Tiggre (often detected as Trojan.Tiggre or CoinMiner.Tiggre) is a malicious Trojan heavily associated with unauthorized cryptocurrency mining (cryptojacking). It covertly infiltrates Windows systems and aggressively hijacks the host's CPU and GPU resources to mine cryptocurrencies (typically Monero) for the financial benefit of the attackers. Tiggre is known for its aggressive persistence mechanisms and significant impact on system performance.
Infection Vector and Technical Capabilities
Tiggre is primarily distributed through untrustworthy file-sharing networks, often bundled with pirated software, cracked games, or illegal keygens. Users unwittingly install the miner when attempting to install the pirated application.
Once active, it focuses entirely on resource hijacking and stealth:
Resource Hijacking (Cryptojacking): Upon execution, Tiggre silently launches mining software (often a modified version of open-source miners like XMRig) in the background. It configures the miner to utilize a massive percentage of the system's processing power, connecting to attacker-controlled mining pools.
Aggressive Persistence: Tiggre ensures it runs continuously by copying itself to deep system directories (like `%AppData%` or `C:\ProgramData`) and creating hidden Scheduled Tasks or modifying registry `Run` keys.
Evasion (Task Manager Hiding): To prevent the user from noticing the massive CPU spike, some Tiggre variants monitor active processes. If the user opens the Windows Task Manager or Process Explorer, the malware will temporarily suspend the mining process, making the system appear normal until the monitoring tool is closed.
Threat Assessment
While Tiggre generally does not steal data or deploy ransomware, it severely degrades endpoint performance. The intense, continuous workload placed on the CPU/GPU causes excessive heat, significantly reduces hardware lifespan, and renders the machine practically unusable for legitimate business tasks, resulting in high IT support costs.
Incident Response and Remediation
Performance Monitoring: IT administrators should utilize centralized monitoring tools to identify workstations exhibiting consistent, inexplicable CPU usage near 100%, which is the primary indicator of a cryptomining infection.
Network Blocking (Mining Pools): Implement strict egress filtering on the corporate firewall to block traffic to known cryptocurrency mining pools (e.g., ports 3333, 4444, 5555 commonly used by Stratum protocols) and sinkhole mining domain names.
Targeted Malware Removal: Standard AV may struggle with the persistence mechanisms. Utilize EDR or a dedicated anti-malware scan to identify the hidden executables, terminate the mining process, and remove the associated Scheduled Tasks.
Known aliases
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1496T1547.001T1562.001
Generated Detections (Boilerplate)
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.