{"id":23173,"date":"2024-06-29T20:42:56","date_gmt":"2024-06-29T20:42:56","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=23173"},"modified":"2024-06-29T21:02:59","modified_gmt":"2024-06-29T21:02:59","slug":"bloom-exe","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/bloom-exe\/","title":{"rendered":"Bloom.exe"},"content":{"rendered":"<p><strong>Bloom.exe is a malicious miner<\/strong> that masquerades as a legitimate process. Its job is to use the victim&#8217;s device to mine cryptocurrency for con actors. The most visible sign of its presence, aside from the process in the Task Manager, is the enormously high CPU load it produces. This can render your system nearly unusable, causing stutters and even crashes.<\/p>\n<h2>Bloom.exe Miner Overview<\/h2>\n<p>Bloom.exe is a process created by <a href=\"https:\/\/gridinsoft.com\/coin-miner\">coin miner malware<\/a>. This class of malware exploits the hardware of the victim&#8217;s system to mine cryptocurrency. The name &#8220;Bloom.exe&#8221; serves only to make the malware look like a legitimate process and confuse the user: it is not a Windows component, so the first thing to check is the path and signature of the process in Task Manager or Process Explorer. 
Like other malicious miners of this kind, it mines Monero or DarkCoin, with all profits going to the attacker.<\/p>\n<figure id=\"attachment_23192\" aria-describedby=\"caption-attachment-23192\" style=\"width: 1000px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/Bloom-exe.webp\" alt=\"Bloom.exe in the Task Manager screenshot\" width=\"1000\" height=\"851\" class=\"size-full wp-image-23192\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/Bloom-exe.webp 1000w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/Bloom-exe-300x255.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/Bloom-exe-768x654.webp 768w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-23192\" class=\"wp-caption-text\">Bloom.exe in the Task Manager<\/figcaption><\/figure>\n<p>The Bloom.exe miner monitors system usage and adjusts its resource consumption accordingly. This makes it less noticeable than miners that grab all available resources: a single glance at Task Manager may show only moderate CPU use, so the total CPU time the process has accumulated since it started is a better tell than its current share. Additionally, Bloom.exe is able to use GPU resources, which improves mining output and makes the activity even harder to notice unless you are gaming or pay attention to fan noise.<\/p>\n<h3>Spreading Methods<\/h3>\n<p>As for distribution, Bloom.exe is similar to other miners. It is mainly distributed under the guise of legitimate software. The second, almost as popular, method is drive-by downloads and illegal software, such as pirated games <a href=\"https:\/\/gridinsoft.com\/crack\">or cracked programs<\/a>.<\/p>\n<p>A less effective but no less popular method of distribution <a href=\"https:\/\/gridinsoft.com\/blogs\/google-search-malvertising-fake-ads\/\">is malvertising<\/a>. 
Con actors hijack search results for popular software to lead users to their sites instead of the genuine ones. Instead of the program&#8217;s installer, users download and run malware, with the Bloom.exe miner among it.<\/p>\n<h2>Technical Analysis<\/h2>\n<p>Let&#8217;s take a closer look at how this miner behaves. In fact, most miner malware behaves rather similarly, regardless of whether it is stand-alone or <a href=\"https:\/\/gridinsoft.com\/xmrig\">based on XMRig<\/a> or another well-known open-source project.<\/p>\n<p>Traditionally, malware begins its life cycle by checking for a virtual environment, sandbox, or debugging tools. To do this, our sample checks the following registry keys:<\/p>\n<p><code style=\"font-size: 14px\">HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion<br \/>\nHKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers<br \/>\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls<\/code><\/p>\n<p>These keys hold system settings and Windows security policies. The first contains per-user Windows NT configuration; <code>Safer\\CodeIdentifiers<\/code> holds Software Restriction Policy rules, so reading it tells the malware whether a policy would block its execution; and <code>AppCertDlls<\/code> lists DLLs that Windows loads into every process created through CreateProcess, which makes it a well-known persistence location (MITRE ATT&amp;CK T1546.009) worth auditing on an infected machine. Besides these checks, this malware usually has its code packed, encrypted and obfuscated. These &#8220;passive&#8221; protection measures make Bloom.exe a tough nut for basic antiviruses.<\/p>\n<h3>C2 Communication<\/h3>\n<p>The malware uses several addresses for communication, including <strong>TCP <a href=\"https:\/\/www.abuseipdb.com\/check\/204.79.197.203\" target=\"_blank\" rel=\"noopener nofollow\">204.79.197.203:443<\/a><\/strong>, which belongs to Microsoft. This is possibly because the frauds use some of the cloud services Microsoft offers to anyone: although such endpoints are easy to take down, it is just as easy to create new ones. Keep in mind that this Microsoft address range also serves ordinary Windows and Bing traffic, so a connection to it is a weak indicator on its own; what matters is which process opened the socket. 
There are also several addresses that could potentially belong <a href=\"https:\/\/gridinsoft.com\/command-and-control\">to the command server<\/a>:<\/p>\n<p><code style=\"font-size: 14px\">https:\/\/pdfcrowd.com\/?ref=pdf<br \/>\nhttps:\/\/pdfcrowd.com\/doc\/api\/?ref=pdf<br \/>\nhttps:\/\/gettodaveriviedt0.com\/secur3-appleld-verlfy1\/?16shop<\/code><\/p>\n<p>Treat this list with caution. pdfcrowd.com is a legitimate HTML-to-PDF conversion service, and links of this form are what it embeds in documents it generates, so the first two URLs may be incidental strings rather than C2 endpoints. The third, with its misspelt imitation of an Apple ID verification page, looks like a phishing page rather than a mining control server.<\/p>\n<h3>Payload<\/h3>\n<p>After all the checks and communications, the malware drops a payload on the system. It also writes a large number of files into the <strong>%windir%\\System32\\<\/strong> folder, among which are:<\/p>\n<p><code style=\"font-size: 14px\">C:\\Windows\\System32\\OHcvDRK.exe<br \/>\nC:\\Windows\\System32\\ROKnunx.exe<br \/>\nC:\\Windows\\System32\\TAtNGGl.exe<br \/>\nC:\\Windows\\System32\\WQDfJPu.exe<\/code><\/p>\n<p>These are only a small part of what the malware brings to the system; the longer it stays active, the more of these files will appear. Inside them are either modules that provide certain functionality, or mining configurations. Two things stand out: the names are random seven-letter strings, which is unusual among the signed Microsoft binaries that normally live in System32, and writing there requires administrative rights, so the dropper is running elevated by the time it reaches this stage.<\/p>\n<h2>How to Remove Bloom.exe?<\/h2>\n<p>To remove Bloom.exe effectively, I recommend using GridinSoft Anti-Malware, as it will detect and stop this miner along with other malicious programs. 
Unlike manual removal, this program will find every element of the malware, ensuring that it won&#8217;t come back.<\/p>\n<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main.webp\" alt=\"GridinSoft Anti-Malware main screen\" width=\"886\" height=\"689\" class=\"aligncenter size-full wp-image-22665\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main.webp 886w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main-300x233.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main-768x597.webp 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/>\n<p>Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.<\/p>\n<div style=\"text-align:center\"><a href=\"\/download\/antimalware\" class=\"btn border-black\" rel=\"nofollow\">Download Anti-Malware<\/a><\/div>\n<p>After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the program takes on each element: click \"Advanced mode\" and use the drop-down menus. 
You can also see extended information about each detection: malware type, effects and potential source of infection.<\/p>\n<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result.webp\" alt=\"Scan results screen\" width=\"886\" height=\"689\" class=\"aligncenter size-full wp-image-22666\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result.webp 886w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result-300x233.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result-768x597.webp 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/>\n<p>Click \"Clean Now\" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt it, and your system will be as clean as new.<\/p>\n<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean.webp\" alt=\"Removal finished\" width=\"886\" height=\"689\" class=\"aligncenter size-full wp-image-22667\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean.webp 886w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean-300x233.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean-768x597.webp 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/>\n","protected":false},"excerpt":{"rendered":"<p>Bloom.exe is a malicious miner that masquerades as a legitimate process. Its job is to use the victim&#8217;s device to mine cryptocurrency for con actors. The most visible sign of its presence, aside from the process in the Task Manager, is an enormously high CPU load that comes from it. 
This effectively renders your system [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":23193,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[17,4],"tags":[23,28,37],"class_list":{"0":"post-23173","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-labs","8":"category-tips-tricks","9":"tag-coin-miner","10":"tag-malware","11":"tag-slow-pc"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/bloom.webp","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/23173","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=23173"}],"version-history":[{"count":19,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/23173\/revisions"}],"predecessor-version":[{"id":23197,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/23173\/revisions\/23197"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/23193"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=23173"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=23173"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=23173"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
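The indicators the post above describes (a miner that throttles itself so a single glance at Task Manager looks unremarkable, unsigned seven-letter executables dropped into System32, the AppCertDlls key the sample reads, and the Microsoft-hosted address it connects to) can be triaged from PowerShell on the suspect host. The script below is an added example; it is not part of the original article and not GridinSoft's tooling. The 25% CPU threshold, the 60-second minimum process age, the seven-letter name pattern and the requirement to run elevated are assumptions drawn from the post's description, and each check prints candidates for a human to review rather than a verdict.

```powershell
# Added triage script for the Bloom.exe indicators described in the post.
# Not from the original article. Assumptions: run in an elevated PowerShell on
# the suspect Windows host; the 25% CPU threshold, 60-second minimum process age
# and 7-letter name pattern are chosen from the post's description, not from any
# documented behaviour of the sample.

$ErrorActionPreference = 'SilentlyContinue'
$cores = [Environment]::ProcessorCount
$now   = Get-Date

# 1. Sustained CPU share. A throttled miner looks quiet in a single Task Manager
#    glance, but TotalProcessorTime divided by wall-clock time since the process
#    started still exposes a process that has been burning CPU for hours.
$sustained = Get-Process | Where-Object { $_.StartTime } | ForEach-Object {
    $wall = ($now - $_.StartTime).TotalSeconds
    if ($wall -gt 60) {
        [pscustomobject]@{
            Name        = $_.ProcessName
            Pid         = $_.Id
            Path        = $_.Path
            AvgCpuShare = [math]::Round($_.TotalProcessorTime.TotalSeconds / ($wall * $cores), 3)
        }
    }
} | Where-Object { $_.AvgCpuShare -ge 0.25 -or $_.Name -eq 'Bloom' } |
    Sort-Object AvgCpuShare -Descending

# 2. Dropped executables in System32. The drops listed in the post have random
#    7-letter names such as OHcvDRK.exe; genuine System32 binaries carry a valid
#    Microsoft signature, either embedded or via a catalog, which
#    Get-AuthenticodeSignature checks for both.
$system32 = Join-Path $env:windir 'System32'
$drops = Get-ChildItem -Path $system32 -Filter '*.exe' -File |
    Where-Object { $_.Name -match '^[A-Za-z]{7}\.exe$' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            Signature = $sig.Status
            Created   = $_.CreationTime
        }
    } | Where-Object { $_.Signature -ne 'Valid' }

# 3. AppCertDlls. Every DLL listed here is loaded into each new process created
#    through CreateProcess, so on a clean machine the key is absent or empty.
$appCertKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
$appCertDlls = @()
if (Test-Path $appCertKey) {
    $appCertDlls = (Get-ItemProperty -Path $appCertKey).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |      # drop PSPath, PSProvider, ...
        ForEach-Object { [pscustomobject]@{ ValueName = $_.Name; Dll = $_.Value } }
}

# 4. Established connections to the Microsoft-hosted address from the post, with
#    the owning process. Weak indicator on its own: the same range serves ordinary
#    Windows traffic, so what matters is which process opened the socket.
$connections = Get-NetTCPConnection -RemoteAddress '204.79.197.203' -State Established |
    ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess
        [pscustomobject]@{
            Pid     = $_.OwningProcess
            Process = $owner.ProcessName
            Path    = $owner.Path
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    }

'== Processes with sustained CPU share >= 25% or named Bloom =='
$sustained   | Format-Table -AutoSize
'== Unsigned 7-letter executables in System32 =='
$drops       | Format-Table -AutoSize
'== AppCertDlls entries (expect none) =='
$appCertDlls | Format-Table -AutoSize
'== Established connections to 204.79.197.203 =='
$connections | Format-Table -AutoSize
```

Save it as a .ps1 file and run it from an elevated PowerShell prompt; the names and thresholds are starting points, not signatures. The combination to act on is an unsigned binary with a random name that also shows a high average CPU share or owns the network connection; a legitimate process that merely connects to the Microsoft address, or a signed System32 binary that happens to have a seven-letter name, is noise.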