A new form of cryptominer has been discovered which crashes systems the moment antivirus products attempt to remove the malware.
The malware, dubbed WinstarNssmMiner by 360 Total Security researchers, has been used in half a million attempted attacks leveraged at PCs in only three days.
On Wednesday, the cybersecurity firm said the cryptomining malware aims to infect PCs in order to steal processing power for the purpose of mining the Monero cryptocurrency.
WinstarNssmMiner is brutal code: it crashes victim PCs the moment antivirus products detect it and attempt to remove it.
The cryptominer launches the svchost.exe process — used to manage system services — and injects malicious code into the file. One injected process begins mining cryptocurrency while the other runs in the background to avoid detection and scan for antivirus protection.
In the second stage, WinstarNssmMiner sets the CriticalProcess attribute on its process, which allows the malware to crash the system at whim.
However, the malware is a coward at heart. As 360 Total Security writes, WinstarNssmMiner “turns off antivirus protection of defenseless foes and backs off when facing sharp swords.”
The malware scans compromised systems for antivirus products. If it discovers a “decent” solution offered by a reputable company, such as Kaspersky Lab or Avast, it quits automatically.
However, if weaker antivirus systems are in use, the crash process starts up and victims have to live with crippling slowness and blue screens while the malware cheerfully steals their power and mines Monero on the attacker’s behalf.
“Due to the nature of digital currency mining, cryptominers use up victims’ processing power for the sake of their distributors,” the researchers note. “Some savvy users are able to identify and terminate the CPU consuming applications. Hence, WinstarNssmMiner protects itself by configuring its mining processes’ attribute to CriticalProcess so infected computers crash when users terminate it.”
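The CriticalProcess trick described above is also the reason a responder should not kill a suspicious svchost.exe blindly. The following script is an added example, not code from the article or from 360 Total Security: it enumerates svchost.exe instances and queries the ProcessBreakOnTermination attribute (the "critical process" flag) via NtQueryInformationProcess, alongside the parent process, so the ones that would blue-screen the host on termination are visible before any action is taken. It assumes an elevated Windows PowerShell 5.1 session; the helper name Test-CriticalProcess is hypothetical.

```powershell
# Added example: list svchost.exe processes with their parent and whether the
# "break on termination" (critical process) attribute is set. Run elevated.
$nt = Add-Type -Namespace Win32 -Name Nt -PassThru -MemberDefinition @'
[DllImport("ntdll.dll")]
public static extern int NtQueryInformationProcess(
    IntPtr hProcess, int infoClass, ref uint info, int infoLength, out int returned);
'@

# ProcessBreakOnTermination is PROCESSINFOCLASS 29; the output is a ULONG,
# 1 when the process is marked critical (terminating it bugchecks the host).
$ProcessBreakOnTermination = 29

function Test-CriticalProcess {
    param([System.Diagnostics.Process]$Process)
    $flag = [uint32]0
    $len  = 0
    try {
        $status = $nt::NtQueryInformationProcess(
            $Process.Handle, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$len)
    } catch {
        return $null   # handle not obtainable (e.g. protected process): unknown
    }
    if ($status -ne 0) { return $null }   # non-zero NTSTATUS: query failed
    return ($flag -eq 1)
}

# A genuine svchost.exe is started by services.exe from System32; one with
# another parent, or with the critical flag set, deserves a closer look.
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    $parentId = (Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)").ParentProcessId
    $parentName = (Get-Process -Id $parentId -ErrorAction SilentlyContinue).Name
    [pscustomobject]@{
        PID        = $p.Id
        Path       = $p.Path
        ParentName = $parentName
        Critical   = Test-CriticalProcess $p
        Suspicious = ($parentName -ne 'services') -or (Test-CriticalProcess $p) -eq $true
    }
} | Format-Table -AutoSize
```

A process reported as Critical should be handled by clearing the attribute (RtlSetProcessIsCritical) or by taking the host down cleanly rather than by terminating it, which would produce exactly the blue screen the malware relies on.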
Four mining pools have been linked to the malware at present. At the time of writing, the threat actors behind the spread of WinstarNssmMiner have mined 133 Monero, which is equivalent to roughly $26,500.
The malware is based on XMRig, a legitimate open-source cryptocurrency mining project. This legitimate tool, however, has been hijacked by malware developers for fraudulent cryptocurrency mining purposes.
IBM, for example, has connected XMRig to cryptocurrency mining malware RubyMiner and Waterminer.
Earlier this week, researchers from RedLock warned that cryptojacking attacks are on the rise against enterprise players which utilize cloud environments.
Up to 25 percent of organizations are thought to have experienced cryptojacking activity within their cloud environments this year alone. Insecure databases and the failure to rotate access keys are often at fault.