A security researcher has found evidence of a cryptocurrency miner that finds and kills off competing miners, security tools and other CPU-intensive processes. According to SANS ISC researcher Xavier Mertens, it is one of many new cryptocurrency-mining malware samples that have appeared this year.
In a blog post, Mertens said the code is simple and downloads crypto-mining malware. Depending on the architecture, a 32-bit or 64-bit version of the miner is downloaded. The binaries are not signed but pretend to be an HP driver.
He added that the miner configuration is hardcoded in the files and the mining account is still active today. The malware runs a script that checks whether a miner is already running by testing for the presence of an ‘AMDDriver64’ process. He added that the most interesting part of the code is a script that lists all running processes and kills unwanted ones.
“The list ‘$malwares’ contains well-known processes but the list ‘$malwares2’ contains interesting processes used by other crypto-miners. This list could be used to build a list of IOCs,” said Mertens. “If you find one of these processes on a host, there are chances that it is being used to mine cryptocurrencies!”
Andy Norton, director of threat intelligence at Lastline, told SC Media UK that there has always been a lot of competition between malware authors. “SpyEye had a delete-Zeus feature in the Battle of the Banking Trojans back in 2010. Recently we have seen ransom payments to bitcoin wallets being intercepted and diverted to a different wallet address,” he said. “The effects of this on the victim machine will depend on the throttling levels specified in the mining program. In all probability the user's device will simply divert its CPU resources to another wallet address. We may also see, instead of a new infection and a kill taking place, malware authors look for existing infections and simply switch payment addresses.”
Ilia Kolochenko, CEO of High-Tech Bridge, told SC Media UK that there is nothing really new in these tactics. “In web application security, we have seen large-scale attacks that exploited public flaws in popular CMSs, backdooring the websites and patching the exploited vulnerability to prevent other hacking teams from taking it over again,” he said.
“Speaking about security precautions for the end users, they remain quite the same: keep your machine and all installed software up to date, do not use a privileged/admin account, install an AV and be very careful where you click and what you install.”
Marta Janus, senior threat researcher at Cylance, told SC Media UK that besides killing known malware, the attackers might also want to try to shut down security solutions. “Fortunately, most of the contemporary anti-malware software implements some kind of self-protection mechanism that should prevent the security process from being removed by a simple PowerShell command,” she said. She added that although they pose somewhat less risk to confidential data, cryptominers can cause many other problems for businesses, slowing down machines and disrupting workflows, so it is important to eliminate the infection as soon as it is discovered.
“Miners are usually easy to identify, as their processes tend to be the ones that consume the most CPU power when the machine is idle. Sometimes killing a process and removing the executable is not enough to keep malware from coming back - in such cases, it might be best to re-image the affected machine, or restore it to the state from before infection,” she said.
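As an added illustration of the defensive checks described above (the IOC list of miner process names Mertens suggests building, and the high-CPU-on-idle heuristic Janus describes), here is a hypothetical PowerShell triage script; it is not code from the article, from Mertens' analysis, or from any vendor quoted, and all process names in it other than AMDDriver64 are constructed placeholders.

```powershell
# Added example, not from the article. Defender-side triage for a Windows host:
# 1) flag running processes whose names appear on an IOC list of miner process
#    names; 2) list the top CPU consumers, which on an idle machine are usually
#    the miner; 3) check whether a flagged binary carries a valid signature
#    (the samples Mertens found were unsigned despite posing as an HP driver).
# AMDDriver64 is named in the article; the other two entries are placeholders.
$MinerIocNames = @('AMDDriver64', 'placeholder-miner-1', 'placeholder-miner-2')

function Find-KnownMinerProcesses {
    param([string[]]$IocNames)
    Get-Process | Where-Object { $IocNames -contains $_.ProcessName } |
        ForEach-Object {
            # Pull the command line so the analyst can see pool/wallet arguments
            $cmd = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)").CommandLine
            [pscustomobject]@{
                Name = $_.ProcessName; PID = $_.Id; Path = $_.Path; CommandLine = $cmd
            }
        }
}

function Get-TopCpuProcesses {
    param([int]$Top = 5)
    # CPU is cumulative processor seconds since the process started; a miner
    # running on an otherwise idle host tends to dominate this column.
    Get-Process | Sort-Object CPU -Descending | Select-Object -First $Top Name, Id, CPU, Path
}

function Test-ProcessSignature {
    param([string]$Path)
    # Returns the Authenticode status (Valid, NotSigned, HashMismatch, ...)
    if (-not $Path) { return 'NoPath' }
    (Get-AuthenticodeSignature -FilePath $Path).Status
}

$hits = Find-KnownMinerProcesses -IocNames $MinerIocNames
if ($hits) {
    $hits | ForEach-Object {
        $_ | Add-Member -NotePropertyName Signature -NotePropertyValue (Test-ProcessSignature $_.Path) -PassThru
    } | Format-Table -AutoSize
} else {
    Write-Output 'No IOC-named processes are running.'
}
Get-TopCpuProcesses | Format-Table -AutoSize
```

Run it from an elevated prompt so that Path and CommandLine are readable for processes owned by other users; a hit with an unsigned binary in a user-writable directory is worth isolating the host for, rather than just killing the process, given Janus's point about reinfection.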