An aggressive WinstarNssmMiner crashes PCs upon removal

by Lucia Danes

White hats raise the alarm as cryptocurrency miners are getting more and more aggressive

WinstarNssmMiner Trojan miner

Cryptocurrency miners[1] have topped the cyber threat charts of 2018 since the beginning of the year. However, cybersecurity experts claim that matters are getting worse with the emergence of miners like WinstarNssmMiner. This unprecedented Monero miner was detected by 360 Total Security[2] researchers in the middle of May 2018 and seems to be one of the most aggressive Monero miners this year.

According to 360 Total Security, the so-called WinstarNssmMiner hijacks the targeted system by running malicious scripts in the svchost.exe and CriticalProcess processes. Fed with malicious commands, they start consuming an excessive amount of the system's CPU resources, which is why the system becomes sluggish and unresponsive.

This Monero miner connects to four mining pools, where the gathered processing power is shared. The malware uses the open-source XMRig[3] crypto-mining project to dig the currency. It puts a heavy load on the device, which ends up at almost 100% CPU consumption.

500,000 devices already infected

AV vendors illustrated the activity of the WinstarNssmMiner malware by providing basic statistics. Within three days of its lifetime, it had already infected more than 500,000 devices and collected 133 Monero (approximately 28,000 USD).

The real number of infections is suspected to be much higher. That's because the 500,000 attacks were registered by 360 Total Security software alone, without counting the stats of other AV engines. The number of infected PCs that are not running any anti-virus is also unknown.

WinstarNssmMiner causes forced shut-down upon removal

Although miners have become an ordinary occurrence these days, only a minority of PC users consider them a worrisome threat. However, current practice proves that cryptocurrency miners are taking a new form and may soon start acting maliciously.

WinstarNssmMiner is worth discussing due to a couple of atypical traits. First of all, the malware exhibits an advanced anti-virus detection technique. Upon infiltration, it creates two identical svchost.exe[4] processes. Both of them are equally malicious, but their responsibilities differ. One process continuously consumes CPU resources and is responsible for the whole mining operation. Meanwhile, the other svchost.exe process runs in the background and scans the system for anti-virus software. If it detects a powerful anti-virus[5], be it Avast, McAfee, BitDefender or similar, it initiates a self-destruct to avoid confrontation.

Another characteristic unusual for a Monero miner, and for cryptocurrency miners in general, is the ability to crash the system. As soon as the antivirus detects the malicious svchost.exe processes and terminates them, the malware crashes the system immediately. Luckily, the system boots successfully after the restart.

Do not ignore high CPU consumption

In a normal state, the PC should consume less than 30% of its CPU resources. During gameplay or another more demanding process, resource consumption may increase, but it should return to normal right after the heavy task is finished.

Thus, if the PC is continuously slow and unresponsive due to constantly high CPU usage, a Monero miner or a similar miner exploiting the PC's processing power may be the culprit. The only way to verify that is to perform a full system scan with a professional anti-virus program.
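A quick triage step a defender can run before the full scan, added here as an example and not code from the article or from 360 Total Security: it lists every svchost.exe on the machine, samples each one's CPU share over a few seconds and flags the instances that do not look like the legitimate Windows service host. It assumes that the genuine svchost.exe lives in %SystemRoot%\System32 and is started by services.exe, and it uses the article's 30% figure as the CPU threshold; run it from an elevated PowerShell so that executable paths of system processes are readable.

```powershell
# Added triage example (not from the article). Flags svchost.exe instances that
# run from an unexpected path, have an unexpected parent, or hog the CPU.
$SampleSeconds = 5
$CpuThreshold  = 30   # article's "normal state" ceiling, in percent
$SystemHost    = Join-Path $env:SystemRoot 'System32\svchost.exe'   # assumed legitimate path
$Cores         = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors

$procs = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"

# Resolve each parent PID to a process name once (legitimate parent is services.exe).
$parentNames = @{}
foreach ($p in $procs) {
    if (-not $parentNames.ContainsKey($p.ParentProcessId)) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentNames[$p.ParentProcessId] = if ($parent) { $parent.Name } else { '<exited>' }
    }
}

# First CPU-time sample, then sleep, then second sample to get a percentage.
$before = @{}
foreach ($p in $procs) {
    $proc = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
    if ($proc) { $before[$p.ProcessId] = $proc.TotalProcessorTime.TotalSeconds }
}
Start-Sleep -Seconds $SampleSeconds

$report = foreach ($p in $procs) {
    $proc = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
    if (-not $proc -or -not $before.ContainsKey($p.ProcessId)) { continue }
    $used   = $proc.TotalProcessorTime.TotalSeconds - $before[$p.ProcessId]
    $cpuPct = [math]::Round($used / ($SampleSeconds * $Cores) * 100, 1)

    $reasons = @()
    if ($p.ExecutablePath -and $p.ExecutablePath -ne $SystemHost) { $reasons += "path $($p.ExecutablePath)" }
    if ($parentNames[$p.ParentProcessId] -ne 'services.exe')    { $reasons += "parent $($parentNames[$p.ParentProcessId])" }
    if ($cpuPct -gt $CpuThreshold)                                { $reasons += "cpu $cpuPct%" }

    [pscustomobject]@{
        PID        = $p.ProcessId
        CpuPercent = $cpuPct
        Parent     = $parentNames[$p.ParentProcessId]
        Path       = $p.ExecutablePath
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

$report | Sort-Object -Property Suspicious, CpuPercent -Descending | Format-Table -AutoSize
```

A flagged row is a candidate for investigation, not a verdict: Windows legitimately runs many svchost.exe instances, and a short burst of CPU during Windows Update is normal, so confirm with the full anti-virus scan the article recommends.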

It's essential to eliminate crypto-mining[6] malware as soon as possible, because the system may eventually overheat or become utterly unresponsive, to the point where you may have to throw it away.

Miners can be distributed in many ways, including spam email attachments, standalone file installers, and even legitimate apps. Currently, it's not clear how WinstarNssmMiner is being disseminated, but experts speculate that it relies on infected documents attached to spam email messages.

About the author

Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has long experience working in the malware and technology fields.
