Security researchers have spotted the first cryptocurrency miner that includes a "kill list" feature that shuts down the processes of other coinminers in an attempt to hog the infected computer's mining power only for itself.
Spotted by ISC Sans researcher Xavier Mertens, this coinminer is nothing out of the ordinary and is just one of the many new cryptocurrency-mining malware strains that have appeared since the start of the year, when most of the cybercrime landscape shifted from ransomware operations to coinminer distribution.
But unlike most of its competitors, the author of this coinminer has understood that the market has been getting pretty crowded: it is getting harder and harder to infect a new device without finding a few similar trojans already on the same PC and having to battle them for CPU and GPU cycles.
To counteract the rising number of competing malware, the author of this trojan has put some serious work into analyzing his rivals and assembled a list of OS process names under which competing coinminers might be running.
So whenever his coinminer infects a new PC, the trojan will go through the list and kill any local OS process that matches one of the entries.
Silence Carbon xmrig32 nscpucnminer64 mrservicehost servisce svchosts3 svhosts system64 systemiissec taskhost vrmserver vshell winlogan winlogo logon win1nit wininits winlnlts taskngr tasksvr mscl cpuminer sql31 taskhots svchostx xmr86 xmrig xmr win1ogin win1ogins ccsvchst nscpucnminer64 update_windows
Mertens argues that security researchers could also benefit from this malware author's work, and use the list above to scan for signs that a machine might have been infected with a coinminer.
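As an added illustration of Mertens' suggestion (this is example code written for this article, not the malware's code or anything from the ISC report), the script below checks a snapshot of process names against the kill list. The `SAMPLE_PROCESSES` snapshot and the `--live` switch are constructed for the example; note that exact matching is deliberate, so legitimate `svchost.exe` and `winlogon.exe` do not trip on the typosquatted `svchosts3` and `winlogan` entries.

```python
import csv
import subprocess
import sys

# Process names from the kill list quoted in the article, lower-cased and
# de-duplicated (nscpucnminer64 appears twice in the original list).
KILL_LIST = {
    "silence", "carbon", "xmrig32", "nscpucnminer64", "mrservicehost", "servisce",
    "svchosts3", "svhosts", "system64", "systemiissec", "taskhost", "vrmserver",
    "vshell", "winlogan", "winlogo", "logon", "win1nit", "wininits", "winlnlts",
    "taskngr", "tasksvr", "mscl", "cpuminer", "sql31", "taskhots", "svchostx",
    "xmr86", "xmrig", "xmr", "win1ogin", "win1ogins", "ccsvchst", "update_windows",
}

def normalise(name: str) -> str:
    """Lower-case a process name and drop a trailing .exe so 'XMRig.exe' matches 'xmrig'."""
    name = name.strip().lower()
    return name[:-4] if name.endswith(".exe") else name

def find_matches(process_names, kill_list=KILL_LIST):
    """Return the sorted list of process names that exactly match a kill-list entry.
    Exact matching keeps legitimate svchost.exe / winlogon.exe from matching the
    look-alike svchosts3 / winlogan names the malware hunts for."""
    return sorted({n for n in process_names if normalise(n) in kill_list})

def running_process_names():
    """Best-effort process list for this host: psutil if installed, else tasklist or ps."""
    try:
        import psutil
        return [p.info["name"] or "" for p in psutil.process_iter(["name"])]
    except ImportError:
        pass
    if sys.platform.startswith("win"):
        out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                             capture_output=True, text=True, check=True).stdout
        return [row[0] for row in csv.reader(out.splitlines()) if row]
    out = subprocess.run(["ps", "-eo", "comm="], capture_output=True, text=True, check=True).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]

# Constructed sample snapshot standing in for a real process listing.
SAMPLE_PROCESSES = ["svchost.exe", "winlogon.exe", "explorer.exe",
                    "XMRig.exe", "taskhots.exe", "cpuminer"]

if __name__ == "__main__":
    names = running_process_names() if "--live" in sys.argv else SAMPLE_PROCESSES
    for hit in find_matches(names):
        print("kill-list match:", hit)
```

Some entries (`taskhost`, `logon`) are also names of legitimate Windows processes, so a match is a lead for triage rather than proof of infection.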
But this cryptocurrency mining malware is not the first malware strain to use a so-called "kill list." For example, the Shifu banking trojan has been using a similar feature since 2015, killing processes associated with other banking trojans.
Furthermore, even if it's not a kill list per se, most of today's advanced IoT malware strains take protective measures after infecting a router or IoT device, such as closing Telnet or SSH ports to prevent the device from being taken over by another strain. The BrickerBot, Wifatch, and Mirai malware are known for such behavior.
Malware hashes and other indicators of compromise (IOCs) can be found in Mertens' ISC Sans report.