An aggressive strain of cryptocurrency-mining malware crashes PCs when users try to remove it from the system. Dubbed "WinstarNssmMiner" by the 360 Total Security team, the malware essentially hijacks the target PC, consuming a large share of its processing power to mine digital coins, and ties itself to critical Windows system services to prevent removal.
"The distributor has made huge profits through the extraction of Monero on infected computers," the team said in a blog post. "According to our statistics, 360 Total Security has intercepted its attack over 500,000 times in 3 days."
It is not clear how victims end up with this malware in the first place. Presumably they are opening files received by email or through social media. Once it lands on a victim's PC, it searches for antivirus software and disables any product not made by Kaspersky, Avast, or other high-profile vendors. If a high-profile antivirus product is present, the malware stays idle while the antivirus scans the file, avoiding detection.
The malware then creates two system processes named "svchost.exe", injects malicious code into them, and sets their attributes to "CriticalProcess". One svchost process starts mining digital currency while the second monitors the installed antivirus software. If the antivirus becomes active, both stop in their tracks to avoid detection.
As a result, the antivirus software does not detect the new malware. The side effect of the currency mining, however, is that the process consumes huge amounts of CPU, slowing the victims' PCs to an annoying crawl. Device owners who dig into Task Manager and try to manually close the offending Service Host process only get the dreaded Blue Screen of Death. Ouch.
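As an added illustration (not code from the article or from 360 Total Security), the following Python triage function applies the indicators described above to a constructed process snapshot: svchost.exe instances with an unexpected parent or image path, the "CriticalProcess" attribute, and sustained high CPU. The snapshot fields, the parent/path baseline and the CPU threshold are assumptions, not values taken from the article.

```python
# Added example: triage a process snapshot for the svchost.exe masquerade the
# article describes. Not code from the article or from 360 Total Security.
from dataclasses import dataclass

# Assumed baseline for a genuine svchost.exe on a default Windows install.
LEGIT_SVCHOST_PATH = r"c:\windows\system32\svchost.exe"
LEGIT_SVCHOST_PARENT = "services.exe"
CPU_THRESHOLD = 80.0  # assumption: sustained CPU % typical of a miner


@dataclass
class Proc:
    pid: int
    name: str
    path: str
    parent: str      # image name of the parent process
    critical: bool   # assumption: the "CriticalProcess" attribute the article mentions
    cpu: float       # sustained CPU percentage


def svchost_findings(procs):
    """Return {pid: [reasons]} for svchost.exe instances that deviate from the baseline."""
    findings = {}
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        reasons = []
        # Code injected into a genuine svchost.exe keeps the normal path, so the
        # parent, critical flag and CPU signals matter more than the path alone.
        if p.path.lower() != LEGIT_SVCHOST_PATH:
            reasons.append("unexpected image path")
        if p.parent.lower() != LEGIT_SVCHOST_PARENT:
            reasons.append("not spawned by services.exe")
        if p.critical:
            # Terminating a critical process triggers the BSOD the article describes.
            reasons.append("marked critical: do not terminate, BSOD risk")
        if p.cpu >= CPU_THRESHOLD:
            reasons.append("sustained high CPU")
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed sample snapshot: one genuine svchost, the miner pair, one unrelated process.
SAMPLE = [
    Proc(800, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe", False, 1.2),
    Proc(4120, "svchost.exe", r"C:\Windows\System32\svchost.exe", "explorer.exe", True, 97.0),
    Proc(4133, "svchost.exe", r"C:\Windows\System32\svchost.exe", "explorer.exe", True, 0.4),
    Proc(5000, "notepad.exe", r"C:\Windows\notepad.exe", "explorer.exe", False, 0.1),
]

if __name__ == "__main__":
    for pid, reasons in svchost_findings(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

The second flagged instance shows why a CPU threshold alone is not enough: the watchdog process idles, so the parent and critical-flag checks are what catch it.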
The cryptocurrency miner is connected to four mining pools, i.e. groups of miners who share their processing power and split the mined coins according to their contribution. It is based on an open-source cryptocurrency project called XMRig to mine Monero coins. Given the heavy load XMRig places on the CPU, it was originally designed to run on dedicated PCs, not the laptops and desktops used for everyday tasks.
This is not the first time XMRig has shown up in malware. The WaterMiner trojan appeared toward the end of 2017 in a user-created mod for Grand Theft Auto V, attributed to an alleged Russian hacker. After the mod is installed, a hidden downloader retrieves the cryptocurrency miner and disguises it as a legitimate application. It then proceeds to mine digital coins, slowing down the host PC. To avoid being closed manually by the device owner, it stops as soon as the victim opens Task Manager, disappearing from the process list.
Distributing cryptocurrency miners is a growing trend among hackers. Instead of selling stolen information on the black market or holding the PC for ransom, many have started generating digital coins on the target PC. Current methods include malware distribution, fake browser extensions, infected ads, and special code embedded in malicious websites.
So far, the hackers behind the new WinstarNssmMiner malware have generated only about $28,000 in Monero coins.