Representative image 
Key Highlights
- The ransomware Trojan-Ransom.Win32.Crusis started on the same machine, followed by the loader of the XMRig miner
- A closer inspection found that in August 2020 alone there were more than 5,000 attempts to install XMRig on users’ computers
Security researchers at Kaspersky have discovered a common Trojan (known by the company’s solutions as Trojan.Win32.Generic) which was making curious attempts to infect users’ machines and it was run to open remote desktop protocol (RDP) on the victims’ computers. The ransomware Trojan-Ransom.Win32.Crusis started on the same machine, followed by the loader of the XMRig miner, which then set about mining Monero cryptocurrency. As a result, the computer would already start earning money for the cybercriminals at the same time the user saw the ransom note, the security researchers noted.
A closer inspection found that in August 2020 alone there were more than 5,000 attempts to install XMRig on users’ computers, so researchers decided to investigate and examine how the miner was being distributed. As a result, experts have found two parties responsible for its distribution.
“While well-known groups make money from data theft and ransomware (for example, Maze, which is suspected of the recent attacks on SK Hynix and LG Electronics), many malicious users still want to have a high-profile impact through their cybercrime. These users are often beginners and tend to use publicly available ransomware, targeting ordinary users instead of the corporate sector. As a result, intriguing experiments can be found in the wild,” Anton Kuzmenko, Security Expert at Kaspersky, said in a statement.
The first Trojan turned out to be the Prometei malware family (which has been known since 2016, but spotted together with XMRig for the first time in February 2020), while the second was from a new family called Cliptomaner. The latter, detected in September 2020, is very similar to the others.
Like them, it not only mines cryptocurrency but can also substitute cryptowallet addresses in the clipboard.