cryptocurrency miner in the first half of 2021 was MalXMR, with 44,587 detections. MalXMR is a crypto-mining malware that exploited EternalBlue for propagation and abused Windows Management Instrumentation (WMI). During the infection, high CPU utilization can be noticed with powershell.exe or schtasks.exe.

Coinminer came up second with a total of 8,533 detections in H1 2021. Coinminer can usually be found on Android phones in fake versions of popular apps from third-party sources. Some crypto miners were even found on Google Play Store apps. The infected device may overheat, charge slowly or show other signs of heavy resource processing.

Next up, ToolXMR crypto miner was identified 6,419 times in the first half of 2021. ToolXMR mines Monero cryptocurrency and is usually dropped by other malware from remote sites. Like MalXMR, it uses the system's CPU and GPU resources to mine cryptocurrency, making the computer run painfully slow.

Lastly, CoinMine and MalBTC round out the top 5 most detected cryptocurrency miners list with 4,082 and 2,328 identifications, respectively.

Cryptocurrency mining malware has allowed cybercriminals to earn profit with more efficiency and less effort. Unfortunately, attack victims are often left with higher electricity bills and slower device performance, the latter of which can make them more susceptible to information theft, hijacking, and other subsequent cyberattacks.