Hi.
During a deep scan Avast did find a malicious file in a cache folder of an MMO game I have installed called EVE Online.
I have uploaded it to VirusTotal and a lot of well-known AV engines detect it as a trojan, but when I have a look at the details and behaviours it seems to be making calls to Windows libraries. I am on a Mac and the game is running on macOS using WINE. So basically I am running the Windows version of the game on macOS.
I did some searching and it seems to be common with EVE Online that some AV engines detect it as malware.
So in case there are some experts here, could anyone please tell me:
- What exactly is this file trying to do that triggers the detection?
- Is this a real threat? If yes, could this be a threat on macOS, or is it a threat to Windows users only?
Here is the link to VirusTotal for more information:
https://www.virustotal.com/gui/file/a2931c1c11a1eafa36edc875baec73fb6248cd49db54f90679b953355e194390/detection
Thanks.
Seems that the VT report is quite convincing, with 27 vendors flagging that specific generic encrypted compiled executable.
See on behavior there: https://www.virustotal.com/gui/file/a2931c1c11a1eafa36edc875baec73fb6248cd49db54f90679b953355e194390/behavior
Conhost.exe is the Monero Mining virus.
Name: conhost.exe Virus
Type: CryptoCurrency Miner
Short Description: Aims to infect your computer and use its CPU, GPU and other resources to turn it into a miner for cryptocurrencies.
Symptoms: Heightened CPU and GPU usage and overheating. The victim PC may break if this virus mines for longer periods of time.
Distribution Method: Spam Emails, Email Attachments, Executable files
polonus
Conhost.exe is the Monero Mining virus.
Thank you. Wondering how I got it. Avast Deep Scan did not discover anything else, and EVE Online is the only Windows application I have installed on my Mac. I don’t usually download/install from unknown sources. The only fishy application I have installed is FileZilla; I was told the Windows installer usually includes bloatware and even crypto miners and was not recommended to install, but in the Mac installer I did not notice anything. Could this miner be coming from FileZilla?
I keep the installer of everything I have installed, so in case anyone would like to have a look, here they are:
FileZilla:
https://gofile.io/d/86KZmM
VT: https://www.virustotal.com/gui/file/97639aa32cf215ba8a06861a5b20e442b3989e2d2751220cbe824f75e56a2a94/detection
EVE Online:
https://gofile.io/d/JPn8wG
VT: https://www.virustotal.com/gui/file/517c9f830e9939e4c3c908b5bb820492f575e7c2ed388fcf303decce45ae1313/detection
I did not experience high CPU and GPU usage; I don’t think it was able to run, but I am wondering how I got a Windows miner on a Mac. I would think everything in the cache folder is downloaded from the EVE Online servers, so maybe it is more likely their servers were infected at some point.
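A practical follow-up to the question of whether anything else in the WINE cache is a Windows executable: the script below is an added example, not code from the thread or from Avast, EVE Online or FileZilla. It walks a directory, identifies files that carry a Windows PE header (an MZ stub whose e_lfanew field points at the "PE\0\0" signature), computes each one's SHA-256 and compares it with a list of hashes; the only hash on the list is the one from the first VirusTotal link in the thread. The sample cache it builds in a temporary directory is constructed for the demonstration (the fake "conhost.exe" is a 76-byte header stub, not a real program), and the function names are assumptions.

```python
"""Inventory PE executables under a cache directory and flag known SHA-256 hashes.

Added example (not from the forum thread). Function names, the sample cache and
the fake PE stub are constructed for the demonstration.
"""
import hashlib
import os
import struct
import tempfile

# SHA-256 hash taken from the first VirusTotal link in the thread.
FLAGGED_HASHES = {
    "a2931c1c11a1eafa36edc875baec73fb6248cd49db54f90679b953355e194390":
        "conhost.exe sample flagged by 27 vendors on VirusTotal",
}


def is_pe_file(path):
    """True if the file starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            dos_header = f.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos_header, 60)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def sha256_hex(data):
    """SHA-256 of an in-memory byte string, as a lowercase hex digest."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """SHA-256 of a file, read in 64 KiB chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_cache(root):
    """Return sorted (relative_path, sha256, verdict) tuples for every PE file under root.

    Non-PE files (textures, settings, logs) are skipped; a PE file whose hash is
    not on FLAGGED_HASHES is still listed so it can be checked by hand.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not is_pe_file(full):
                continue
            digest = sha256_of_file(full)
            verdict = FLAGGED_HASHES.get(digest, "not on the flagged list")
            findings.append((os.path.relpath(full, root), digest, verdict))
    return sorted(findings)


def make_fake_pe(padding=8):
    """Constructed minimal MZ + 'PE\\0\\0' byte string; only the headers, not a runnable program."""
    e_lfanew = 64
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    return dos_header + b"PE\x00\x00" + b"\x00" * padding


def build_sample_cache():
    """Create a temp directory holding one constructed fake PE and one plain text file."""
    root = tempfile.mkdtemp(prefix="cache_demo_")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "sub", "conhost.exe"), "wb") as f:
        f.write(make_fake_pe())
    with open(os.path.join(root, "settings.ini"), "w") as f:
        f.write("[video]\nfullscreen=1\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_cache()
    for rel_path, digest, verdict in scan_cache(sample_root):
        print(f"{rel_path}\t{digest}\t{verdict}")
```

To use it on a real WINE prefix, call scan_cache with the cache directory's path instead of build_sample_cache(); any listed file whose hash is not already on VirusTotal can be looked up by that hash before deciding whether to delete it. The PE check is deliberately header-based rather than extension-based, because a dropped miner need not carry a .exe name.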