WinstarNssmMiner is new cryptomining malware that turns nasty the second your anti-virus attempts removal. Cryptomining malware isn’t anything new. It targets computers and uses their CPU and GPU power to mine for cryptocurrency. Usually, the user can easily remove the infection with an anti-virus or anti-malware program. But WinstarNssmMiner is different. When the system attempts removal, WinstarNssmMiner maliciously crashes the system.
According to 360 Total Security researchers, this malware has been used in half a million attempted attacks in just three days.
The cryptominer launches the svchost.exe process, which is used to manage system services, and injects malicious code into it. One injected process begins mining cryptocurrency, while a second runs in the background to scan for antivirus protection and avoid detection.
In the second stage, WinstarNssmMiner sets the CriticalProcess attribute on its mining processes, which allows the malware to crash the system when they are terminated.
However, the malware is a coward at heart. As 360 Total Security writes, WinstarNssmMiner “turns off antivirus protection of defenseless foes and backs off when facing sharp swords.”
“Due to the nature of digital currency mining, cryptominers use up victims’ processing power for the sake of their distributors,” the researchers note. “Some savvy users are able to identify and terminate the CPU consuming applications. Hence, WinstarNssmMiner protects itself by configuring its mining processes’ attribute to CriticalProcess so infected computers crash when users terminate it.”
There is good news, though. Apparently, the malware doesn’t put up a fight against better-known anti-virus programs. Rather, it chooses to crash systems with weak protection or no protection at all. According to ZDNet, “the threat actors behind the spread of WinstarNssmMiner have mined 133 Monero, which is equivalent to roughly $26,500.”
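A defender-side check for the behaviour described above, as an added example that is not from the article or from 360 Total Security: this PowerShell script lists every svchost.exe instance with its parent process and whether Windows reports it as a critical process. The function name `Test-ProcessCritical` and the `Triage.Native` type are hypothetical names chosen here; the script assumes Windows 8.1 / Server 2012 R2 or later (for `IsProcessCritical`) and an elevated prompt.

```powershell
# Added example (not from the article): triage svchost.exe instances on a live host.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated PowerShell prompt.
Add-Type -Namespace Triage -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inheritHandle, uint processId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsProcessCritical(IntPtr process, out bool critical);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Returns $true/$false for the critical flag, or $null if the process cannot be queried.
function Test-ProcessCritical {
    param([uint32]$ProcessId)
    $handle = [Triage.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($handle -eq [IntPtr]::Zero) { return $null }
    try {
        $critical = $false
        if ([Triage.Native]::IsProcessCritical($handle, [ref]$critical)) { return $critical }
        return $null
    } finally {
        [void][Triage.Native]::CloseHandle($handle)
    }
}

$all = @(Get-CimInstance -ClassName Win32_Process)
$servicesPids = @($all | Where-Object Name -eq 'services.exe' | ForEach-Object ProcessId)

$all | Where-Object Name -eq 'svchost.exe' | ForEach-Object {
    $proc = $_
    $parent = $all | Where-Object ProcessId -eq $proc.ParentProcessId | Select-Object -First 1
    [pscustomobject]@{
        ProcessId        = $proc.ProcessId
        ParentProcessId  = $proc.ParentProcessId
        ParentName       = if ($parent) { $parent.Name } else { '<exited>' }
        Critical         = Test-ProcessCritical -ProcessId $proc.ProcessId
        # Service hosts are normally children of services.exe; anything else needs a closer look.
        UnexpectedParent = $servicesPids -notcontains $proc.ParentProcessId
        CommandLine      = $proc.CommandLine
    }
} | Sort-Object UnexpectedParent -Descending | Format-Table -AutoSize -Wrap
```

The Critical column is context rather than a verdict, since Windows marks some of its own processes critical; an svchost.exe with an unexpected parent is the stronger signal. As the researchers describe, terminating a process that carries the flag crashes the machine, so collect evidence before attempting removal.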
Last Updated on May 17, 2018.