Security researchers from Qihoo 360 Total Security have detected a massive malware campaign spreading a new coinminer, one that appears to have infected roughly 500,000 machines in three days alone.
At the heart of this campaign is a new malware strain named WinstarNssmMiner, targeting Windows computers.
Under the hood, WinstarNssmMiner is typical of today's cryptocurrency-mining malware: its mining component is built on XMRig, the open-source and otherwise legitimate Monero mining utility.
WinstarNssmMiner shuts down AV products
Qihoo 360 researchers did not say how WinstarNssmMiner spreads, but they said this coinminer differs from the other cryptocurrency-mining threats currently active.
The typical WinstarNssmMiner modus operandi, according to researchers, is the following:
⊚ Infect victim
⊚ Scan for Avast and Kaspersky antivirus process
⊚ If user is using one of the two, abandon infection
⊚ If not, launch two svchost.exe processes
⊚ One process is for the hidden mining
⊚ The second process is to watch for other antivirus processes
⊚ This process can also shut down other AV processes to avoid detection
WinstarNssmMiner crashes PCs when users try to uninstall it
But WinstarNssmMiner also has another surprise in store for infected victims. If a user ever notices the hidden mining and tries to kill the svchost.exe process hosting XMRig, the malware crashes the user's PC, which then has to be restarted.
The crash occurs because the malware marks its svchost.exe process as a "CriticalProcess" (the ProcessBreakOnTermination flag, the same mechanism that makes killing system processes such as csrss.exe or wininit.exe fatal). When a process carrying that flag exits, Windows raises the CRITICAL_PROCESS_DIED bug check and blue-screens the machine instead of letting the process simply terminate. Blindly ending the task from Task Manager is therefore exactly the wrong response; the flag has to be checked, or cleared, first.
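The practical question for a responder is how to tell a miner hiding as svchost.exe from the dozens of legitimate instances, and whether killing a given one is safe. The following PowerShell hunt is an added example written for this page; it is not code from Qihoo 360 or from the malware. It lists svchost.exe instances that deviate from what a genuine one looks like (parent is services.exe, image is %SystemRoot%\System32\svchost.exe, command line carries a -k service group; these are general Windows facts, not something the researchers stated about this sample) and queries the ProcessBreakOnTermination flag through NtQueryInformationProcess (information class 29), which is what "CriticalProcess" refers to. Run it from an elevated prompt, since opening other users' processes needs admin rights.

```powershell
# Added example: hunt for svchost.exe instances that look out of place or are
# flagged as "critical" (ProcessBreakOnTermination), so nobody kills one blind.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NtProc {
    // Undocumented but long-stable ntdll export; class 29 = ProcessBreakOnTermination.
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(
        IntPtr hProcess, int infoClass, out uint info, int infoLen, out int retLen);
}
"@

$ProcessBreakOnTermination = 29
$expectedImage = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Snapshot every process once so parent lookups are cheap and consistent.
$byPid = @{}
Get-CimInstance Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }

foreach ($p in ($byPid.Values | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $reasons = @()

    # Heuristic 1: a real svchost.exe is always started by services.exe.
    $parent = $byPid[[int]$p.ParentProcessId]
    if (-not $parent -or $parent.Name -ine 'services.exe') {
        $reasons += "parent is '$($parent.Name)' (PID $($p.ParentProcessId)), not services.exe"
    }
    # Heuristic 2: it runs from System32, not from a dropped copy elsewhere.
    if ($p.ExecutablePath -and $p.ExecutablePath -ine $expectedImage) {
        $reasons += "image path is $($p.ExecutablePath)"
    }
    # Heuristic 3: it hosts a service group (-k <group>); a miner has no reason to.
    if ($p.CommandLine -notmatch '\s-k\s') {
        $reasons += "command line has no -k service group"
    }

    # Query the critical flag. Killing a flagged process bugchecks the box.
    $critical = $null
    try {
        $handle = [System.Diagnostics.Process]::GetProcessById([int]$p.ProcessId).Handle
        [uint32]$flag = 0
        [int]$returned = 0
        $status = [NtProc]::NtQueryInformationProcess(
            $handle, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$returned)
        if ($status -eq 0) { $critical = ($flag -ne 0) }
    } catch {
        # Access denied (protected or other-user process): leave $critical unknown.
    }
    if ($critical -eq $true) {
        $reasons += "ProcessBreakOnTermination is SET: terminating it will trigger CRITICAL_PROCESS_DIED"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            PID      = $p.ProcessId
            Parent   = $p.ParentProcessId
            Critical = $critical
            Why      = ($reasons -join '; ')
        }
    }
}
```

A legitimate svchost.exe should produce no output here; a process that fails the parent or path checks and also reports Critical = True is the case this article describes. Do not end such a process from Task Manager. The flag can be cleared by a process holding SeDebugPrivilege via NtSetInformationProcess with the same information class and a zero value, after which the process can be terminated normally; alternatively, remove the persistence and image while booted into Safe Mode, where the miner never starts.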
According to Qihoo 360 researchers, the group behind this operation has managed to make 133 Monero with WinstarNssmMiner, which is around $28,000.
Two other coinminer campaigns detected
But WinstarNssmMiner is not the only new coinminer campaign Qihoo 360 researchers spotted. They have also run across IdleBuddyMiner, a threat that takes the opposite approach to WinstarNssmMiner.
Instead of sneakily mining Monero on infected hosts, IdleBuddyMiner asks nicely for permission via a popup.