Hackers behind cryptominer attacks are growing more aggressive and ruthless. Case and point, a cryptominer malware sample dubbed WinstarNssmMiner has been tracked in 500,000 attacks in the past three days, earning the crooks $28,000, according to researchers.
What makes the cryptominer so vicious is the fact that, post infection, if a victim’s AV software identifies WinstarNssmMiner and tries to remove it (or a user tries to disable it) the malware crashes the host system. WinstarNssmMiner targets Windows systems and leeches on to a system’s processor power with a trojanized version of the XMRig mining program.
MassMiner Takes a Kitchen-Sink Approach to Cryptomining
PyRoMine Uses NSA Exploit for Monero Mining and Backdoors
Muhstik Botnet Exploits Highly Critical Drupal Bug
“This malware is very hard to remove since victims’ computers crash as soon as [it’s] found,” according to 360 Security researchers who published a report on the malware Wednesday. “We’re quite surprised to see a cryptominer being so brutal to hijack victims’ computers by adopting techniques of stubborn malware,” researchers wrote.
An analysis of the cryptominer campaign reveals WinstarNssmMiner has already earned cybercriminals 133 Monero, or $28,000 based on current rates. Researchers did not specify how long it took criminals to earn that money.
Those totals are a drop in the bucket for crypto-jacking campaigns. Malicious cryptomining that targets computers, servers or cloud-based systems have seen enormous growth over the last six months earning crooks millions in cryptocurrency. In February, hackers are estimated to have earned $3 million by exploiting a vulnerability (CVE-2017-1000353) on servers running Jenkins software and installing Monero miners, researchers at Check Point reported.
It’s unclear what the WinstarNssmMiner infection path is, but once the malware executes on a targeted system it launches a system process called svchost.exe, a process that manages system services. Next, it injects malicious code into svchost.exe.
“There are actually two svchost.exe processes created. One performs the mining tasks. The other runs in the background for sensing the antivirus protection and avoiding detection,” researchers said.
The svchost.exe process created for cryptomining has a process attribute of CriticalProcess, which means terminating the process crashes the system. A second svchost.exe process runs in the background and attempts to detect “decent” antivirus software that developers know can identify the malware. “[The] malware will quit automatically to avoid direct confrontation,” researchers said.
The miner itself is based on the open source project, XMRig. XMRig is a legitimate cryptocurrency mining program known as a high performance Monero CPU miner. The miner is better known for its trojanized versions that have been adopted for criminal use. It has been used in several recent malicious cryptocurrency campaigns and one in January where it was installed via malware on 15 to 30 million endpoints, according to a report by Palo Alto Networks.
XMRig code was also used in recent attacks, such as the Jenkins miner, and also with malicious campaigns dubbed RubyMiner and WaterMiner, according to an IBM X-Force Research report.