WinstarNssmMiner is cryptocurrency-mining malware that Qihoo 360 Total Security detected targeting Windows computers over 500 times in a span of 3 days. Once a system is infected, the malware is difficult to remove, and it will ultimately crash the computer if it detects an attempt to remove it.

After infection, if the malware detects that the system is running Avast or Kaspersky antivirus products, it automatically quits to avoid any confrontation. If neither of those antivirus solutions is detected, it creates two svchost.exe system processes and injects them with malicious code. The first svchost.exe carries out the mining with the XMRig Monero miner, using four different mining pools that are used depending on the parameters of the system. The second svchost.exe process watches for other antivirus processes that it can shut down to avoid detection, and also watches for attempts by the victim to stop the mining process. If the victim does try to stop the XMRig mining process, the malware crashes the system, which then requires a restart.
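A detection sketch for the svchost.exe behaviour described above, as an added example that is not part of the original write-up or the Qihoo 360 report: it flags svchost.exe process-creation events that do not match how Windows normally starts the service host (parent services.exe, a System32 or SysWOW64 path, a -k group argument). The page does not say how the malware launches its two svchost.exe processes, so the rules are a generic heuristic, and the events, the dropper.exe parent and the process IDs are constructed.

```python
import ntpath

# Expected launch context for the genuine Windows service host.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
LEGIT_PARENT = r"c:\windows\system32\services.exe"


def check_svchost(event):
    """Return the reasons a process-creation event looks like an impostor or
    injected svchost.exe; an empty list means nothing stood out."""
    image = event["Image"].lower()
    if ntpath.basename(image) != "svchost.exe":
        return []
    reasons = []
    if ntpath.dirname(image) not in LEGIT_DIRS:
        reasons.append("unexpected image path")
    if event["ParentImage"].lower() != LEGIT_PARENT:
        reasons.append("parent is not services.exe")
    if "-k" not in event["CommandLine"].lower().split():
        reasons.append("no -k service group argument")
    return reasons


def triage(events):
    """Map ProcessId -> reasons for every flagged svchost.exe creation."""
    hits = ((ev["ProcessId"], check_svchost(ev)) for ev in events)
    return {pid: why for pid, why in hits if why}


# Constructed sample events (field names follow Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"ProcessId": 812, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\Public\dropper.exe",  # hypothetical parent
     "CommandLine": r"C:\Windows\System32\svchost.exe"},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\Public\dropper.exe",  # hypothetical parent
     "CommandLine": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for pid, why in triage(SAMPLE_EVENTS).items():
        print(pid, "; ".join(why))
```

Two flagged svchost.exe processes sharing one non-services.exe parent is the pattern worth escalating first, since the write-up describes a miner process and a watchdog process created together.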

Reporting and Technical Details:

  • May 2018: CryptoMiner, WinstarNssmMiner, Has Made a Fortune By Brutally Hijacking Computers. (Qihoo 360)