# PSA: XMRig Cuda miner... not caught by Win Defender.



## Vayra86 (Sep 1, 2020)

There used to be a CPU version of this BTC miner.

I just caught one using CUDA on my rig, pushing GPU usage to 100% at boost clock and using over 3GB VRAM. I was wondering why the PC had been making noise at idle for a few days and started looking manually.

Found a set of files nested in an application that's been on the PC for over a year. For analysis: the application will hide and stop itself immediately when you come out of idle, and activate itself after about 2-3 minutes of idle time. Therefore quickly opening Task Manager to see what's happening is not going to work for you. I tracked it down with timestamps and MSI Afterburner OSD monitoring.






The highlighted dll will come up with all sorts of goodness if you search it.
Sent a report to MS as well.

Take note of the fact these files have likely been 'dormant' for over a month, as well.


----------
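The miner described above only runs after a couple of minutes of idle time and backs off as soon as the user touches the machine, so looking at Task Manager never shows it. The following PowerShell watcher is an added example, not code from this thread or from any project named in it: it polls the user idle time (via the Win32 GetLastInputInfo API) and the per-process "GPU Engine" performance counters that Windows 10 exposes, and appends a CSV row for every process that is using significant GPU time, tagged with whether the user was idle or active at that moment. Over a day you get the same picture the poster reconstructed from Afterburner timestamps: a process that is busy only in the "idle" rows. The counter name, the 2 minute idle threshold, the 30% usage threshold and the log path are assumptions chosen for this example; run it elevated so the Path column is filled in for processes owned by other accounts.

```powershell
# Added example (not from the thread): log per-process GPU utilization
# together with user idle time, so idle-only activity shows up in the CSV.

Add-Type @"
using System;
using System.Runtime.InteropServices;
public static class IdleTime {
    [StructLayout(LayoutKind.Sequential)]
    struct LASTINPUTINFO { public uint cbSize; public uint dwTime; }
    [DllImport("user32.dll")] static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);
    // Milliseconds since the last keyboard/mouse input on this session.
    public static TimeSpan Get() {
        LASTINPUTINFO lii = new LASTINPUTINFO();
        lii.cbSize = (uint)Marshal.SizeOf(lii);
        GetLastInputInfo(ref lii);
        return TimeSpan.FromMilliseconds(Environment.TickCount - (int)lii.dwTime);
    }
}
"@

function Get-GpuUsageByProcess {
    # "GPU Engine" counters exist on Windows 10 1709 and later; each instance
    # name starts with pid_<PID>_ so utilization can be summed per process.
    # The sum over all engines of one PID can exceed 100, like Task Manager.
    $samples = (Get-Counter '\GPU Engine(*)\Utilization Percentage' -ErrorAction Stop).CounterSamples
    $byPid = @{}
    foreach ($s in $samples) {
        if ($s.InstanceName -match '^pid_(\d+)_') {
            $procId = [int]$Matches[1]
            $byPid[$procId] = [double]$byPid[$procId] + $s.CookedValue
        }
    }
    return $byPid
}

function Watch-IdleGpu {
    param(
        [string]$LogPath = "$env:USERPROFILE\idle-gpu-watch.csv",   # assumption
        [timespan]$IdleThreshold = [timespan]::FromMinutes(2),      # assumption, matches the 2-3 min the poster saw
        [double]$UsageThreshold = 30.0,                             # assumption: ignore light GPU use
        [int]$IntervalSeconds = 10
    )
    while ($true) {
        $idle  = [IdleTime]::Get()
        $state = if ($idle -ge $IdleThreshold) { 'idle' } else { 'active' }
        foreach ($entry in (Get-GpuUsageByProcess).GetEnumerator()) {
            if ($entry.Value -lt $UsageThreshold) { continue }
            $proc = Get-Process -Id $entry.Key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Time        = Get-Date -Format o
                State       = $state
                IdleSeconds = [int]$idle.TotalSeconds
                PID         = $entry.Key
                Name        = if ($proc) { $proc.ProcessName } else { '?' }
                Path        = if ($proc) { $proc.Path } else { '?' }
                GpuPercent  = [math]::Round($entry.Value, 1)
            } | Export-Csv -Path $LogPath -Append -NoTypeInformation
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Start watching; leave it running across the idle periods you want to observe.
Watch-IdleGpu
```

Afterwards, `Import-Csv` the log and group by Name and State: a legitimate game or render job appears in both states, while a miner with the described behaviour appears only with State equal to idle and with IdleSeconds rising from the threshold onward. The Path column is what you carry into the next step, since the miner binary itself may be a renamed copy of open-source code and the thing to remove is whatever launches it.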



## DRDNA (Sep 2, 2020)

Good catch @Vayra86, I'm pretty certain Malwarebytes would have caught it during a periodical scan, no?


----------



## Vya Domus (Sep 2, 2020)

Nefarius software? More like, Nefarious software.

Sorry ...


----------



## TheoneandonlyMrK (Sep 2, 2020)

Vayra86 said:


> There used to be a CPU version of this BTC miner.
> 
> I just caught one using CUDA on my rig, pushing GPU usage to 100% at boost clock and using over 3GB VRAM. Was wondering why PC made noise in idle since a few days and started looking manually.
> 
> ...


That gets installed via rocat swarm software. I've seen it; it's a GitHub repo, I remember checking it. It wasn't mining on my PC at the time, but I did notice something recently that I'll now check up on, cheers.


----------



## Vayra86 (Sep 2, 2020)

DRDNA said:


> Good catch @Vayra86, I'm pretty certain Malwarebytes would have caught it during a periodical scan, no?



Yes. Malwarebytes would have caught it. I actually installed that and ran it manually after tactically nuking the dll itself and it found registry entries and leftovers.

Here is the log. Some info removed.



Vya Domus said:


> Nefarius software? More like, Nefarious software.
> 
> Sorry ...



Yeah, it's a funny coincidence, but let's be clear: ScpToolKit or its dev is not involved in this at all. In the log you can also see some files in a Google Update folder, for example.


----------



## micropage7 (Sep 2, 2020)

Nice find; personally I consider Malwarebytes a must-have app.


----------



## Caring1 (Sep 3, 2020)

The bigger concern is how it attached itself to an existing application that has been on the system for roughly a year, yet the miner is only 1.5 months old.
Something in that Toolkit allows entry and has been exploited.


----------



## R-T-B (Sep 3, 2020)

Vya Domus said:


> Nefarius software? More like, Nefarious software.
> 
> Sorry ...



He's a legit dev (Nefarius Software is his company). He makes ScpToolkit, which is a PS3 controller must-have or something. I know him from my work with vJoy.

I wonder what in the world that's doing in there...

Also, the problem with reporting these to Windows Defender is that some people WANT to run these mining apps, and they do have a legit use case. Hence, Windows Defender tends to whitelist them when their devs complain along that line of thought. The issue isn't that dll. It's the malware bundling the miner. You need to find what included that before you can have a successful report, as the miner is most likely legit open-source software.


----------
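Two posts above make the same point from different directions: Caring1 notes that the miner files are only about 1.5 months old inside an application installed a year ago, and R-T-B notes that a useful report needs whatever bundled and launches the miner, not the open-source miner binary itself. The following PowerShell function is an added example, not code from this thread or from any project named in it. Given the path of a suspicious file, it searches the usual launch points (scheduled task actions, the machine and user Run/RunOnce keys, and service binary paths) for references to that file name, and then lists sibling files whose creation time falls within a window of the suspect's, which is how a dropper's other files and its timestamps line up. The 24 hour window is an assumption chosen for this example; run it elevated so all tasks and services are visible.

```powershell
# Added example (not from the thread): find what launches a suspicious file,
# and which neighbouring files were created at the same time.

function Find-LaunchReferences {
    param(
        [Parameter(Mandatory)][string]$SuspectPath,
        [double]$WindowHours = 24   # assumption: siblings created within +/- 24 h
    )
    $suspect = Get-Item -LiteralPath $SuspectPath
    # Match on the file name only, so rundll32 / regsvr32 style launches are found too.
    $pattern = [regex]::Escape($suspect.Name)
    $hits = @()

    # 1. Scheduled tasks whose action references the file name.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($a in $_.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $pattern) {
                $hits += [pscustomobject]@{ Source = 'ScheduledTask'; Name = "$($_.TaskPath)$($_.TaskName)"; Detail = $cmd }
            }
        }
    }

    # 2. Run / RunOnce keys for the machine and the current user.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath etc.
            if ("$($p.Value)" -match $pattern) {
                $hits += [pscustomobject]@{ Source = 'RunKey'; Name = "$k\$($p.Name)"; Detail = $p.Value }
            }
        }
    }

    # 3. Services whose binary path references the file name.
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $pattern } | ForEach-Object {
        $hits += [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Detail = $_.PathName }
    }

    # 4. Files in the same tree created close to the suspect's own creation time.
    $siblings = Get-ChildItem -LiteralPath $suspect.DirectoryName -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { [math]::Abs(($_.CreationTime - $suspect.CreationTime).TotalHours) -le $WindowHours } |
        Select-Object FullName, CreationTime, LastWriteTime, Length

    [pscustomobject]@{
        Suspect      = $suspect.FullName
        Created      = $suspect.CreationTime
        LaunchPoints = $hits
        Siblings     = $siblings
    }
}

# Usage (replace the placeholder with the path of the file you found):
# $r = Find-LaunchReferences -SuspectPath 'C:\PLACEHOLDER\suspect.dll'
# $r.LaunchPoints | Format-Table -AutoSize
# $r.Siblings     | Sort-Object CreationTime | Format-Table -AutoSize
```

A launch point that references the file is the thing to include in a report alongside the miner, and the sibling list usually contains the dropper or loader that was added on the same day, which answers Caring1's question about how a 1.5 month old miner ended up inside a year-old install.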

