Xbooster is a cryptocurrency-mining malware campaign discovered by Netskope that uses the popular XMRig Monero Miner to carry out its mining process. The malware spreads via drive-by download, in which a password-protected zip file containing two executable files, xmrig.exe and manager.exe, is downloaded. Once unzipped, the xmrig.exe file begins using the infected system's resources for the mining process. While the mining process is running, Manager.exe connects to a C2 server within AWS and downloads the DBupdater.exe file, which is used to exfiltrate the infected system's details.
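
The chain described above can be triaged from endpoint telemetry by correlating the three file names in order instead of alerting on any one of them. The following is an added example, not code from Netskope's report; the event schema, host names and paths are constructed, and it assumes both executables run from the directory the zip was extracted to.

```python
from collections import defaultdict
from ntpath import dirname, basename

# File names taken from the description above; they are easy to rename,
# so the rule scores the combination and order, not any single name.
MINER, MANAGER, STAGE2 = "xmrig.exe", "manager.exe", "dbupdater.exe"

# Constructed sample events (hypothetical schema): host, time, type, image, target.
EVENTS = [
    {"host": "ws-01", "t": 100, "type": "proc", "image": r"C:\Users\a\Downloads\pkg\xmrig.exe"},
    {"host": "ws-01", "t": 101, "type": "proc", "image": r"C:\Users\a\Downloads\pkg\Manager.exe"},
    {"host": "ws-01", "t": 160, "type": "file", "image": r"C:\Users\a\Downloads\pkg\Manager.exe",
     "target": r"C:\Users\a\AppData\Local\Temp\DBupdater.exe"},
    {"host": "ws-02", "t": 200, "type": "proc", "image": r"C:\Tools\xmrig.exe"},  # miner alone
    {"host": "ws-03", "t": 300, "type": "proc", "image": r"C:\Program Files\App\manager.exe"},
]

def name(path):
    """Lower-cased file name of a Windows path (Windows names are case-insensitive)."""
    return basename(path).lower()

def triage(events):
    """Return {host: stage}: 'miner-only', 'dropper-pair' or 'stage2-downloaded'."""
    seen = defaultdict(lambda: {"dirs": defaultdict(set), "stage2": False})
    for e in sorted(events, key=lambda e: e["t"]):
        h = seen[e["host"]]
        img = name(e["image"])
        if e["type"] == "proc" and img in (MINER, MANAGER):
            h["dirs"][dirname(e["image"]).lower()].add(img)
        elif e["type"] == "file" and img == MANAGER and name(e["target"]) == STAGE2:
            # Counts only if the pair was already seen running from manager's directory.
            pair = h["dirs"].get(dirname(e["image"]).lower(), set())
            h["stage2"] = h["stage2"] or pair == {MINER, MANAGER}
    result = {}
    for host, h in seen.items():
        paired = any(names == {MINER, MANAGER} for names in h["dirs"].values())
        miner = any(MINER in names for names in h["dirs"].values())
        if h["stage2"]:
            result[host] = "stage2-downloaded"
        elif paired:
            result[host] = "dropper-pair"
        elif miner:
            result[host] = "miner-only"
    return result

if __name__ == "__main__":
    for host, stage in triage(EVENTS).items():
        print(host, stage)
```

A lone manager.exe, a common legitimate file name, produces no finding, and a host that has reached the stage2-downloaded stage should be treated as having had its system details sent out, not only as a mining incident.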

Reporting and Technical Details

  • May 2018: Xbooster Parasitic Monero Mining Campaign. (Netskope)