Security researchers from Qihoo 360 Total Security have detected a massive malware campaign spreading a new coinminer, one that appears to have infected roughly 500,000 victims in three days alone.
At the heart of this campaign is a new malware strain named WinstarNssmMiner, targeting Windows computers.
Under the hood, WinstarNssmMiner is typical of today's cryptocurrency-mining malware: it is built on XMRig, the legitimate, open-source Monero mining utility.
Qihoo 360 researchers did not say how WinstarNssmMiner spreads, but they said this coinminer differs from the other cryptocurrency-mining threats currently active.
The typical WinstarNssmMiner modus operandi, according to researchers, is the following:
But WinstarNssmMiner has another surprise in store for infected victims. If a user notices the hidden mining and tries to terminate the svchost.exe process hosting XMRig, the machine crashes with a blue screen and has to be restarted.
The crash occurs because the malware marks its svchost.exe process as a "critical process" (the per-process flag Windows exposes as ProcessBreakOnTermination and that RtlSetProcessIsCritical sets). Windows treats the exit of a critical process as fatal and raises the CRITICAL_PROCESS_DIED bugcheck, so killing the miner from Task Manager takes the whole system down with it. The flag can be read and cleared by an administrator before the process is terminated; simply killing it is the wrong first step.
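The following is an added example for responders, not code from the Qihoo 360 researchers or from the malware: it lists every process with the critical flag set, then clears the flag on an operator-chosen PID before terminating it, so the kill does not bugcheck the machine. It assumes an elevated PowerShell on Windows, that the suspicious PID is picked by hand from the report, and that information class 29 is ProcessBreakOnTermination in PROCESSINFOCLASS (it is); the NtProc class name and the function names are the example's own.

```powershell
# Added example (not the researchers' or the malware's code).
# Enumerates processes whose "critical process" flag (ProcessBreakOnTermination)
# is set, and clears it on a chosen PID before Stop-Process so the kill does not
# trigger the CRITICAL_PROCESS_DIED bugcheck.
# Assumptions: elevated PowerShell on Windows; $TargetPid is set by the operator.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NtProc {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr h, int cls, ref int info, int len, ref int ret);
    [DllImport("ntdll.dll")]
    public static extern int NtSetInformationProcess(IntPtr h, int cls, ref int info, int len);
}
'@

$ProcessBreakOnTermination = 29      # PROCESSINFOCLASS::ProcessBreakOnTermination
$PROCESS_QUERY_INFORMATION = 0x0400
$PROCESS_SET_INFORMATION   = 0x0200

# Changing the flag requires SeDebugPrivilege; enable it on this token.
[System.Diagnostics.Process]::EnterDebugMode()

function Get-CriticalFlag {
    param([int]$ProcessId)
    $h = [NtProc]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }   # access denied or already exited
    try {
        $flag = 0; $ret = 0
        $status = [NtProc]::NtQueryInformationProcess($h, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$ret)
        if ($status -ne 0) { return $null }
        return ($flag -ne 0)
    } finally { [void][NtProc]::CloseHandle($h) }
}

function Clear-CriticalFlag {
    param([int]$ProcessId)
    $h = [NtProc]::OpenProcess($PROCESS_SET_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $zero = 0
        $status = [NtProc]::NtSetInformationProcess($h, $ProcessBreakOnTermination, [ref]$zero, 4)
        if ($status -ne 0) { throw ("NtSetInformationProcess failed, NTSTATUS 0x{0:X8}" -f $status) }
    } finally { [void][NtProc]::CloseHandle($h) }
}

# 1. Report every process with the critical flag set. A few Windows processes
#    (csrss.exe and wininit.exe, for example) are legitimately critical; an
#    svchost.exe with the flag set is the anomaly described in the article.
Get-Process | ForEach-Object {
    if (Get-CriticalFlag -ProcessId $_.Id) {
        [pscustomobject]@{ Pid = $_.Id; Name = $_.ProcessName }
    }
} | Format-Table -AutoSize

# 2. Respond: clear the flag on the operator-chosen PID, then terminate it.
#    Do not Stop-Process a critical process first; that is the bugcheck path.
$TargetPid = 0   # set to the suspicious svchost.exe PID from the report above
if ($TargetPid -gt 0 -and (Get-CriticalFlag -ProcessId $TargetPid)) {
    Clear-CriticalFlag -ProcessId $TargetPid
    Stop-Process -Id $TargetPid -Force
}
```

The query half is safe to run on any host as a detection sweep; the response half only touches the PID you set. Clearing the flag needs PROCESS_SET_INFORMATION on the target plus SeDebugPrivilege, which is why the script enables debug mode up front; without it NtSetInformationProcess fails with an access-denied NTSTATUS rather than silently doing nothing.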
According to Qihoo 360 researchers, the group behind this operation has made 133 Monero with WinstarNssmMiner, worth around $28,000 at the time.
But WinstarNssmMiner is not the only new coinminer campaign Qihoo 360 researchers spotted. They also ran across IdleBuddyMiner, a threat that takes the opposite approach from WinstarNssmMiner.
Instead of sneakily mining Monero on infected hosts, IdleBuddyMiner asks nicely for permission via a popup.