A new cryptojacking malware strain named WinstarNssmMiner has been identified that has already been used in half a million attempted attacks on PCs in just three days. According to Qihoo 360 researchers, the malware infects PCs, hijacks their processing power and secretly mines the Monero cryptocurrency. To add insult to injury, it also crashes the machine the moment the victim attempts to terminate and remove the programme.
Based on the open-source project XMRig, WinstarNssmMiner works by creating two svchost.exe system processes: one performs the mining, while the other runs in the background to scan for antivirus programmes and evade detection. The malware also injects malicious code into one of the svchost.exe processes and marks it as a critical process (the attribute the researchers refer to as CriticalProcess; Windows treats the death of such a process as a fatal system error). If a user tries to terminate the malware manually or via an antivirus program, Windows bugchecks and the user's PC crashes with a blue screen.
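The two traits described above, a rogue svchost.exe and a process flagged critical, are both observable from the host, and the critical flag is exactly why a naive "kill it" response ends in a blue screen. The following PowerShell is an added example written for this page; it is not the article's or Qihoo 360's code and makes no claim about the sample's internals beyond what the text states. It flags svchost.exe instances that were not started by services.exe or do not run from System32, reads the critical-process flag through NtQueryInformationProcess, and shows how to clear that flag before stopping the process. The PROCESSINFOCLASS value 29 (ProcessBreakOnTermination), the P/Invoke signatures and the access-mask constants are assumptions taken from the Windows native API, not from the article.

```powershell
# Added example, not from the article or from Qihoo 360's analysis.
# Hunts for the two traits the article describes: svchost.exe instances
# that do not belong to the Service Control Manager, and processes that
# carry the "critical process" (ProcessBreakOnTermination) flag, which is
# what turns a kill into a blue screen. Run from an elevated session.
# PROCESSINFOCLASS 29 and the signatures below are assumptions taken from
# the Windows native API, not from the article.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NativeProc {
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
        out int info, int infoLength, out int returnLength);
    [DllImport("ntdll.dll")]
    public static extern int NtSetInformationProcess(IntPtr hProcess, int infoClass,
        ref int info, int infoLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(int desiredAccess, bool inheritHandle, int processId);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr handle);
}
"@

$ProcessBreakOnTermination = 29      # PROCESSINFOCLASS value (assumption, see lead-in)
$PROCESS_QUERY_INFORMATION = 0x0400
$PROCESS_SET_INFORMATION   = 0x0200

# $true if the process is marked critical, $false if not, $null if it could
# not be queried (protected process, already exited, insufficient privilege).
function Test-CriticalProcess {
    param([Parameter(Mandatory)][int]$ProcessId)
    $h = [NativeProc]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }
    try {
        $flag = 0; $returned = 0
        $status = [NativeProc]::NtQueryInformationProcess(
            $h, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$returned)
        if ($status -ne 0) { return $null }     # NTSTATUS failure
        return ($flag -ne 0)
    } finally {
        [void][NativeProc]::CloseHandle($h)
    }
}

# Clears the flag so the process can be stopped without a bugcheck.
# Never Stop-Process a critical process before doing this.
function Clear-CriticalProcessFlag {
    param([Parameter(Mandatory)][int]$ProcessId)
    $h = [NativeProc]::OpenProcess($PROCESS_SET_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $zero = 0
        $status = [NativeProc]::NtSetInformationProcess(
            $h, $ProcessBreakOnTermination, [ref]$zero, 4)
        return ($status -eq 0)
    } finally {
        [void][NativeProc]::CloseHandle($h)
    }
}

# Every legitimate svchost.exe is started by services.exe from System32.
$servicesPid  = (Get-Process -Name services -ErrorAction Stop).Id
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

$suspects = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    [pscustomobject]@{
        PID       = $_.ProcessId
        ParentPID = $_.ParentProcessId
        Path      = $_.ExecutablePath                         # $null if not readable; treated as suspect
        BadParent = ($_.ParentProcessId -ne $servicesPid)
        BadPath   = ($_.ExecutablePath -ne $expectedPath)     # -ne is case-insensitive in PowerShell
        Critical  = Test-CriticalProcess -ProcessId $_.ProcessId
    }
} | Where-Object { $_.BadParent -or $_.BadPath -or $_.Critical -eq $true }

$suspects | Format-Table -AutoSize

# Remediation sketch: disarm first, then stop. Uncomment only after triage.
# foreach ($s in $suspects | Where-Object { $_.Critical -eq $true }) {
#     if (Clear-CriticalProcessFlag -ProcessId $s.PID) { Stop-Process -Id $s.PID -Force }
# }
```

The hunt is deliberately scoped to svchost.exe: system processes such as csrss.exe, wininit.exe and smss.exe legitimately carry the critical flag, so checking every process would drown the result in expected hits, whereas no service host should ever be critical. Opening another user's process and changing its information class requires an elevated session holding SeDebugPrivilege; without it the query returns $null and the process shows up only if its parent or path is wrong. The parent and path checks are heuristics for triage, not proof of infection, and a process that sets itself critical can equally be checked by an EDR from kernel mode, where the flag lives in the EPROCESS, which is where a production detection belongs.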
“We’re quite surprised to see a CryptoMiner being so brutal to hijack victims’ computers by adopting techniques of stubborn malware,” Qihoo researchers noted in a blog post. They also added that if the malware detects “decent antivirus security software” by reputable companies such as Kaspersky or Avast, it automatically quits to avoid confrontation.
“Interestingly, this malware is acting snobbish when facing different antivirus software,” researchers said. “It turns off antivirus protection of defenseless foes and backs off when facing sharp swords. As a result, users without a decent antivirus product have to live with the slowness and the blue screens of their computers.”
The threat actors behind the malware have already mined 133 Monero coins, worth roughly $28,000 at current exchange rates.
This isn't the first time the legitimate, open-source cryptocurrency miner XMRig has been exploited by malware developers and threat actors for nefarious purposes. XMRig mining code was also used in other recent strains of crypto-mining malware such as the Jenkins miner, and in malicious campaigns like RubyMiner and WaterMiner, according to an IBM X-Force Research report.
"The fact that this campaign has affected half a million PCs in only three days might be pointing to a popular attack vector like a heavily trafficked website, an infected ad, or a Wi-Fi spot," speculated Chris Olson, CEO of The Media Trust, in an email to SC Magazine. He also added, "It's clear that crypto jacking malware authors are finding ever more potent methods of editing crypto mining code to stage their attacks."