Amazon S3 Bucket hosted Cryptocurrency miners

by Julie Splinters

Cryptocurrency values remain high, and the Bitcoin price has soared over $4,000[1]. Meanwhile, hackers are responding in kind by developing and employing techniques to spread cryptocurrency miners to infected computers.

Cryptocurrency miners

Analysts from Netskope reported the latest incident, which stems from an outbreak of drive-by downloads that aim to infect computers with a coin-mining virus called Zminer.

A security specialist at Netskope, Ashwin Vamshi, explains how Zminer works: the exploit kit from which the virus lands is connected to an Amazon S3 storage bucket.[2] Zminer aims to grab a couple of payloads: the first is Claymore CryptoNote CPU Miner, a mining service exploited to produce Monero (an open-source cryptocurrency)[3]; the other is Manager.exe, which commands the mining and contains instructions for the Windows Task Manager.

According to A. Vamshi, when a victim’s device gets infected by an exploit kit, the compromised computer is driven through those drive-by-download portals. Unfortunately, there is not enough evidence to identify the specific sites, or range of sites, that can lead to Zminer.

There is a twist, however: just after launching on the compromised machine, Zminer adds a few keys to the system registry, thus disabling Windows Defender. The security specialist also notes that he has never seen any variants of this virus attempting to harm other antimalware or host-based intrusion prevention software.

In addition, A. Vamshi added:

“On a network side, given that the communication to download the payload is over HTTPS and the interaction with a managed cloud application Amazon AWS, if network-IPS does not have the capability to inspect encrypted channels and understand activity-level transactions of Amazon AWS, they would fail to protect enterprise customers”.

Recently, FireEye announced that hackers are using the Neptune exploit kit to distribute miners through malvertising. According to the report, the exploit kit has been redirecting victims with popups from fake hiking advertisements to the kit's landing sites, which lead to HTML and Adobe Flash exploits. Additionally, sites that convert YouTube videos into MP3 files are also involved in these attacks.

Netskope also provided information about two different attacks, which have mined 101 Monero (about $8,300) and 44 Zcash (about $10,100) so far. Zminer malware mines Monero on 32-bit systems, while Zcash is mined on 64-bit systems.

Cryptocurrency mining requires a great deal of computing power, and the miner directly affects CPU load. This can slow down machines and workstations. So far, Zminer has only been observed disabling Windows Defender, with no other attempts to hide its CPU usage from detection. Thus, if you notice that your CPU usage is higher than normal, your computer might be infected by coin-mining malware.
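
The two host-side signals described above, Windows Defender switched off through the registry and sustained high CPU use, can be checked together. The PowerShell below is an added example, not code from Netskope or from this article; the registry value names are the standard Windows Defender policy values (the article does not name the keys Zminer writes), and the 5-second window and 50% threshold are assumed.

```powershell
# Added triage example; not from the article or Netskope.
# Assumption: the article does not name the keys Zminer writes, so this checks
# the standard Windows Defender policy values that switch protection off.
$policyChecks = @(
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
       Names = @('DisableAntiSpyware') },
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
       Names = @('DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
                 'DisableOnAccessProtection', 'DisableScanOnRealtimeEnable') }
)
$disabled = @(foreach ($check in $policyChecks) {
    # A missing key is the healthy default, so skip it quietly.
    $key = Get-ItemProperty -Path $check.Path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $check.Names) {
        $prop = $key.PSObject.Properties[$name]
        if ($prop -and $prop.Value -eq 1) {
            [pscustomobject]@{ Key = $check.Path; Value = $name; Data = $prop.Value }
        }
    }
})

# Cross-check the live state when the Defender cmdlets are present.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled
}

# Sample per-process CPU time twice; the window and threshold are assumed values.
$sampleSeconds = 5
$cpuThreshold  = 50   # percent of total CPU capacity
$cores  = [Environment]::ProcessorCount
$before = @{}
Get-Process | ForEach-Object { $before[$_.Id] = $_.CPU }
Start-Sleep -Seconds $sampleSeconds
$busy = @(Get-Process | ForEach-Object {
    # CPU is $null for processes the current user cannot query.
    if ($null -ne $_.CPU -and $null -ne $before[$_.Id]) {
        $pct = ($_.CPU - $before[$_.Id]) / ($sampleSeconds * $cores) * 100
        if ($pct -ge $cpuThreshold) {
            [pscustomobject]@{ Name = $_.ProcessName; Id = $_.Id
                               CpuPercent = [math]::Round($pct, 1); Path = $_.Path }
        }
    }
})

"Defender policy values set to 1: $($disabled.Count)"
$disabled | Format-Table -AutoSize
"Processes at or above $cpuThreshold% CPU over $sampleSeconds s: $($busy.Count)"
$busy | Sort-Object CpuPercent -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so that processes owned by other accounts report their CPU time and image path.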

The hackers evaluated Amazon S3 URLs and possibly picked them because Amazon S3 URLs can deliver payloads easily and come from a trusted source, which makes it easier to attract victims.

Netskope says that it contacted Amazon about the S3 URLs hosting the Zminer malware payloads but has still not received a response.

Cryptocurrency mining is still a very profitable activity for cybercriminals. The global market cap of these virtual currencies has reached $153 billion and is constantly increasing.

Mining is a common and popular activity that can generate real money, and basically anyone with access to the Internet and quality hardware can participate in cryptocurrency mining.

Regarding the growing trend of rapidly increasing crypto-mining malware, the security specialist A. Vamshi notes that

“we can only speculate that there are enough threat actors with a primary focus of generating money treading along this new path may be due to the fact that there is not a lot of money they are able to generate via ransomware.”

About the author

Julie Splinters - VPN service analyst

Julie Splinters is a VPN service analyst at, who specializes in VPN services and anti-spyware applications. Her major of English Philology and her passion for IT helped her choose the path of an IT writer.
