Following the use of the NSA developed EternalBlue exploit in the now infamous ransomware WannaCry, a new malware known as WannaMine has surfaced.

WannaMine follows in the footsteps of WannaCry, using the NSA developed EternalBlue exploit to propagate. After infection, the similarities between WannaCry and WannaMine end. Where WannaCry would proceed to encrypt all available files and notify the user of its existence, WannaMine silently installs and runs mining software for the cryptocurrency Monero.

Use of Monero

This is the next in a line of cryptojacking attacks involving mining software that specifically mines Monero. The reasoning behind the perpetrator’s use of Monero is unknown, though it may have something to do with Monero’s minability on mid to low-end computers, and the privacy that exists on Monero’s blockchain.


After infection and initial setup, WannaMine uses Windows management tools for its persistence. Once infected, it can be difficult to find the malicious settings within the large number of legitimate ones.

One of the simplest methods of detection is to monitor your computers CPU usage.  Abnormally high CPU usage can be caused by cryptojacking. You can view your CPU usage using Windows Task Manager. Otherwise, high CPU usage will make your computer hotter, which may make its fans run louder.


WannaMine uses EternalBlue for its propagation, and as Microsoft patched the vulnerability in 2017, so long as all computers on your network are up-to-date you should be secure from WannaMine. Otherwise, standard security advice such as not following unknown links applies.


crypto hope page

In late April 2018, UNICEF Australia’s home site began to invite visitors to a page called The Hopepage, where funds are raised for UNICEF through cryptocurrency mining. By opening the website and clicking, “Start Donating,” a visitor agrees to run a miner in their web browser and use their computer’s central processing unit or CPU to solve crypto-puzzles and earn digital currency for the international charity. The digital money mined is XMR of the Monero blockchain. It is converted into fiat and used to fund UNICEF’s humanitarian work with and for children, and specifically, refugees. The site text reads:

Give hope, just by being here … The cryptocurrency is automatically donated to UNICEF Australia and is turned into real funds that reach children through life-saving supplies like safe water, therapeutic food and vaccines … Mining is perfectly safe for your computer.

Crypto Mining to Help Young Refugees

Donors can choose how much of their processing power to commit to this process while leaving the browser window open – 60 percent is the default setting and the full range is 20 to 80 percent. While there is no further cost associated with participation, this use of significant computer power and energy does constitute a real donation.

UNICEF is using a JavaScript miner for XMR developed by Coinhive. Companies sometimes include this mining option in their browsers and offer users benefits like in-game currencies or ad-free media experiences in return. In this case, the funds raised will be used to support Rohingya youth. The Rohingya is an ethnic group, which is denied citizenship in Myanmar and has experienced decades of prosecution there. After surges of violence in 2017, many have fled to Bangladesh and there are about 400,000 children among the Rohingya refugees.

UNICEF, Blockchain and Charity Mining

UNICEF also turned to crypto-mining as a fundraising tool in February 2018. It asked gamers to install the mining software Claymore in order to send Ethereum to its electronic wallet. The charity’s other blockchain-related initiatives include funding blockchain projects like South Africa-based 9Needs, which uses distributed ledger technology to create digital identities for use in early childhood education programs. It also co-ran blockchain labs with U.N. Women and it led a blockchain hackathon in Kazakhstan. Similarly, the U.N. has used blockchain to launch an ID-project for refugees around the globe.

Other mining-for-charity projects exist in the cryptosphere. A group called Bail Bloc uses mining to pay people’s bail who are awaiting trial, much like a community bail fund. Charity Mine pools and donates browser-mining earnings to its community’s current charity of choice. Cudo Donate from Cudo Ventures aims to provide user-friendly mining-donation options to multiple charities.

Feature image from

On April 6th, at 16:44:02 UTC (block 1546000), the privacy-oriented cryptocurrency Monero successfully performed its scheduled hard fork. Which, among other updates, hardened the cryptocurrency against ASIC miners.

As a result of the PoW change, various forks have appeared that intend to maintain the old blockchain, stating that the existence of ASICs for the cryptocurrency is good.

ASIC Resistance

The Monero community first began to suspect that an ASIC was in play in January, when the hashrate began to increase rapidly. Though at the time, the Monero community believed that developing an ASIC for CryptoNote would be prohibitively expensive.

Monero reported hash rate –

The suspicions were proved correct when Bitmain announced its AntMiner X3 ASIC in mid-march alongside other ASIC announcements. Though these announcements occurred not long after the Monero team announced that it would be changing the PoW algorithm to set back any ASIC miners.

Other features added

One of the notable changes made over the hard fork is support for the ledger nano hardware wallet. Otherwise, sub-addresses and multi-signature wallets were added to the reference wallet.

You can read the full changelog on the Monero team’s blog post.


While the full extent of the hashrate drop is still unknown, the difficulty algorithm has begun to lower the difficulty. At the time of writing, monerod reported a network hashrate of 645.63 MH/s and a difficulty of 77475745059. It is expected that the difficulty and therefore reported hashrate will have normalized around block 1546720.

Monero (XMR) is a privacy-oriented cryptocurrency that aims to keep all transactions on its blockchain private from others. It does this in two ways, stealth addresses, and ring-CT. Monero uses the CryptoNote algorithm, first used in the now infamous ByteCoin. CryptoNote is an ASIC resistant algorithm, intending to make mining long-term feasible on consumer computers, thus helping to decentralize the network. GPUs still have somewhat of an advantage, but the gap is nowhere near that in Scrypt (Litecoin) or SHA256 (Bitcoin) coins.


Any computer can mine Monero, though the newer the better. Older CPUs may not have the required AES instruction set. There are various options for mining software, including the infamous CoinHive javascript based miner. XMR-Stak is recommended by the community for simultaneous mining on a CPU and one or more GPUs. Please note that the mining software MinerGate is a scam, it lies about your current hash rate, thereby skimming your profits. You can find a list of other scams on the Monero subreddit

ASIC Resistance

Monero’s algorithm, CryptoNote, is ASIC (Application Specific Integrated Circut) resistant, this is due to its use of large amounts of processor cache. Cache is expensive to manufacture compared to other parts of an integrated circuit, making developing an ASIC to mine CrytoNote difficult. Monero also has a bi-annually scheduled hard fork that could be used to change the algorithm, thereby staying ahead of  ASIC designers.

Scheduled hard forks

The developers of Monero execute a bi-annual hard fork. Changes to the algorithm and other internal parts of the cryptocurrency require hard forks. The next hard fork is scheduled for sometime in March 2018, the exact date will be decided later in the year.

Privacy and security

Monero users have always-on privacy – Transactions that are not private cannot be sent over the blockchain. When sending a transaction on the Monero blockchain, a ring signature is created that hides the true transaction in a list of others. All of them using stealth addresses to hide the target of the transaction. The only available information on the blockchain is that a transaction happened. The sender can decrypt the transaction using the transaction key and the target address, either with the GUI wallet or an online tool such as xmrchain or other block explorers. Though this does require you sharing your private keys for that transaction with the block explorer service.

There are only two ways to view the balance of a Monero address; owning the address or getting a view key from the owner of the address. A view key allows anyone to view the content of a Monero address without being able to spend said contents.


Currently, the recommended desktop wallet is the official wallet, which supports both running a local node and connecting to a remote one. The MyMonero wallet is another, more convenient option, though you sacrifice some privacy for convenience, as your private keys are stored on MyMonero’s servers. This means that you must trust MyMonero with your money.

Messaging app Telegram has become the latest victim of cryptocurrency mining malware, as researchers at Kaspersky Lab have revealed a now-patched vulnerability that allowed hackers to exploit a flaw in the platform’s file transfer service.

Kaspersky said that the vulnerability, which was first exploited in March 2017 and discovered by researchers in October, was a “classic right-to-left override attack.”

Simply put, this attack exploited the portion of Telegram’s software that enabled the messenger to recognize Arabic and Hebrew, languages which are read right to left. The hackers were able to use this feature to reverse the order of characters in filenames, which allowed them to disguise suspicious file extensions as images or other seemingly non-threatening file types.

After users downloaded the files, embedded scripts would silently unleash a malware payload on the target operating system. One of the most prominent payloads was malware that harnessed the target computer’s processing power to mine cryptocurrencies for the attackers.

cryptocurrency mining malware
Source: Kaspersky

These miners were primarily developed for the Equihash and Cryptonight mining algorithms, which are employed by privacy-centric cryptocurrencies Zcash (ZEC) and Monero (XMR), respectively.

Although the vulnerability affected all Telegram users, Kaspersky said that it appears only Russian hackers exploited it, which is why the vast majority of victims were Russian residents.

These types of attacks have become quite common in recent months, particularly since the development of CoinHive, a mining script that can be implemented into the background of websites and used to harness the computing power of visitors.

As BlockExplorer reported, more than 4,200 websites hosted by government agencies in the US and UK have recently been compromised through the use of a tool called BrowseAloud and injected with CoinHive-based mining malware scripts.

Telegram denied that exploit was the result of a “real vulnerability,” arguing that users bore responsibility for choosing to download the files.

“This is not a real vulnerability on Telegram Desktop, no one can remotely take control of your computer or Telegram unless you open a (malicious) file,” Reuters cited the company as saying in a statement.

Nevertheless, the timing of the vulnerability’s disclosure is awkward for Telegram, as the company is reportedly preparing to launch a record-shattering initial coin offering (ICO) that could raise up to $2 billion.

Featured Image from MaxPixel