Computers users infected with the newly observed cryptojacking malware WinstarNssmMiner will be surprised to discover that the nasty malware crashes their machines if they try to terminate the program, making it difficult to remove.
In a May 16 blog post, researchers with Qihoo 360 report that the malicious cryptominer has already stolen enough processing power from victims’ machines to accumulate 133 Monero coins — worth about 26,500 as of May 18. It also seems to be attacking in large numbers, as Qihoo counts more than 500,000 attacks intercepted by its security solution in just three days.
Based off of the open-source XMRig miner, WinstarNssmMiner works by creating two svchost.exe system processes – one to conducting mining and the other for avoiding anti-virus detection. The cryptojacker subverts attempts to remove it by injecting malicious code into one of the svchost.exe processes, and then setting its attribute to CriticalProcess so that any attempt to terminate it results in a crash. “We’re quite surprised to see a cryptominer being so brutal…” the blog post stated in reaction to this technique.
“The WinstarNssmMiner malware is unusual because in general, most malware payloads want to run on your system for an extended period of time while remaining undetected. To crash the system as a last-ditch effort to avoid removal when an AV scan is detected is cowardly if there is such a thing in the cybercrime world. I sincerely hope we don’t start seeing this more often in malware, said Marc Laliberte, information security threat analyst at network security company WatchGuard Technologies, in emailed comments.
“I believe if we start seeing more copycat malware setting themselves as critical processes, Microsoft will be forced to change which processes are allowed to set that flag. It’s likely we will see something similar to privileged processes protection where only signed and verified applications or even just Windows processes can mark themselves as critical.”
That’s not the only way the malware acts cravenly: WinstarNssmMiner also checks for quality anti-virus solutions like those from Avast and Kaspersky, and quits if any of these are detected. Alternatively, the cryptojacker can “deceive” or turn off less effective anti-virus software, Qihoo reported, although details were vague on how this is accomplished.
“The fact that this campaign has affected half a million PCs in only three days might be pointing to a popular attack vector like a heavily trafficked website, an infected ad, or a Wi-Fi spot,” speculated Chris Olson, CEO of The Media Trust, in emailed comments. “It’s also possible that this malware was spread using an exploit that targets Windows machines.
Regardless of the attack vector, Olson said, “It’s clear that cryptojacking malware authors are finding ever more potent methods of editing cryptomining code to stage their attacks.”