Stopping a cryptojacker on network



We've noticed traffic in our Cisco Umbrella from various computers that is constantly trying to connect to a cryptomining pool (uk[.]mypools[.]xyz). However, I cannot find any traces of a cryptominer on any PC in our network. If anyone has any additional suggestions, I'd be very appreciative. This is out of my realm of expertise and I've been trying to figure it out for days.

  1. The cryptominer appears to activate during the boot sequence. If we uninstall Chrome, clear the Google folder from Program Files, and then reinstall it, the cryptomining stops until the next restart. Once the PC is restarted, the cryptomining immediately starts up again.

  2. The most recently logged in user is the account showing in Cisco Umbrella as trying to reach the site. This is happening even when the user is not logged in and at all hours.

  3. The PCs showing activity in Cisco Umbrella have been scanned with Bitdefender, Cisco Amp, Microsoft Safety Scanner, Kaspersky Rescue Disk, and Trend Micro Anti-Threat Toolkit. They find nothing.

  4. The site is blocked at the firewall. The requests are internal and trying to reach the outside. They are being blocked, but this is still causing excessive network activity.

  5. The requests seem to be happening every 30 minutes on the affected computers, so it's almost like it's a scheduled task. There are no tasks in the task scheduler.

  6. Traffic does not occur when the devices are turned off. Therefore, I'm ruling out MAC spoofing.

  7. If Google Chrome is uninstalled, the cryptomining stops. If reinstalled, the cryptomining will start again even though the PC is not in use.

  8. I cannot locate any xmrig.exe or similar processes running on any affected PCs.
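Point 5 above describes the classic signature of a scheduled beacon: hits on the pool domain recurring at a near-constant interval regardless of user activity. The script below is an added example, not part of the original post, that scores that regularity from exported DNS logs so the affected hosts can be confirmed from the log side before hunting on the endpoint. It assumes Umbrella-style CSV rows of `timestamp,identity,internal_ip,domain,action`; the column layout, the IPs, usernames and timestamps are all constructed for illustration, and only the defanged pool domain comes from the post.

```python
"""Flag hosts whose DNS hits on a known mining-pool domain recur at a fixed interval.

Added example, not from the original post. Assumes a CSV export with the
columns: timestamp, identity, internal_ip, domain, action. The sample rows
below are constructed: two hosts beacon every ~30 minutes (like the post
describes), a third only browsed to the domain irregularly.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from statistics import mean, pstdev

# Defanged pool domain exactly as written in the post.
POOL_DOMAIN = "uk[.]mypools[.]xyz"

# Constructed sample log lines (assumed column order, not a real Umbrella export).
SAMPLE_LOG = """\
2023-05-01 00:02:11,CORP\\jsmith,10.1.4.22,uk[.]mypools[.]xyz,Blocked
2023-05-01 00:32:12,CORP\\jsmith,10.1.4.22,uk[.]mypools[.]xyz,Blocked
2023-05-01 01:02:10,CORP\\jsmith,10.1.4.22,uk[.]mypools[.]xyz,Blocked
2023-05-01 01:32:13,CORP\\jsmith,10.1.4.22,uk[.]mypools[.]xyz,Blocked
2023-05-01 00:15:00,CORP\\alee,10.1.4.37,uk[.]mypools[.]xyz,Blocked
2023-05-01 00:45:01,CORP\\alee,10.1.4.37,uk[.]mypools[.]xyz,Blocked
2023-05-01 01:14:59,CORP\\alee,10.1.4.37,uk[.]mypools[.]xyz,Blocked
2023-05-01 09:03:44,CORP\\rkumar,10.1.4.51,uk[.]mypools[.]xyz,Blocked
2023-05-01 09:04:02,CORP\\rkumar,10.1.4.51,uk[.]mypools[.]xyz,Blocked
2023-05-01 13:41:20,CORP\\rkumar,10.1.4.51,uk[.]mypools[.]xyz,Blocked
2023-05-01 08:00:00,CORP\\alee,10.1.4.37,www.example.com,Allowed
"""


def parse_log(text):
    """Parse CSV rows into dicts with a real datetime; blank lines are skipped."""
    records = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        ts, identity, ip, domain, action = row
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "identity": identity,
            "ip": ip,
            "domain": domain,
            "action": action,
        })
    return records


def intervals_by_host(records, domain):
    """Group hits on `domain` by source IP; return inter-arrival gaps in seconds."""
    hits = defaultdict(list)
    for r in records:
        if r["domain"] == domain:
            hits[r["ip"]].append(r["ts"])
    gaps = {}
    for ip, stamps in hits.items():
        stamps.sort()
        gaps[ip] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return gaps


def find_beacons(records, domain, min_hits=3, max_jitter_ratio=0.05):
    """Return hosts whose hits on `domain` recur at a near-constant interval.

    A scheduled beacon produces gaps that are all close to one value, so the
    standard deviation relative to the mean (coefficient of variation) is
    tiny. Human browsing produces wildly varying gaps and is filtered out.
    """
    beacons = {}
    for ip, gaps in intervals_by_host(records, domain).items():
        if len(gaps) < min_hits - 1:
            continue  # too few hits to call it periodic
        period = mean(gaps)
        jitter = pstdev(gaps)
        if period > 0 and jitter / period <= max_jitter_ratio:
            beacons[ip] = {
                "hits": len(gaps) + 1,
                "period_min": round(period / 60, 1),
                "jitter_s": round(jitter, 1),
            }
    return beacons


if __name__ == "__main__":
    for ip, info in find_beacons(parse_log(SAMPLE_LOG), POOL_DOMAIN).items():
        print(f"{ip}: {info['hits']} hits, every {info['period_min']} min "
              f"(jitter {info['jitter_s']} s)")
```

On the constructed sample the two ~30-minute hosts are reported and the host with irregular gaps is not. The period and hit count per host are what to carry into the endpoint hunt: a stable period that survives logoff and reboot, as the post describes, points at a persistence mechanism that fires on a timer rather than at user activity, so the output is a host list to check for autostart entries rather than a verdict on its own.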
