McAfee Labs discovers Russian malware ‘WebCobra’ mining Monero and Zcash

Cezar Renta

McAfee Labs researchers have come across a dangerous new cryptojacking malware, dubbed “WebCobra”, which covertly uses victims’ computing power to mine the Monero and Zcash cryptocurrencies. This kind of malware is on the rise thanks to growing cryptocurrency prices.

According to McAfee’s report, the Russian malware WebCobra secretly installs either Claymore’s Zcash miner or the Cryptonight miner on victims’ machines, depending on their configuration.

“On x86 systems, it injects Cryptonight miner code into a running process and launches a process monitor,” (…) “On x64 systems, it checks the GPU configuration and downloads and executes Claymore’s Zcash miner from a remote server.”

Source: McAfee

Researchers from McAfee Labs say the malware does indeed originate from Russia, but they have found it in other countries around the world, with the majority of infections located in Brazil, South Africa, and the United States.

Just last week, Trend Micro discovered a sophisticated crypto-mining malware that uses various obfuscation techniques, including Windows Installer. This kind of malware can remain hidden for long periods, with the only clue being decreased computer performance and system stability issues.

McAfee says a PC that runs sluggishly for no apparent reason strongly suggests a malware infection (not necessarily of the crypto-mining type).

“Once a machine is compromised, a malicious app runs silently in the background with just one sign: performance degradation. (…) As the malware increases power consumption, the machine slows down, leaving the owner with a headache and an unwelcome bill,” McAfee Labs explained.

Source: McAfee

The chart above shows how malware infections have increased in step with Monero’s price.
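Because WebCobra injects its miner into an already-running process on x86, the process name looks legitimate and the only visible symptom is the performance degradation McAfee describes. The following added example (not McAfee's code or part of its WebCobra analysis) turns that symptom into a simple check: it flags a process that stays above its usual CPU baseline for several consecutive samples. The telemetry, process names, PIDs and baseline values are constructed for illustration.

```python
"""Heuristic detection of covert mining from per-process CPU telemetry.

Added example, not McAfee's code. The input is constructed to look like what
a poller (e.g. psutil) or a performance-counter export would produce.
The tell is not a suspicious process name (the miner is injected into a
legitimate process) but a process burning far more CPU than its baseline,
for a sustained period.
"""
from collections import defaultdict

# Constructed baseline: typical peak CPU percent per process name on this host
# (assumption; a real deployment would derive it from historical telemetry).
BASELINE_CPU = {"svchost.exe": 5.0, "explorer.exe": 10.0, "chrome.exe": 70.0}

# Constructed telemetry: (timestamp_seconds, pid, process_name, cpu_percent),
# sampled once a minute.
SAMPLES = [
    (0,   4012, "svchost.exe",  2.1), (0,   5120, "chrome.exe", 55.0),
    (60,  4012, "svchost.exe", 96.4), (60,  5120, "chrome.exe", 88.0),
    (120, 4012, "svchost.exe", 97.9), (120, 5120, "chrome.exe", 12.0),
    (180, 4012, "svchost.exe", 98.2), (180, 5120, "chrome.exe", 40.0),
    (240, 4012, "svchost.exe", 95.0), (240, 7700, "explorer.exe", 3.0),
]

def sustained_overuse(samples, baseline, min_samples=3, default_peak=80.0):
    """Return {(pid, name): longest_run} for processes that exceeded their
    baseline peak for at least min_samples consecutive samples.
    Unknown process names fall back to default_peak."""
    run = defaultdict(int)       # current streak per process
    longest = defaultdict(int)   # best streak seen per process
    for _ts, pid, name, cpu in sorted(samples):   # chronological order
        key = (pid, name)
        if cpu > baseline.get(name, default_peak):
            run[key] += 1
            longest[key] = max(longest[key], run[key])
        else:
            run[key] = 0         # a single low sample resets the streak
    return {k: v for k, v in longest.items() if v >= min_samples}

def alerts(samples=SAMPLES, baseline=BASELINE_CPU):
    """Human-readable triage lines, one per flagged process."""
    flagged = sustained_overuse(samples, baseline)
    return [f"pid {pid} ({name}) above baseline for {n} consecutive samples"
            for (pid, name), n in sorted(flagged.items())]

if __name__ == "__main__":
    for line in alerts():
        print(line)
```

A short browser spike (chrome.exe at 88% for one sample) is ignored, while svchost.exe pinned near 100% for four minutes is flagged even though its name is unremarkable.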

The Cyber Threat Alliance (CTA) says cryptojacking has climbed by 459% this year alone. The dramatic spike is attributed to the leak of EternalBlue, a software vulnerability present in the Windows operating system. The leak happened in April 2017, when an anonymous group calling itself the “Shadow Brokers” posted a cache of stolen NSA tools online. Sadly, those tools have since been used to build crypto-mining malware that has proven very difficult to stop.

Microsoft, which promptly released a patch for EternalBlue, has blamed the NSA and the U.S. government, accusing them of recklessly “stockpiling” cyber-weapons.

Brad Smith, president and chief legal officer of Microsoft, declared:

“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem, (…). Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”