A new stealthy cryptomining malware dubbed “Coinminer.Win32.MALXMR.TIAOODAM” has just been discovered. The malware is designed to evade detection and uses multiple obfuscation and packing techniques while it operates.
Cryptomining malware variants have become all the rage among cybercriminals over the past few years. This is not only because of the immense profits cryptominers yield, but also because they are generally able to remain undetected on infected systems for longer than other conventional malware.
“The concept of a stealthy, difficult-to-detect malware operating behind the scenes has proven to be an irresistible proposition for many threat actors, and they’re evidently adding even more techniques,” Trend Micro researchers, who discovered the new cryptominer, wrote in a blog.
The malware is delivered to victim machines as a Windows Installer MSI file. This is presumably done to trick victims into downloading the cryptominer, since Windows Installer is a legitimate component commonly used to install software. Arriving as an MSI file also helps the malware bypass several security filters.
The malware installation process uses Cyrillic text, which experts believe may hint at its geographical origin. The malware also comes with a self-destruction mechanism: it is capable of deleting every file under its installation directory and removing all traces of the installation from a targeted system.
“One notable aspect of the malware is that it uses the popular custom Windows Installer builder WiX as a packer, most likely as an additional anti-detection layer. This indicates that the threat actors behind it are exerting extra effort to ensure that their creation remains as stealthy as possible,” the researchers added. “The evolving aspect of cryptocurrency mining malware — constantly adding evasion techniques — means that powerful security tools are often needed to defend users from these kinds of threats.”