SlashNext Labs SlashNext Labs

Why Demand Ransom When You Can Crypto Mine?

January 29th 2018

Why Demand Ransom When You Can Crypto Mine?

Since the onset of malware, the ability to make money by attacking companies has become a lucrative business. As attacks became more and more prevalent, enterprises invested more in protecting themselves. They hired and trained threat researchers, and as more sophisticated tools were developed they were quickly adopted to protect the enterprise.

Like any other lifecycle, as new countermeasures became available, the attackers became more sophisticated and created new measures of attack. Again, followed by successful counter measures. Private (Enterprise) and Public (Law Enforcement) cyber security teams are more adept at handling today’s most advanced threats including ransomware, credential stealing, and ever popular trojans.

The attackers soon needed a means to hide as forensic teams have become better at tracking down and capturing/arresting attackers. Hence, the advent of the Dark Web, portions of the Internet that are not searchable or accessible by standard means and require special software to gain access, quickly spawned hidden Darknet Marketplaces with the ability to buy and sell access to compromised systems, identities and credentials and more. The cycle continues, and while it is still lucrative to run malicious campaigns, gather credentials, and access personally identifiable information, it was riskier than it was in the past especially for Ransomware. The attackers again adapted, and they decided to take advantage of intangible digital currency such as bitcoin, because bitcoin transactions can’t be traced and leave no trail.

So, what is this intangible digital currency? Well, Bitcoin is a cryptocurrency and worldwide payment system. It is the first decentralized digital currency, as the system works without a central bank or single administrator. The network is peer-to-peer and transactions take place between users directly, without an intermediary. These transactions are verified by volunteer network nodes through the use of cryptography and recorded in a public distributed ledger called a blockchain. The cryptography involved is extremely CPU intensive, and the volunteer network nodes may receive a fee or are randomly awarded a bounty for completing transactions. There are over a dozen different crypto currencies currently tracked on

Rise of Crypto Currency Miners

As crypto currency prices are rising, people are moving towards CPU mining to utilize their system resources to gain profit. Malware authors are actively taking advantage of these opportunities. After storms of ransomware, now the Internet is flooding with crypto currency miners, which utilize victim’s system resources without their permission. Hashes are generated and submitted for the attacker’s crypto currency account on pool websites. This may sound scary, but our Slashnext IAPS is steps ahead of the attackers, and through our unique approach we can successfully identify and protect our customers against malware and malware free attacks. Before any device in the network is infected, avoiding patient zero, our solution is ready to block an attack.

How It Works

“” is famous for Monero mining and being used in many recent malwares. The following chart explains increasing hash rate for Monero (XMR) currency (currently ranked 2nd). A victim’s desktop computer or laptop having processor with 2 cores and 2 threads per core can produce 65 hashes per second and in turn generate 0.40 USD for attacker in one single day.

Recently we came across a new type of crypto miner in which famous Trojan downloader Quant Loader, downloaded from malicious web sites redirected from malicious advertisement campaign, drops Monero (XMR) crypto currency miner in the victim’s machine.

The Infection Process

  1. The Quant Loader executable is downloaded from malicious website, and this could be completed via a call back from existing malware through C2 communications.
  2. Once executed, it downloads another executable from ngay1617[.]ru

  3. It copies itself into %AppData%/Roaming/44238495/csrss.exe

  4. It copies a second executable into %AppData%/Roaming/xerography.exe which is responsible for persistence of Monero miner module.

  5. The Monero miner module is copied into %AppData%/Local/Temp/152921.exe
  6. The Miner module injects malicious code in “notepad.exe”, a Windows legitimate program and submits generated hashes with following command line arguments.

    “C:\Windows\notepad.exe” -o
    4444 -u49hxvmH6yFCQVsJGdpR1t2AVDxNjMsJYAWL9
    -p x -v 0 -t 2

  7. It adds firewall rules for the existing Quant-Loader’s executable.

  8. This crypto miner utilizes 100% CPU resources and submits generated hashes to on port 4444.

Complete Process Tree:

Network Communication:

Generated hashes are submitted in JSON format.

How to check if your system is infected?

If you notice that your system is working slower than you expect, open Windows Task Manager and see if “notepad.exe” process is utilizing 100% CPU despite the fact that you are not using Notepad, if it is then your system is infected from Ngay’s Monero miner.



  • 7f55ffb0790a62ae0eb993bd241dd5234f67d1da0f5cf4c591f719b0f299631e
  • 527a757c937ad6a7a8b3f2f4fec261db3af4c10657414450085079bdd2a69715


  • Xerography.exe
  • Csrss.exe
  • Musca.dll
  • amuser.dll

Network Traces:

  • Ngay1617[.]ru
  • 37[.]59[.]54[.]205
  • 94[.]130[.]164[.]60