Cryptojacking has become such a ubiquitous event that it’s become a normal annoyance at this point. Usually, malware like this are easily stopped by just closing your browser.
However, a new and very aggressive form of the malware has been discovered. One that will try to crash your computer once it detects efforts to remove it.
Security researchers at 360 Total Security have reported that the malware, dubbed ‘WinstarNssmMiner,’ has attempted to infect about 500,000 PCs in just three days through email and compromised websites.
Once on the PC, the malware launches a script labeled “svchost.exe”, that is used to manage basic functions in a PC’s operating system. The malware then injects malicious code in the script, allowing other applications in the background to run normally to avoid detection.
Once this is done, WinstarNssmMiner then alters a PC’s “Critical Process” function so that the malware can crash the system if it wants to. Before it installs, the malware checks around if the PC has any antivirus software installed. According to ZDNet, if it detects software from Avast, Kaspersky or other reputable antivirus software, WinstarNssmMiner won’t even bother installing itself in the first place.
Now if the PC doesn’t have antivirus software or has second-rate software, the malware will take advantage of every CPU that it can. This is where the crashing capabilities become critical: some computer savvy users can identify, and terminate the CPU consuming applications. WinstarNssmMiner puts the kibosh on that by configuring its mining processes’ attribute to CriticalProcess so infected computers crash when users terminate it.
As of Thursday, May 17th, ZDNet reported that WinstarNssmMiner had already mined 133 Monero tokens, the equivalent of about $26,500. Four mining pools have reportedly been linked to the malware, although details are still unclear.