When the CPU utilization on a computer is high, games become less responsive, frame rate goes down, and gameplay stutters. To diagnose these problems, users will commonly open process manager utilities such as Task Manager, Process Explorer, or Process Hacker to determine if any processes are using too much of the CPU power.
Knowing this, the developer of this mining Trojan does something pretty clever: they terminate the miner when the processes for popular games or process managers are launched. This causes the computer to appear to be operating normally when running certain games and when trying to diagnose CPU utilization.
When installed, a file called Iostream.exe will be created in C:\ProgramData and a scheduled task will be created called "WindowsRecoveryCleaner" to launch it using the command line:
schtasks /create /tn WindowsRecoveryCleaner /tr "C:\ProgramData\Iostream.exe" /st 00:00 /sc daily /du 9999:59 /ri 1 /f
The above command will cause the task to execute at 12AM every night, with the task repeating every minute. This allows the miner to restart quickly after it has been terminated.
Once started, Iostream.exe will inject into the legitimate C:\Windows\system32\attrib.exe executable. Attrib is used to change certain attributes on a file and normally closes after completing. By injecting the miner into attrib.exe, though, the program will not close unless it is terminated.
You can see attrib.exe utilizing 93% of the computer's CPU in the image below.
While running, the miner will constantly poll the list of running processes. If it detects processes running for Process Explorer, Task Manager, Process Monitor, Process Hacker, AnVir Task Manager, PlayerUnknown's Battlegrounds (PUBG), Counter-Strike: Global Offensive, Rainbow Six, or Dota 2, it will terminate the attrib.exe and Iostream.exe processes.
The full list of monitored processes is:
Taskmgr.exe taskmgr.exe ProcessHacker.exe procexp.exe procmon.exe anvir.exe dota2.exe csgo.exe TslGame.exe RainbowSix.exe
Once a monitored process is terminated, the scheduled task will run the miner again within one minute. This allows the miner to terminate as needed and automatically start again when a blacklisted program is closed.
You can see this behavior in the video below.
As you can see, this is a clever method for a miner to stay undetected, as it only runs at times when the increased CPU utilization may not be noticed. Currently, the list of games is rather small, and I would expect other popular games, such as Fortnite, to be added in the future.
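As an added defender-side example (not from the article), the following PowerShell hunt looks for the three artifacts described above on a Windows host: a scheduled task that relaunches an executable from C:\ProgramData on a short repeat interval, an attrib.exe process that stays alive far longer than the real utility ever does, and the dropped Iostream.exe itself. The task name, drop path and attrib.exe behaviour come from the article; the "repeats within five minutes" heuristic and the 10-second attrib.exe age threshold are my assumptions.

```powershell
# Added example, not the article's or the malware's code. Assumes Windows 8 /
# Server 2012 or later (ScheduledTasks module) and an elevated PowerShell prompt
# so that other users' tasks and processes can be inspected.

# 1. Scheduled tasks that run something out of ProgramData and repeat every few
#    minutes. The known task name is checked too, but the generic pattern is the
#    more durable signal: the name can change, the quick-respawn trick cannot.
$suspiciousTasks = Get-ScheduledTask | Where-Object {
    $runsFromProgramData = $_.Actions | Where-Object {
        $_.Execute -and ($_.Execute -like '*\ProgramData\*')
    }
    # Repetition.Interval is an ISO 8601 duration such as PT1M (one minute).
    $repeatsQuickly = $_.Triggers | Where-Object {
        $_.Repetition.Interval -and ($_.Repetition.Interval -match '^PT[1-5]M$')
    }
    ($_.TaskName -eq 'WindowsRecoveryCleaner') -or ($runsFromProgramData -and $repeatsQuickly)
}
foreach ($t in $suspiciousTasks) {
    $exec = ($t.Actions | ForEach-Object { $_.Execute }) -join ', '
    Write-Output ("Suspicious task: {0}{1} -> {2}" -f $t.TaskPath, $t.TaskName, $exec)
}

# 2. attrib.exe normally exits in well under a second. An instance alive for
#    more than ten seconds (assumed threshold) or with measurable CPU time is out
#    of character and matches the injection the article describes.
$now = Get-Date
Get-Process -Name attrib -ErrorAction SilentlyContinue | ForEach-Object {
    try {
        $age = ($now - $_.StartTime).TotalSeconds
        $cpu = $_.TotalProcessorTime.TotalSeconds
        if ($age -gt 10 -or $cpu -gt 5) {
            Write-Output ("Long-lived attrib.exe: PID {0}, alive {1:N0}s, CPU time {2:N1}s" -f $_.Id, $age, $cpu)
        }
    } catch {
        # StartTime is not readable for some processes without sufficient rights.
        Write-Output ("attrib.exe PID {0}: could not read start time ({1})" -f $_.Id, $_.Exception.Message)
    }
}

# 3. The dropped file itself, hashed so the value can be shared with other
#    responders (the article does not publish a hash, so none is hard-coded here).
$dropPath = Join-Path $env:ProgramData 'Iostream.exe'
if (Test-Path $dropPath) {
    $sha256 = (Get-FileHash -Path $dropPath -Algorithm SHA256).Hash
    Write-Output ("Found {0} (SHA256 {1})" -f $dropPath, $sha256)
}
```

Because the miner kills itself while Task Manager or Process Explorer is open, run this from a console rather than watching a process manager; the scheduled task and the dropped file remain visible even while the miner is hiding.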