CryptoMiner Distributes XMRIG In New Attacks

Hackers behind cryptominer attacks are growing more and more ruthless.

A cryptominer malware sample named WinstarNssmMiner has been tracked in 500,000 attacks in the past three days alone, earning the criminals $27,000, according to researchers.

What makes the cryptominer so dangerous is the fact that post infection if a victim’s antivirus software identifies WinstarNssmMiner and tries to remove it (or a user tries to disable it) the malware crashes the system.

WinstarNssmMiner targets Windows systems and leeches on to a system’s processor power with a trojanized version of the XMRig mining program.Image result for xmrig

An analysis of the cryptominer campaign reveals WinstarNssmMiner has already earned cybercriminals 133 Monero, or $27,000 based on current rates.

Those totals are not much when compared to crypto-jacking campaigns. Nefarious cryptomining that targets computers, servers or cloud-based systems have seen enormous growth over the last six months earning millions in cryptocurrency. In February of this year hackers are estimated to have earned $3 million by exploiting a vulnerability (CVE-2017-1000353) on servers running Jenkins software and installing Monero miners, the researchers at Check Point reported.

It is unclear what the WinstarNssmMiner infection path is at this time however once the malware executes on a targeted system it launches a system process called svchost.exe, a process that manages system services. Next, it injects malicious code into the svchost.exe executable file.

“There are actually two svchost.exe processes created. One performs the mining tasks. The other runs in the background for sensing the antivirus protection and avoiding detection,” researchers commented.

The svchost.exe process created for cryptomining has a process attribute of CriticalProcess, that means terminating the process crashes the system. A second svchost.exe process runs in the background and attempts to detect “decent” antivirus software that devs know can identify the malware.

The miner itself is based on the open source project, XMRig. XMRig is a legit cryptocurrency mining program known as a high performance Monero CPU miner. The cryptominer is better known for its trojanized versions that have been adopted for criminal use. It has been used in several recent malicious cryptocurrency campaigns and one in January this year where it was installed via malware on fifteen to thirty million endpoints, according to a report by Palo Alto Networks.

XMRig code was also used in recent attacks, such as the Jenkins miner, and also with malicious campaigns called RubyMiner and WaterMiner, according to an IBM X-Force Research report.

Olé Crypto,

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.