When the CPU utilization on a computer is high, games become less responsive, frame rate goes down, and gameplay stutters. To diagnose these problems, users will commonly open process manager utilities such as Task Manager, Process Explorer, or Process Hacker to determine if any processes are using too much of the CPU power.

Knowing this, the developer of this mining Trojan does something pretty clever: they terminate the miner when the processes for popular games or process managers are launched. This causes the computer to appear to be operating normally when running certain games and when trying to diagnose CPU utilization.

Miner plays hide-and-seek with popular games and utilities

When installed, a file called Iostream.exe will be created in C:\ProgramData and a scheduled task will be created called "WindowsRecoveryCleaner" to launch it using the command line:

schtasks /create /tn WindowsRecoveryCleaner /tr "C:\ProgramData\Iostream.exe" /st 00:00 /sc daily /du 9999:59 /ri 1 /f

The above command will cause the task to execute at 12AM every night, with the task repeating every minute. This allows the miner to restart quickly after it has been terminated.
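As an added example (not code from the original article), the following Python flags `schtasks /create` command lines, as seen in process-creation telemetry, that match this persistence pattern: a binary launched from a user-writable directory with a minute-level repetition interval that spans the whole day. The directory list and thresholds are assumed heuristics, and the sample command lines are constructed (the first reproduces the task from the article).

```python
import re

# Directories a normal maintenance task rarely launches from but that a
# user-level dropper can write to (assumed heuristic, not an exhaustive list).
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")

# Constructed sample: the task from the article and a benign weekly backup job.
SAMPLE_CMDLINES = [
    r'schtasks /create /tn WindowsRecoveryCleaner /tr "C:\ProgramData\Iostream.exe" /st 00:00 /sc daily /du 9999:59 /ri 1 /f',
    r'schtasks /create /tn NightlyBackup /tr "C:\Program Files\Backup\backup.exe" /st 02:00 /sc weekly /f',
]

def parse_schtasks(cmdline):
    """Map each /switch to its value (True for bare flags such as /f); quoted values keep spaces."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    opts, i = {}, 0
    while i < len(tokens):
        key = tokens[i].lower()
        if key.startswith("/") and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[key] = tokens[i + 1].strip('"')
            i += 2
        else:
            opts[key] = True
            i += 1
    return opts

def to_minutes(value):
    """schtasks durations are HHHH:MM (e.g. 9999:59); /ri is a bare minute count."""
    if ":" in value:
        hours, mins = value.split(":", 1)
        return int(hours) * 60 + int(mins)
    return int(value)

def task_indicators(cmdline):
    """Reasons a 'schtasks /create' line resembles the miner's restart-every-minute persistence."""
    opts = parse_schtasks(cmdline)
    if "/create" not in opts:
        return []
    reasons = []
    target = str(opts.get("/tr", "")).lower()
    if any(d in target for d in USER_WRITABLE):
        reasons.append("runs a binary from a user-writable directory: " + target)
    if "/ri" in opts and to_minutes(opts["/ri"]) <= 5:
        reasons.append("repeats every %d minute(s)" % to_minutes(opts["/ri"]))
    if "/du" in opts and to_minutes(opts["/du"]) >= 24 * 60:
        reasons.append("repetition window spans the whole day (/du %s)" % opts["/du"])
    return reasons

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        hits = task_indicators(line)
        print(("SUSPICIOUS " if len(hits) >= 2 else "ok         ") + line)
        for reason in hits:
            print("   - " + reason)
```

Two or more indicators on one line is the threshold used here; a single hit (for example a legitimate per-user task under AppData) is common and only worth a lower-severity alert.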

Scheduled Task Trigger for WindowsRecoveryCleaner

Once started, Iostream.exe will inject into the legitimate C:\Windows\system32\attrib.exe executable. Attrib is used to change certain attributes on a file and normally closes after completing. By injecting the miner into attrib.exe, though, the program will not close unless it is terminated.

You can see attrib.exe utilizing 93% of the computer's CPU in the image below.

Renamed Process Explorer Showing Miner

While running, the miner will constantly poll the list of running processes. If it detects processes running for Process Explorer, Task Manager, Process Monitor, Process Hacker, AnVir Task Manager, PlayerUnknown's Battlegrounds (PUBG), Counter-Strike: Global Offensive, Rainbow Six, or Dota 2, it will terminate the attrib.exe and Iostream.exe processes.

The full list of monitored processes is:

Taskmgr.exe
taskmgr.exe
ProcessHacker.exe
procexp.exe
procmon.exe
anvir.exe
dota2.exe
csgo.exe
TslGame.exe
RainbowSix.exe

Once a monitored process is terminated, the scheduled task will run the miner again within one minute. This allows the miner to terminate as needed and automatically start again when a blacklisted program is closed.

You can see this behavior in the video below.

As you can see, this is a clever method for a miner to stay undetected, as it only runs at times when the increased CPU utilization may not be noticed. Currently, the list of games is rather small and I would expect other popular games, such as Fortnite, to be added in the future.
