Over 20,000 users in less than two months: Monero cryptominers on the rise
March 2021 by Kaspersky
At the end of January, Kaspersky experts noticed a drastic surge in the detection of fake applications that deliver a Monero cryptocurrency miner to users’ computers. The apps are distributed through malicious websites that may turn up in the victim’s search results. This appears to be a continuation of a summer campaign reported by members of the security community. Back then, cybercriminals distributed miners under the guise of an antivirus installer.
The second wave of XMRig installer attacks in 2021 impersonates several other applications, such as ad blockers AdShield and Netshield, as well as the OpenDNS service. Distributed under legitimate names, the malware impersonates Windows versions of the mobile applications. After the user starts the program, it changes the DNS settings on the device so that all domains are resolved through the attackers’ servers, which in turn prevents users from accessing certain antivirus sites, such as Malwarebytes.com. As a final payload, the package contains the infamous open-source XMRig miner.
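A defender-side check for the DNS change described above, added here as an example and not taken from the original article: it audits an inventory of per-interface resolver settings against an approved list and reports anything else. The CSV layout, host names, addresses and the approved list are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed inventory: one row per network interface, resolver list joined
# with ';' (for instance collected from Get-DnsClientServerAddress on each host).
SAMPLE_CSV = """host,interface,servers
ws-014,Ethernet,192.0.2.53;192.0.2.54
ws-022,Wi-Fi,203.0.113.77;203.0.113.78
ws-031,Ethernet,192.0.2.53;2001:db8:53::1
ws-040,Ethernet,not-an-ip
"""

# Assumption: the resolvers this organisation hands out (documentation ranges).
APPROVED = [ipaddress.ip_network(n)
            for n in ("192.0.2.53/32", "192.0.2.54/32", "2001:db8:53::/64")]


def audit_resolvers(csv_text, approved=APPROVED):
    """Return (host, interface, value, reason) for every resolver entry that
    is not an approved address, including entries that are not valid IPs."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for raw in (s.strip() for s in row["servers"].split(";")):
            if not raw:
                continue  # interface with no resolver configured
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                findings.append((row["host"], row["interface"], raw, "unparseable"))
                continue
            # Membership is False across IP versions, so v4 and v6 can be mixed.
            if not any(addr in net for net in approved):
                findings.append((row["host"], row["interface"], raw,
                                 "unapproved resolver"))
    return findings


if __name__ == "__main__":
    for host, iface, value, reason in audit_resolvers(SAMPLE_CSV):
        print(f"{host} [{iface}] {value}: {reason}")
```

A host flagged here is worth checking for recently installed software, since a resolver change that nobody in IT made is the visible side effect of the installer described above.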
According to data from Kaspersky Security Network, at the time of preparing this article at the beginning of February 2021, there had been attempts to install fake apps on the devices of 21,141 users.
Number of users attacked, August 2020 – February 2021
At the peak of the campaign, more than 2,500 users per day were attacked, with most of the victims located in Russia and CIS countries.
Kaspersky’s security solutions detect the above-described threats with the following verdicts: