Be alert! This new type of mining may be targeting your host

In addition to Monroe Coin, this virtual currency that does not consume CPU resources may become a new favorite of the black market, and it is important to anticipate it in advance so as not to make a mess.

Text|Aegis Traffic Security Analysis Team Pav1


In the first half of 2021, news of record-high prices for virtual cryptocurrencies (Cryptocurrency, hereafter referred to as “virtual currencies”) caught people’s attention time and time again, with Bitcoin being the most well-known virtual currency to the public. Tesla Inc. also announced in February that it had purchased $1.5 billion worth of bitcoin and planned to start accepting bitcoin as a payment method for its electric vehicle products [1].

The CEO of Tesla, Elon Musk, also publicly expressed strong support for dogcoin on foreign social media platforms [2], causing its price to surge as high as $0.73 per coin, a nearly 100-fold jump from the beginning of the year (as of June 29, 2021, dogcoin has fallen back to $0.26 per coin). The virtual currency frenzy has attracted a lot of attention from the black market, in addition to the influx of capital.

Tencent Security Platform Department’s Aegis Traffic Security Analysis System has monitored a significant increase in the number of malicious samples related to cryptocurrency mining in the first half of 2021, and as the variety of virtual currencies continues to increase and technology continues to develop, a new class of mining methods is gradually appearing on our horizon.


I believe that most security practitioners are familiar with Monero, in addition to Bitcoin. Monero (codename XMR) is an open-source cryptocurrency created in April 2014 that uses a different CryptoNote protocol than Bitcoin [3], making it more suitable for mining using CPUs.

This characteristic of Monero has led to its heavy use by hackers, and most of the mining scripts captured by the Aegis Traffic Security Analysis System are currently conducting Monero mining activities. Once a server malicious attacker is implanted with a Monero mining script, the most prominent manifestation is a significant increase in CPU usage.

Be alert! This new type of mining may be targeting your host

Figure 1 Monroe Coin Mining Pool page

In June 2021, the Aegis Traffic Security Analysis System began to monitor a class of mining scripts, and after the server was implanted with the script, the CPU did not show extremely high usage, but rather the hard disk was occupied with a huge amount of space.

Upon deeper understanding, it was discovered that a class of virtual currencies had emerged that used hard disk space and network bandwidth for mining. These virtual currencies were originally designed to achieve the goal of decentralized storage and communication, and some of the more representative coins are Filecoin, Chia, Swarm, and Dfinity.

We monitored Chia and Swarm-related mining scripts in June and the number of infected units increased from tens to hundreds in a matter of days, with Swarm accounting for the majority of them.

The main flow of a typical Swarm mining script is shown below.

Be alert! This new type of mining may be targeting your host

Figure 2 Swarm mining script flow chart

Be alert! This new type of mining may be targeting your host

Figure 3 Swarm mining script – main function

Swarm Introduction

Swarm project is one of the official projects of Ether, led by the Ether Foundation, and is a project that V-God (the founder of Ether) personally stood on.

It is not difficult to see that the prosperity of the Ethernet ecology has created the fire of Swarm project, and at the same time, Swarm project can also provide storage, bandwidth and other resources for the applications in the Ethernet network.

At present, the data of many projects on the Ethernet network are still stored in the servers of traditional centralized cloud service providers, and if these servers have problems, it means that users’ data and assets will also be lost. This is where the advantage of projects like Swarm comes into play, being able to solve such problems through decentralized storage.

Be alert! This new type of mining may be targeting your host

Figure 4 Swarm official website

By reading the white paper of the Swarm project [5], we can find that the nodes in the Swarm project together form a huge P2P network, in which each node is able to provide data storage and content distribution services.

In simple terms, if one wants to use Swarm to store data, one needs to use the token BZZ in the Swarm project, and this BZZ token is also the proceeds of Swarm mining.

If a node can provide more storage space and bandwidth, then it will also get more BZZ tokens, which is the mining revenue.

The design of Swarm is more like a decentralized CDN (Content Delivery Network) or web drive than existing products. In the past, we needed to go to various CDN or web drive providers to pay for their CDN or web drive services, but now we only need to pay BZZ tokens on Swarm to get the same services as CDN or web drive.

And our data is not uniquely stored on a particular service provider’s server, but is stored in multiple places in a decentralized manner, improving the security of the data and preventing it from being monitored.

Then it is good to understand the difference between mining Swarm token BZZ and mining Monroe coins. Mining Monroe coins requires a lot of CPU resources and thus will consume a lot of electricity, while mining BZZ does not require a lot of computing resources and only needs to occupy storage space and bandwidth to be able to gain revenue and consume very little electricity, which is a relatively environmentally friendly way of mining.

Be alert! This new type of mining may be targeting your host

Figure 5 Kademlia network connection between Swarm nodes

A node will be fully connected with at least eight immediate neighbors.

This results in a large and tightly connected mesh structure

Features and Detection

Although mining the Swarm token BZZ does not consume a lot of CPU resources, this does not mean that we cannot detect its presence.

In the process of mining Swarm tokens BZZ, the most important feature is the consumption of bandwidth and hard disk space. If you find that your hard disk space is suddenly taken up a lot and a program is taking up a lot of network bandwidth during your daily use of your computer, you can check to see if a Swarm mining Trojan has been implanted.

At the same time, Swarm mining will have the following specific features for network security practitioners to determine.

  1. traffic characteristics

When mining Monroe coins, the mining program needs to connect with the mining pool and synchronize the calculation results and blocks with the pool, which also includes the process of logging in, so the traffic characteristics of Monroe coin mining are obvious.

The official recommendation is to build your own XDAI blockchain node (hereinafter called exchange endpoint) to connect to the blockchain network, or you can use public services such as to connect to the blockchain network.

The communication traffic between the Swarm mining program and the XDAI blockchain nodes is as follows.

Be alert! This new type of mining may be targeting your host

Fig. 6 Communication traffic between the mining program and the swap break endpoint

As can be seen in the above figure, the jsonrpc protocol is also used when the mining program communicates with the exchange endpoint, which is the same as Monroe Coin mining, and the strong characteristics of the packets are obvious, which can be detected for the keywords in the packets or the structure in the packets.

  1. File features

The official mining software used by the Swarm project is Bee (, which is written in go and supports linux and windows systems, and supports various architectures such as ARM and X86.

By running the official program to build the mining node for the Swarm project, it can be found that running the program creates the following three directories under the data-dir directory specified in the configuration file.

Keys directory: This directory stores the keys generated during the initialization of the node, which is the most important data in the whole node.

Statestore directory: This directory holds information about the current node, such as block list, SWAP balance, etc.

Localstore directory: This directory is the block data of the current node.

  1. Port Features

Swarm project uses 1633, 1634 and 1635 ports for data exchange by default when running.

Port 1633: It is the default HTTP API port, which can be accessed by HTTP protocol to view node operation, upload and download files, etc.

Port 1634: is the default P2P port, which is required for P2P connection with external nodes.

Port 1635: is the default debug port, which must be opened by configuring debug-api-enable to True in the configuration file.

By checking the open and connected status of the above ports, we can also know whether the host is running the Swarm mining program Bee.

Summary and Outlook

In the first half of this year, the Swarm project launched a test campaign to enable mining without pledging, which attracted a large number of miners and saw the sale of Swarm nodes by cloud server providers.

On June 22, the Swarm project celebrated the launch of the 1.0 mainnet [6], which pushed the project’s popularity to a high point. with the Big V booth and the ecological support of Ether, the Swarm project has become the leading distributed storage blockchain project at present.

Since Swarm’s mining still has pledge, minimum disk space and high-speed bandwidth requirements, and the coin price is unstable even after the main network is just launched, it may draw a question mark on its popularity afterwards, but as long as profit exists, it may be exploited by illegal attackers such as blackmail, both individuals and companies need to take more precautions against this type of mining in the future to prevent it from happening.

About the Team

The Aegis Traffic Security Analysis Team is part of Tencent’s Security Platform Department and has built the company-level traffic security analysis system NIDS based on the department’s 15 years of security experience and the massive traffic of Tencent’s business. The team focuses on the construction and implementation of network traffic-based vulnerability detection, intrusion detection, malicious blocking and threat intelligence.








Posted by:CoinYuppie,Reprinted with attribution to:
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Like (0)
Donate Buy me a coffee Buy me a coffee
Previous 2021-07-02 04:10
Next 2021-07-02 05:03

Related articles