McAfee Labs Discovers New Cryptojacking Malware ‘WebCobra’

McAfee Labs researchers have discovered a new cryptojacking malware which stealthily extracts victims’ computing power to mine the cryptocurrencies Monero (XMR) or Zcash secretly.

Originating in Russia and dubbed ‘WebCobra,’ this cryptocurrency mining malware drops and installs the Cryptonight miner or Claymore’s Zcash miner, depending on the configuration the malware finds. It is comparatively uncommon in that it drops a different miner depending on the configuration of the machine it infects.

In its blog post, McAfee stated, “On x86 systems, it injects Cryptonight miner code into a running process and launches a process monitor. On x64 systems, it checks the GPU configuration and downloads and executes Claymore’s Zcash miner from a remote server.”

Elaborating on technicalities of the WebCobra malware, McAfee said, “Most security products hook some APIs to monitor the behavior of malware. To avoid being found by this technique, WebCobra loads ntdll.dll and user32.dll as data files in memory and overwrites the first 8 bytes of those functions, which unhooks the APIs.”

While infecting an x86 system, the malware injects malicious code to svchost.exe and uses an infinite loop to check all open windows and to compare each window’s title bar text with these strings (adw, emsi, avz, farbar, glax, delfix, rogue, exe, asw_av_popup_wndclass, snxhk_border_mywnd, AvastCefWindow, AlertWindow, UnHackMe, eset, hacker, AnVir, Rogue, uVS, malware). The open windows will be terminated if any of these strings shows in the windows title bar text. This is another check by WebCobra to determine if it is running in an isolated environment designed for malware analysis.

Once the process monitor executes, it creates an instance of svchost.exe with the miner’s configuration file specified as an argument and injects the Cryptonight miner code. Finally, the malware resumes the process with the Cryptonight miner running silently and consuming almost all the CPU’s resources.

The blog post also details the process of how WebCobra attacks an x64 system.

Some of the attack techniques as listed in the post are exfiltration over command and control channel, command-line interface, hooking, data from local system, file and directory discovery, query registry, system information discovery, process discovery, system time discovery, process injection, data encrypted, data obfuscation, multilayer encryption, and file deletion.

The ‘indicators of compromise’ as exposed by McAfee are:

IP addresses: 149.249.13:2224, 149.254.170:2223, 31.92.212

Domains:, ru,

McAfee Labs researchers believe that this threat arrives via rogue PUP installers. After monitoring its effect across the globe, McAfee Labs discovered the highest number of infections in Brazil, South Africa, and the United States.

Coin mining malware is hard to identify. Once a machine is attacked, a malicious app runs silently in the background with just one sign: performance degradation. The malware increases power consumption, and eventually, the machine slows down, resulting in a massive bill as the energy it takes to mine a single bitcoin can cost from $531 to $26,170, as per a recent report.

Coin mining malware will seemingly grow as cybercriminals consider it relatively easier to implement. Mining coins on other people’s systems require less investment and risk as compared to ransomware. Also, it does not depend on a percentage of victims agreeing to send money.

Back in April, McAfee Labs had reported a significant increase in a malware variant, known as CoinMiner or CoinMiner-FOZU!. The malware takes control of a victim’s computer to mine new coins by infecting user executables, injecting Coinhive JavaScript into HTML files, and blocking the domains of security products to stop signature updates. The malware’s distinctive characteristic is that it does not put a unique marker on each file it infects. Therefore, subsequent infections by the same malware would re-infect the victim’s files.

Related Cryptocurrency News