WinstarNssmMiner Crashes the System When You Try to Remove It

Delaware, USA – May 18, 2018 – This week, researchers from 360 Total Security discovered the campaign distributing new cryptocurrency mining malware. WinstarNssmMiner attacked more than 500,000 systems in three days. After getting into a system, malware scans it for specific antivirus tools installed, if any of them is detected, it quits automatically. If no such antiviruses are found, WinstarNssmMiner creates two svchost.exe system processes and injects XMRig miner into the first process and malicious code for detecting and deactivating antiviruses into the second. Malware adds a CriticalProcess attribute to svchost.exe with XMRig injected, so when the user or antivirus solution tries to terminate the process or remove malware, system crashes and requires a reboot. Because of this, it is quite problematic to get rid of the virus after infection. For the first days, attackers received over $26.000 in revenue, so they are unlikely to stop the distribution of the miner.

In 2018, the number of coinminer attacks on organizations is increased significantly. The report from RedLock shows that the number of such attacks on organizations’ cloud infrastructure is tripled in the first quarter of 2018. Also, this May, adversaries exploited fresh vulnerabilities to conduct several campaigns infecting web servers. To secure your organization against coinminer attacks, it is necessary to timely install updates and to investigate suspicious security events. In addition, you can monitor the security of your publicly accessible web applications using ArcSight and Web Application Security Framework.