Pieces of malware that usurp your computer’s CPU to mine cryptocurrency while you are browsing online or watching YouTube videos are a pretty well-established annoyance at this point in crypto history – so much so that the practice has earned its own name, ‘cryptojacking.’ Typically these miners (most of which mine Monero) can be shut down by doing something as simple as closing one’s browser.
However, a newer, more aggressive piece of crypto-mining malware has been discovered – one that will crash your computer as soon as it detects an attempt to remove it.
#Cryptojacking has impacted 1 in 4 organizations according to research performed by our FortiGuard Labs team. Our Anthony Giandomenico gives some insight into the recent Threat Landscape Report: pic.twitter.com/k9YhbU1Kqc
— Fortinet (@Fortinet) May 17, 2018
Researchers at 360 Total Security have reported that the malware, named ‘WinstarNssmMiner,’ has attempted to spread across roughly 500,000 PCs in just three days through email and compromised websites.
Once downloaded, the malware launches ‘svchost.exe’, the legitimate Windows process that hosts basic operating-system services. The malware then injects its malicious code into that process, so the miner runs under a trusted system process name while everything else appears to run normally, which helps it avoid detection.
The Malware Alters ‘CriticalProcess’
Once WinstarNssmMiner has managed to complete this part of its operation successfully, it then marks its own process as a ‘CriticalProcess’ (a process Windows will not let terminate without crashing), giving the malware the power to crash the system whenever it wishes.
In some respects, WinstarNssmMiner’s bark is much louder than its bite. Before installing itself, the malware will scan its host PC for antivirus software. According to ZDNet, if it detects software by Avast or Kaspersky or another reputable company, WinstarNssmMiner won’t even bother installing itself in the first place.
However, if a computer is guarded with second-rate antivirus software (or no antivirus software at all), the malware will gleefully take advantage of every bit of CPU that it can. This is where the crashing capabilities come into play: “some savvy users can identify and terminate the CPU consuming applications. Hence, WinstarNssmMiner protects itself by configuring its mining processes’ attribute to CriticalProcess so infected computers crash when users terminate it.”
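The two behaviours described above (code running inside svchost.exe, and a process marked critical so that killing it crashes the machine) can both be checked for from an elevated PowerShell prompt. The script below is an added triage example; it is not code from the article, from 360 Total Security or from ZDNet. It assumes Windows 10/11 with Windows PowerShell 5.1 or PowerShell 7, run as administrator. The class name NtProc, the function Test-BreakOnTermination, the baseline list of processes Windows itself marks critical, and the heuristic that a genuine svchost.exe lives in System32 and is started by services.exe are all the example’s own assumptions; the ‘break on termination’ flag is queried through the documented NtQueryInformationProcess class ProcessBreakOnTermination.

```powershell
# Added triage example (not code from the article, 360 Total Security or ZDNet).
# Check 1: svchost.exe instances that do not look like the real Windows service host
#          (image outside System32, or a parent other than services.exe).
# Check 2: any process with the "break on termination" flag set, i.e. one that will
#          bug-check the machine if it is killed from Task Manager.
# Assumes Windows 10/11, PowerShell 5.1 or 7, run elevated so OpenProcess succeeds
# for processes owned by other accounts.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NtProc {
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr h, int infoClass,
        out uint info, int infoLength, out int returnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
"@

$PROCESS_QUERY_INFORMATION = 0x0400
$ProcessBreakOnTermination = 29          # PROCESSINFOCLASS value from the Windows DDK headers
$sys32 = Join-Path $env:SystemRoot 'System32'

# One WMI snapshot gives us parent PIDs and image paths for every process.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Returns $true/$false for the flag, or $null when the process cannot be opened
# (protected processes such as csrss.exe, or a process that has already exited).
function Test-BreakOnTermination([int]$ProcessId) {
    $h = [NtProc]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }
    try {
        [uint32]$flag = 0; [int]$len = 0
        $status = [NtProc]::NtQueryInformationProcess($h, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$len)
        if ($status -ne 0) { return $null }
        return ($flag -ne 0)
    } finally { [void][NtProc]::CloseHandle($h) }
}

# Processes a default Windows install runs with the critical flag (assumed baseline;
# anything else carrying the flag is reported as unexpected). Tune this for your fleet.
$baselineCritical = @('csrss', 'smss', 'wininit', 'winlogon', 'services', 'lsass')

$findings = foreach ($p in $procs) {
    $name    = ($p.Name -replace '\.exe$', '').ToLower()
    $parent  = $byPid[[int]$p.ParentProcessId]
    $reasons = @()

    if ($name -eq 'svchost') {
        if ($p.ExecutablePath -and -not $p.ExecutablePath.StartsWith($sys32, 'OrdinalIgnoreCase')) {
            $reasons += "svchost image outside System32: $($p.ExecutablePath)"
        }
        if ($parent -and $parent.Name -ne 'services.exe') {
            $reasons += "svchost parent is $($parent.Name) (PID $($parent.ProcessId)), not services.exe"
        }
    }

    if ((Test-BreakOnTermination $p.ProcessId) -eq $true -and $baselineCritical -notcontains $name) {
        $reasons += 'break-on-termination flag set: terminating it will bug-check the machine'
    }

    if ($reasons.Count) {
        [pscustomobject]@{
            Pid    = $p.ProcessId
            Name   = $p.Name
            Path   = $p.ExecutablePath
            Reason = $reasons -join '; '
        }
    }
}

$findings | Format-Table -AutoSize
```

A process that shows up with the flag set should not simply be ended from Task Manager, which is exactly the outcome the malware is counting on. Suspend it, or boot into Safe Mode, and remove its persistence before the process is terminated; the flag itself is only honoured while the process is running, so it does not survive a reboot.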
Here’s how to use @publicww to find websites running #cryptojacking malware such as: #Coinhive
— Bad Packets Report (@bad_packets) February 8, 2018
On Thursday, May 17, ZDNet reported that WinstarNssmMiner had already mined 133 Monero tokens, the equivalent of about $26,500. Four mining pools have reportedly been linked to the malware, although details are unclear.