
Security researchers have spotted the first cryptocurrency miner that includes a "kill list" feature that shuts down the processes of other coinminers in an attempt to hog the infected computer's mining power only for itself.

Spotted by ISC Sans researcher Xavier Mertens, this coinminer is nothing out of the ordinary and is just one of the many new cryptocurrency-mining-focused malware strains that have appeared since the start of the year, when most of the cybercrime landscape shifted from ransomware operations to coinminer distribution.

But unlike most of its competitors, the author of this coinminer has understood that the market has been getting pretty crowded, and it's getting harder and harder to infect new devices without a few other similar trojans infecting the same PC and having to battle over CPU and GPU computational cycles.

Thanks for all the fish!

To counteract the rising number of competing malware, the author of this trojan has put some serious work into analyzing his rivals and assembled a list of OS processes under which competing coinminers might be running.

So whenever his coinminer infects a new PC, the trojan will go through the list and kill any local OS process that matches one of the entries.

Silence
Carbon
xmrig32
nscpucnminer64
mrservicehost
servisce
svchosts3
svhosts
system64
systemiissec
taskhost
vrmserver
vshell
winlogan
winlogo
logon
win1nit
wininits
winlnlts
taskngr
tasksvr
mscl
cpuminer
sql31
taskhots
svchostx
xmr86
xmrig
xmr
win1ogin
win1ogins
ccsvchst
nscpucnminer64
update_windows

Mertens argues that security researchers could also benefit from this malware author's work, and use the list above to scan for signs that a machine might have been infected with a coinminer.
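One way to act on that suggestion is to check a process listing against the names above. The following is an added example written for this article, not code from Mertens' report or from the malware; it parses a `tasklist /fo csv` style dump (the sample rows are constructed), reports exact matches against the kill list, and, as a heuristic of my own that goes beyond the list, also flags image names that are within two edits of a legitimate Windows system process name without being that name, since many kill-list entries ("svchosts3", "winlogan", "win1nit") are look-alikes of that kind. The set of legitimate names is an assumption chosen for the demo.

```python
import csv
import io
import os

# Process names from the coinminer's kill list, as published in the article.
KILL_LIST = [
    "Silence", "Carbon", "xmrig32", "nscpucnminer64", "mrservicehost",
    "servisce", "svchosts3", "svhosts", "system64", "systemiissec",
    "taskhost", "vrmserver", "vshell", "winlogan", "winlogo", "logon",
    "win1nit", "wininits", "winlnlts", "taskngr", "tasksvr", "mscl",
    "cpuminer", "sql31", "taskhots", "svchostx", "xmr86", "xmrig", "xmr",
    "win1ogin", "win1ogins", "ccsvchst", "update_windows",
]

# Assumed set of legitimate Windows image names that the kill-list entries
# imitate; extend it for the environment being checked.
LEGIT_SYSTEM_NAMES = {
    "svchost", "winlogon", "wininit", "taskmgr", "taskhost", "system",
    "lsass", "csrss", "explorer",
}

# Constructed sample output in the shape of `tasklist /fo csv` (not a real capture).
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","832","Services","0","12,345 K"
"winlogon.exe","640","Console","1","9,876 K"
"winlogan.exe","4120","Console","1","31,204 K"
"xmrig.exe","4388","Console","1","214,112 K"
"taskhost.exe","1200","Console","1","8,400 K"
"svch0st.exe","5012","Console","1","45,000 K"
"explorer.exe","2500","Console","1","80,000 K"
'''


def normalise(image_name):
    """Lower-case the image name and drop its extension ("XMRig.EXE" -> "xmrig")."""
    stem, _ = os.path.splitext(os.path.basename(image_name.strip()))
    return stem.lower()


KILL_SET = {normalise(n) for n in KILL_LIST}


def parse_tasklist_csv(text):
    """Return a list of (normalised_name, pid) tuples from tasklist CSV output."""
    reader = csv.DictReader(io.StringIO(text))
    return [(normalise(row["Image Name"]), int(row["PID"])) for row in reader]


def edit_distance(a, b):
    """Levenshtein distance between two short strings (single-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def kill_list_hits(rows):
    """Processes whose image name exactly matches an entry in the kill list."""
    return [(name, pid) for name, pid in rows if name in KILL_SET]


def lookalike_hits(rows, max_distance=2):
    """Processes whose name is close to, but not identical to, a system process name."""
    hits = []
    for name, pid in rows:
        if name in LEGIT_SYSTEM_NAMES:
            continue  # the genuine article; nothing to flag here
        if any(edit_distance(name, legit) <= max_distance for legit in LEGIT_SYSTEM_NAMES):
            hits.append((name, pid))
    return hits


if __name__ == "__main__":
    rows = parse_tasklist_csv(SAMPLE_TASKLIST)
    for name, pid in kill_list_hits(rows):
        print(f"kill-list match: {name} (pid {pid})")
    for name, pid in lookalike_hits(rows):
        print(f"look-alike of a system process: {name} (pid {pid})")
```

Two things to keep in mind when triaging the output: a few entries, "taskhost" in particular, coincide with names that legitimate Windows components also use, so a name match is a lead to confirm by checking the image path and code signature rather than a verdict on its own, and the look-alike check is a heuristic that will surface benign third-party binaries as well as typosquatted ones.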

The "kill list" feature is not new and has been seen before

But this cryptocurrency mining malware is not the first malware strain to use a so-called "kill list." For example, the Shifu banking trojan has been using a similar feature since 2015, killing processes associated with other banking trojans.

Furthermore, even if it's not a kill list per se, most of today's advanced IoT malware strains will take protective measures after infecting a router or IoT device, such as closing Telnet or SSH ports to prevent the device from being taken over by another strain. The BrickerBot, Wifatch, and Mirai malware are known for such behavior.

Malware hashes and other indicators of compromise (IOCs) can be found in Mertens' ISC Sans report.
