WinstarNssmMiner Coinminer Campaign Makes 500,000 Victims in Three Days (shuts down AV products)

LASER_oneXM

Security researchers from Qihoo 360 Total Security have detected a massive malware campaign spreading a new coinminer, and which appears to have made roughly 500,000 victims in three days alone.

At the heart of this campaign is a new malware strain named WinstarNssmMiner, targeting Windows computers.

Under the hood, WinstarNssmMiner is your typical cryptocurrency-mining malware these days, based on the open-source and legitimate Monero mining utility named XMRig.

WinstarNssmMiner shuts down AV products

Qihoo 360 researchers did not say how WinstarNssmMiner spreads, but they said this coinminer is unique among the cryptocurrency-mining threats active on the market today.

The typical WinstarNssmMiner modus operandi, according to researchers, is the following:

...

Atlas147

Interesting report. The article goes on to describe the infection: "Scan for Avast and Kaspersky antivirus process. If user is using one of the two, abandon infection"

Wonder what Avast and Kaspersky are doing right for the malware authors to be so vigilant with these 2 AVs and not the rest.
 

yitworths

Atlas147 said:
> Interesting report. The article goes on to describe the infection: "Scan for Avast and Kaspersky antivirus process. If user is using one of the two, abandon infection"
>
> Wonder what Avast and Kaspersky are doing right for the malware authors to be so vigilant with these 2 AVs and not the rest.

The malware is actually taunting other AV products, and it's a shame for other AV products if they let a malware run an svchost.exe process, whatever its modus operandi is. Or the behaviour blockers of those AVs are just a facade.
 

upnorth

> According to existing research on the malicious use of XMRig, black-hat developers have hardly applied any changes to the original code. Past modifications show some changes to hardcoded command-line arguments that contain the attacker's wallet address and mining pool URL, plus changes to a few arguments that kill all previously running instances of XMRig to ensure no one else benefits from the same hardware. Changes of this scope could take mere minutes to perform.
>
> The world of cryptojacking malware is undergoing rapid evolution, and although permutations of XMRig will likely continue to occur, there is also a threat that new codes will appear this year. Mitigating the risk from known threats should be an integral part of your cyber hygiene and security management practices. While malware hunting is often regarded as a whack-a-mole endeavor, preventing XMRig-based malcode is easier because of its prevalence in the wild.
>
> Since XMRig is open source and keeps getting reused in attacks, security teams should look into controls that deliver blanket protection and eliminate different iterations of this code. For those running older servers and operating systems in which risk of infection is higher, security best practices call for minimizing exposure, implementing compensating controls and planning for a prompt upgrade to dampen risks.

Source: XMRig: Father Zeus of Cryptocurrency Mining Malware?

More information about another XMRig operation, as it gives clues on how it's delivered:

Large Scale Monero Cryptocurrency Mining Operation using XMRig
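As an added example (my own, not code from the article, the quoted research or any poster), a small Python check that applies the point in the quote above: because XMRig forks mostly keep the stock command-line options and only repoint the pool URL and payout wallet, a pass over process command lines can flag them regardless of which fork is running. The option names are XMRig's own; the sample process list, pool host and wallet value are constructed for the example.

```python
import re

# XMRig options the quoted research says attackers keep and merely repoint: the pool URL (-o/--url) and the payout wallet (-u/--user).
POOL_FLAGS = {"-o", "--url"}
USER_FLAGS = {"-u", "--user"}
# Long-form XMRig switches that do not collide with svchost's own -k/-p/-s.
MINER_FLAGS = {"--donate-level", "--keepalive", "--nicehash", "--cpu-priority"}
BASE58 = re.compile(r"^[1-9A-HJ-NP-Za-km-z]+$")
# Constructed sample: a genuine svchost launch and a miner masquerading as one.
WALLET = "4" + "A" * 94  # shaped like a Monero address; not a real wallet
SAMPLE_PROCESSES = [
    ("C:\\Windows\\System32\\svchost.exe",
     "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule"),
    ("C:\\Users\\Public\\svchost.exe",
     "svchost.exe -o pool.example.invalid:3333 -u " + WALLET + " -p x -k --donate-level=1"),
]

def is_monero_address(s):
    """Monero addresses are 95 base58 chars (106 if integrated), starting with '4' or '8'."""
    return len(s) in (95, 106) and s[0] in "48" and bool(BASE58.match(s))

def parse_miner_args(cmdline):
    """Pull pool, wallet and XMRig-only switches out of a command line ('--opt=v' or '--opt v')."""
    tokens = cmdline.split()
    found = {"pool": None, "wallet": None, "flags": set()}
    for i, tok in enumerate(tokens):
        name, _, inline_val = tok.partition("=")
        val = inline_val or (tokens[i + 1] if i + 1 < len(tokens) else "")
        if name in POOL_FLAGS:
            found["pool"] = val
        elif name in USER_FLAGS:
            found["wallet"] = val
        elif name in MINER_FLAGS:
            found["flags"].add(name)
    return found

def score_process(image_path, cmdline):
    """Return the reasons a process looks like an XMRig-based miner ([] if none)."""
    reasons = []
    args = parse_miner_args(cmdline)
    if args["pool"] and args["wallet"]:
        reasons.append("mines to pool %s for wallet %s..." % (args["pool"], args["wallet"][:8]))
    if args["wallet"] and is_monero_address(args["wallet"]):
        reasons.append("payout target is shaped like a Monero address")
    if args["flags"]:
        reasons.append("XMRig-only switches: " + ", ".join(sorted(args["flags"])))
    # The thread notes the miner runs as svchost.exe; the genuine one lives in System32.
    if image_path.lower().endswith("\\svchost.exe") and not image_path.lower().startswith("c:\\windows\\system32\\"):
        reasons.append("svchost.exe started from unexpected path " + image_path)
    return reasons
```

Fed a real process list (for instance from a sysmon process-creation log), the first sample yields no reasons and the second yields four, which is the kind of blanket control the quoted article asks for rather than a signature for one fork.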
 

Atlas147

yitworths said:
> The malware is actually taunting other AV products, and it's a shame for other AV products if they let a malware run an svchost.exe process, whatever its modus operandi is. Or the behaviour blockers of those AVs are just a facade.

Hopefully the others learn a little from this tiny piece of malware and up their game for the self-protection modules on their AVs.
 
