A new form of cryptominer has been discovered which crashes systems the moment antivirus products attempt to remove the malware.
The malware, dubbed WinstarNssmMiner by 360 Total Security researchers, was used in half a million attempted attacks against PCs in only three days.
On Wednesday, the cybersecurity firm said the cryptomining malware aims to infect PCs in order to steal processing power for mining the Monero cryptocurrency. The malware is based on XMRig, a legitimate open-source cryptocurrency miner. That legitimate miner, however, has been hijacked by malware developers for fraudulent cryptocurrency mining.
WinstarNssmMiner is brutal code: it crashes victim PCs the moment antivirus products detect it and attempt to remove it. The cryptominer launches svchost.exe, the Windows host process for system services, and injects malicious code into it. One injected process begins mining cryptocurrency while the other runs in the background to avoid detection and scans for antivirus protection.
In the second stage, WinstarNssmMiner marks its process as a CriticalProcess, a process attribute that makes Windows crash the system whenever that process is terminated, which lets the malware bring the machine down at will. However, as 360 Total Security writes, WinstarNssmMiner “turns off antivirus protection of defenseless foes and backs off when facing sharp swords.”
The malware scans compromised systems for antivirus products. If a “decent” solution from a reputable company, such as Kaspersky Lab or Avast, is found, the malware quits automatically.
However, if weaker antivirus systems are in use, the crash process starts up and victims have to live with crippling slowness and blue screens while the malware cheerfully steals their power and mines Monero on the attacker’s behalf.
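As an added example that is not code from the article or from 360 Total Security, the PowerShell check below lists running processes that carry the critical-process (BreakOnTermination) attribute described above, so an injected svchost.exe marked critical can be spotted before a removal attempt blue-screens the machine. It assumes an elevated PowerShell 5.1 or later session and relies on the documented NtQueryInformationProcess class ProcessBreakOnTermination (29); the column and variable names are the example's own.

```powershell
# Added example, not from the article: enumerate processes flagged as "critical" so that
# terminating them crashes Windows, the attribute WinstarNssmMiner is described as abusing.
# Run elevated; protected or system processes that refuse a handle are skipped.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class ProcQuery {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr h, int infoClass,
        out int info, int length, out int returned);
}
"@

$PROCESS_QUERY_INFORMATION = 0x0400
$ProcessBreakOnTermination  = 29     # PROCESSINFOCLASS value for the critical-process flag

# Collect parent PIDs once, so each hit can be shown with the process that spawned it.
$parentOf = @{}
Get-CimInstance Win32_Process | ForEach-Object { $parentOf[[int]$_.ProcessId] = [int]$_.ParentProcessId }

$critical = foreach ($p in Get-Process) {
    $h = [ProcQuery]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $p.Id)
    if ($h -eq [IntPtr]::Zero) { continue }          # access denied: protected/system process
    try {
        $flag = 0; $ret = 0
        $status = [ProcQuery]::NtQueryInformationProcess($h, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$ret)
        if ($status -eq 0 -and $flag -ne 0) {        # STATUS_SUCCESS and flag set
            $ppid = $parentOf[$p.Id]
            $parentName = if ($ppid) { (Get-Process -Id $ppid -ErrorAction SilentlyContinue).ProcessName } else { '?' }
            [pscustomobject]@{
                Pid    = $p.Id
                Name   = $p.ProcessName
                Path   = $p.Path
                Parent = "$ppid ($parentName)"
            }
        }
    } finally { [void][ProcQuery]::CloseHandle($h) }
}

# Windows itself marks a handful of System32 processes critical (for example csrss.exe,
# wininit.exe, services.exe). An svchost.exe, or anything else, that is critical but lives
# outside System32 or was spawned by a user process matches the behaviour described above.
$critical | Format-Table -AutoSize
```

Because the malware crashes the host when its process is killed, a hit here is a reason to image and investigate first and to plan removal from offline or safe-mode boot rather than to terminate the process live.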