A family of Monero miners has been found spreading through cloud storage providers such as OneDrive, Google Drive and Dropbox. It also mutates, changing its own body in an attempt to evade detection, and it can spread via removable drives as well. The volume of unique samples is relatively large: more than 160,000 unique samples were submitted to VirusTotal over a period of 90 days.
This malware’s main objective is to mine Monero; it embeds a version of the XMRig miner in its body. An infected system will be noticeably slow, as the cryptominer consumes most of the CPU. It spreads through public cloud storage by dropping several copies of itself into “Public” folders. Before dropping itself, it checks whether the following folders exist:
When the above folders exist, it drops a copy of itself under the following filenames:
Each time this malware is executed, it also looks for executable files in the “Program Files” folder and replaces them with a mutated copy of itself. Whatever application was replaced will now run GoMiner instead.
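The two spreading behaviours above (copies dropped into cloud-sync “Public” folders, and Program Files executables overwritten with mutated copies) suggest a behavioural hunt rather than a hash blocklist, since every dropped copy has a fresh hash. The following Python is an added example, not code from the original article or the malware analysis; it assumes an endpoint inventory that reports path, SHA-256 and whether the Authenticode signature verified, and it matches on the sync-client folder names for the providers named above plus a “Public” component, because the exact directories and filenames the miner checks are not reproduced on this page. All paths and hashes in the sample inventory are constructed.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif"}
# Sync-client folder names for the providers named in the article. The exact
# directories the miner probes before dropping are not reproduced on the page,
# so matching on these names plus a "Public" component is an assumption.
CLOUD_SYNC_FOLDERS = {"onedrive", "google drive", "dropbox"}
PROGRAM_FILES_FOLDERS = {"program files", "program files (x86)"}


@dataclass(frozen=True)
class FileRecord:
    path: str      # full Windows path from the endpoint inventory
    sha256: str    # hash of the file as it is on disk now
    signed: bool   # Authenticode verified; assumed to be collected by the inventory tool


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _parts(path: str) -> list[str]:
    return [p.lower() for p in PureWindowsPath(path).parts]


def is_cloud_public_executable(path: str) -> bool:
    """True for an executable under a Public folder of a cloud-sync directory."""
    if PureWindowsPath(path).suffix.lower() not in EXECUTABLE_SUFFIXES:
        return False
    parts = _parts(path)
    return "public" in parts and any(f in parts for f in CLOUD_SYNC_FOLDERS)


def replaced_program_files_binaries(
    baseline: dict[str, str], current: list[FileRecord]
) -> list[tuple[str, str]]:
    """Program Files executables that differ from the known-good baseline.

    Because every dropped copy is mutated, a hash blocklist will not catch it;
    instead compare each binary to the hash recorded before the incident and
    treat a changed hash or a no-longer-verifiable signature as a replacement.
    These are triage signals, not verdicts: unsigned vendor binaries exist.
    """
    findings = []
    for rec in current:
        parts = _parts(rec.path)
        if not PROGRAM_FILES_FOLDERS & set(parts):
            continue
        if PureWindowsPath(rec.path).suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        expected = baseline.get(rec.path.lower())
        if expected is None:
            findings.append((rec.path, "executable not present in baseline"))
        elif expected != rec.sha256:
            findings.append((rec.path, "hash differs from baseline"))
        elif not rec.signed:
            findings.append((rec.path, "signature no longer verifies"))
    return findings


def hunt(baseline: dict[str, str], current: list[FileRecord]) -> dict[str, list]:
    """Combine both behavioural checks into one triage report."""
    return {
        "cloud_public_drops": [r.path for r in current if is_cloud_public_executable(r.path)],
        "replaced_program_files": replaced_program_files_binaries(baseline, current),
    }


# Constructed inventory (not real samples): one untouched vendor binary, one
# that has been overwritten, and a copy dropped into a sync client's Public folder.
ORIGINAL_VIEWER = sha256_hex(b"constructed: original vendor viewer.exe")
ORIGINAL_UPDATER = sha256_hex(b"constructed: original vendor updater.exe")
MUTATED_COPY = sha256_hex(b"constructed: mutated miner copy #1")

BASELINE = {
    r"c:\program files\acme\viewer.exe": ORIGINAL_VIEWER,
    r"c:\program files (x86)\acme\updater.exe": ORIGINAL_UPDATER,
}

CURRENT = [
    FileRecord(r"C:\Program Files\Acme\viewer.exe", MUTATED_COPY, signed=False),
    FileRecord(r"C:\Program Files (x86)\Acme\updater.exe", ORIGINAL_UPDATER, signed=True),
    FileRecord(r"C:\Users\alice\OneDrive\Public\report.exe",
               sha256_hex(b"constructed: mutated miner copy #2"), signed=False),
    FileRecord(r"C:\Users\alice\Dropbox\Public\notes.txt",
               sha256_hex(b"constructed: plain text"), signed=False),
]

if __name__ == "__main__":
    for key, hits in hunt(BASELINE, CURRENT).items():
        print(key, hits)
```

The baseline is the important part: it has to come from a golden inventory taken before the incident (or from the vendor’s installer), because a snapshot taken after infection would bless the mutated copies. Sustained high CPU from a process living under Program Files that no longer carries a valid signature is the host-side corroboration to look for next.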