Monero Miners Found in BlackBerry Mobile Site, North Korean University Server

Cryptomining continues to gain traction as security researchers discovered an installer for a Monero miner (detected by Trend Micro as TROJ_COINMINER.JA and TROJ_COINMINER.JB) intended to transmit the cryptocurrency to Kim Il Sung University (KSU), North Korea. Meanwhile, a Reddit user found a Monero miner in the BlackBerry mobile website, which is owned by TCL Communication Technology Holding.

Both the address of the Monero wallet and the password it uses were detailed in the analysis of AlienVault.  It also revealed as the server the miner contacts. The use of this domain points server's location at KSU.

When the installer for the Monero miner in KSU is run, it will copy a file named intelservice.exe to the system—a common task for cryptocurrency mining malware. Based on its code, it appears to be a piece of software called xmrig, a program associated with campaigns exploiting unpatched IIS servers to mine Monero. The security researchers noted that while the author/s of the software is found at KSU, they might not necessarily mean they are North Korean since KSU an open university, and have a number of foreign students and lecturers. In addition, the link to the university doesn’t work, which means the installer cannot send mined coins back to its author.

On the other hand, a Reddit user posted about the existence of CoinHive cryptocurrency miner code found in BlackBerry’s mobile website. The miner uses visitors’ CPU processing power to mine for the Monero currency when they visit The aforementioned global website is the only one affected by the miner.

CoinHive jumped in on the Reddit thread to apologize for the misuse of their service, and said that this specific user seems to have exploited a security issue in the Magento webshop software (and possibly others) and hacked a number of different sites. “We have terminated the account in question for violating our terms of service,” Coinhive added.

Last year, similar incidents involving uninvited Monero miners made the news. Just last month, Starbucks confirmed that the devices of their customers at their Buenos Aires stores were used to mine the Monero cryptocurrency without their knowledge. A copy of the Coinhive in-browser cryptocurrency miner was also found inside a JavaScript file used by LiveHelpNow, a live chat and support software platform that was being loaded on hundreds of websites. Another incident concerns The Pirate Bay, which was discovered using the computers of its visitors to generate coins for the Monero currency as a way to earn additional income.


Comprehensive security solutions can block URLS and scripts that are known to be malicious or exhibit malicious behavior. Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security protect end users and businesses by detecting these threats and all related URLs. Trend Micro™ Smart Protection Suites deliver several capabilities like high fidelity machine learning, web reputation services, behavior monitoring and application control that minimize the impact of this threat.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.