Security researchers have spotted the first cryptocurrency miner that includes a "kill list" feature that shuts down the processes of other coinminers in an attempt to hog the infected computer's mining power only for itself.

Spotted by ISC Sans researcher Xavier Mertens, this coinminer is nothing out of the ordinary and is just one of the many new cryptocurrency-mining-focused malware strains that have appeared since the start of the year, when most of the cybercrime landscape shifted from ransomware operations to coinminer distribution.

But unlike most of its competitors, the author of this coinminer has understood that the market has been getting pretty crowded, and it's getting harder and harder to infect new devices without a few other similar trojans infecting the same PC and having to battle over CPU and GPU computational cycles.

Thanks for all the fish!

To counteract the rising number of competing malware, the author of this trojan has put some serious work into analyzing his rivals and has assembled a list of OS processes under which competing coinminers might be running.

So whenever his coinminer infects a new PC, the trojan will go through the list and kill any local OS process that matches one of the entries.

Silence
Carbon
xmrig32
nscpucnminer64
mrservicehost
servisce
svchosts3
svhosts
system64
systemiissec
taskhost
vrmserver
vshell
winlogan
winlogo
logon
win1nit
wininits
winlnlts
taskngr
tasksvr
mscl
cpuminer
sql31
taskhots
svchostx
xmr86
xmrig
xmr
win1ogin
win1ogins
ccsvchst
nscpucnminer64
update_windows

Mertens argues that security researchers could also benefit from this malware author's work, and use the list above to scan for signs that a machine might have been infected with a coinminer.
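
One way to act on that suggestion, as an added example that is not code from the article or from Mertens' report: it matches process image names exactly (case-insensitive, `.exe` stripped) against the list above and separates hits whose name collides with a genuine Windows binary. The `pid,path` snapshot format, the sample rows and the `taskhost` System32 allowance are assumptions made for this illustration.

```python
import csv
import io
import ntpath

# Process names from the article's kill list (duplicates collapsed).
KILL_LIST = frozenset("""
Silence Carbon xmrig32 nscpucnminer64 mrservicehost servisce svchosts3 svhosts
system64 systemiissec taskhost vrmserver vshell winlogan winlogo logon win1nit
wininits winlnlts taskngr tasksvr mscl cpuminer sql31 taskhots svchostx xmr86
xmrig xmr win1ogin win1ogins ccsvchst update_windows
""".lower().split())

# Assumption: taskhost.exe is also a genuine Windows 7 binary when it runs
# from System32, so a name hit there needs path verification, not an alert.
LEGIT_PATHS = {"taskhost": r"c:\windows\system32\taskhost.exe"}

def base_name(image):
    """Lower-cased file name without directory or .exe suffix."""
    name = ntpath.basename(image.strip()).lower()
    return name[:-4] if name.endswith(".exe") else name

def scan(snapshot_csv):
    """Return (pid, image, verdict) for every process whose name is listed."""
    findings = []
    for row in csv.DictReader(io.StringIO(snapshot_csv)):
        name = base_name(row["path"])
        if name not in KILL_LIST:
            continue
        expected = LEGIT_PATHS.get(name)
        if expected and row["path"].strip().lower() == expected:
            verdict = "verify"      # name collides with a real OS binary
        else:
            verdict = "suspicious"  # listed name, unexpected location
        findings.append((int(row["pid"]), row["path"].strip(), verdict))
    return findings

# Constructed sample snapshot (pid,path); not data from the report.
SAMPLE = r"""pid,path
412,C:\Windows\System32\svchost.exe
1188,C:\Windows\System32\taskhost.exe
2304,C:\Users\Public\taskhost.exe
3120,C:\ProgramData\WinLogan.EXE
3344,C:\Windows\Temp\xmrig32.exe
4012,C:\Tools\xmrig-notes.exe
"""

if __name__ == "__main__":
    for pid, image, verdict in scan(SAMPLE):
        print(f"{verdict:10} pid={pid:<5} {image}")
```

A name hit is only a lead: the sample's last row shows that exact matching ignores files that merely contain a listed string, and the `verify` verdict marks a hit that still needs its binary checked before any conclusion is drawn.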

"Kill list" feature is not new. Has been seen before.

But this cryptocurrency mining malware is not the first malware strain to use a so-called "kill list." For example, the Shifu banking trojan has been using a similar feature since 2015, killing processes associated with other banking trojans.

Furthermore, even if it's not a kill list per se, most of today's advanced IoT malware strains will take protective measures after infecting a router or IoT device, such as closing Telnet or SSH ports to prevent the device from being taken over by another strain. The BrickerBot, Wifatch, and Mirai malware are known for such behavior.

Malware hashes and other indicators of compromise (IOCs) can be found in Mertens' ISC Sans report.