An aggressive form of malware designed to mine cryptocurrency is now crashing PCs when you try to remove it from the system. Dubbed “WinstarNssmMiner” by the 360 Total Security team, the malware essentially hijacks the target PC by consuming loads of processing power to mine the digital coins and attaching itself to the critical system services in Windows to prevent removal.
“The distributor has made tremendous profit via mining Monero on infected computers,” the team said in a blog. “According to our statistics, 360 Total Security has intercepted its attack over 500,000 times in 3 days.”
What’s not clear is how victims end up with this malware in the first place. Presumably, though, they are opening files in emails or through social media. Once it lands on a victim’s PC, it scans for antivirus software and will disable any solution not developed by Kaspersky, Avast, and other high-tier providers. If a high-profile antivirus solution is present, the malware doesn’t do anything while the antivirus software scans the file, avoiding detection.
After that, the malware creates two system processes called “svchost.exe,” injects malicious code into these processes, and sets their attributes to “CriticalProcess.” One svchost process then begins too mine digital currency while the second svhost process keeps an eye on the installed antivirus software. If the antivirus wakes up, they stop in their tracks to avoid detection.
That said, antivirus software doesn’t detect the new malware. But the side effect of mining digital currency is that the process eats tremendous loads of CPU horsepower, slowing down victim PCs to an annoying crawl. Device owners digging into the Task Manager will attempt to manually close the offending Service Host only to get the dreaded Blue Screen of Death. Ouch.
The cryptocurrency miner is connected to four mining pools, which are groups of miners who share their processing power and split the coin stash based on their contribution. It relies on an open-source cryptocurrency mining project called XMRig for digging up Monero coins. Given the heavy load XMRig throws onto the CPU, it’s originally designed to run on dedicated PCs, not laptops and desktops used for everyday tasks.
This isn’t the first encounter with XMRig in malware. The WaterMiner trojan appeared in a user-made mod for Grand Theft Auto V in late 2017 by an alleged Russian hacker. After installing the mod, a hidden downloader retrieves the cryptocurrency miner and hides it as a legitimate application. It then proceeds to mine digital coins, slowing down the host PC. To avoid manual termination by the device owner, it halts once the victim opens Task Manager, disappearing from the Processes list.
The distribution of cryptocurrency miners is a growing trend with hackers. Instead of leaking information on the black market for profit or hijacking PCs for ransom, many have taken to generating digital coins on target PCs. Current methods include malware distribution, fake browser extensions, infected advertisements, and special code embedded in malicious websites.
So far the hackers behind the new WinstarNssmMiner malware have only generated around $28,000 in Monero coins.