MassMiner is a cryptocurrency-mining malware that has been observed to use worm-like capabilities to spread through multiple exploits. First, to find a vulnerable system, MassMiner uses a reconnaissance tool called MassScan, which can scan the internet in under six minutes. The malware looks for systems that still contain these three vulnerabilities: WebServer Exploit (CVE-2017-10271), EternalBlue (CVE-2017-0143), and Apache Struts Exploit (CVE-2017-5638). Once the malware infects a system, it begins the process of maintaining persistence: MassMiner makes copies of itself in the startup folder and schedules tasks to execute its components. To avoid detection, a command is used to kill the Windows Firewall, so that the malware is able to talk to the C&C server. After the firewall is turned off, a configuration file is downloaded from the C&C server that specifies which server to get updates from, the executable to infect other machines with, and the wallet address to which the mined Monero cryptocurrency is sent. The mining process is carried out by the malware using the popular XMRig Monero miner. Additionally, the malware installs the Gh0st RAT, which communicates with the domain rat.kingminer[.]club.
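The persistence and defence-evasion chain described above (a copy dropped in the Startup folder, a scheduled task to run it, the Windows Firewall switched off) is something a defender can correlate per host in endpoint telemetry. The following is an added detection sketch, not code from the report or from the malware; the events are constructed and the field names (`host`, `etype`, `cmd`, `path`) only loosely imitate Sysmon process-creation and file-creation records.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Field names loosely follow
# Sysmon: etype 1 = process creation (cmd), etype 11 = file creation (path).
SAMPLE_EVENTS = [
    {"host": "ws01", "etype": 11,
     "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe"},
    {"host": "ws01", "etype": 1,
     "cmd": r'schtasks.exe /create /tn "upd" /tr "C:\Users\bob\AppData\Roaming\svc.exe" /sc onstart'},
    {"host": "ws01", "etype": 1, "cmd": "netsh advfirewall set allprofiles state off"},
    {"host": "ws02", "etype": 1, "cmd": "netsh advfirewall show allprofiles"},
    {"host": "ws02", "etype": 11, "path": r"C:\Users\alice\Documents\notes.txt"},
]

# One pattern per behaviour described in the write-up.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Programs\\Startup\\".replace(r"\\Programs", "", 1), re.IGNORECASE)
SCHTASKS_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)
# Covers both the current and the legacy netsh syntax for turning the firewall off.
FW_OFF_RE = re.compile(
    r"\bnetsh(\.exe)?\b.*firewall.*(state\s+off|opmode\s+(mode=)?disable)", re.IGNORECASE)

def classify(event):
    """Return the set of MassMiner-style behaviour tags a single event matches."""
    tags = set()
    if event["etype"] == 11 and STARTUP_RE.search(event.get("path", "")):
        tags.add("startup_copy")
    if event["etype"] == 1:
        cmd = event.get("cmd", "")
        if SCHTASKS_RE.search(cmd):
            tags.add("scheduled_task")
        if FW_OFF_RE.search(cmd):
            tags.add("firewall_off")
    return tags

def find_suspect_hosts(events, min_tags=2):
    """Group tags by host and report hosts showing at least min_tags distinct
    behaviours: one scheduled task is routine, the combination is not."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_tags}

if __name__ == "__main__":
    for host, tags in find_suspect_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
```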

Reporting and Technical Details:

  • May 2018: MassMiner Malware Targeting Web Servers. (Alien Vault)

Image Source: BleepingComputer


WinstarNssmMiner is a cryptocurrency-mining malware that Qihoo 360 Total Security detected targeting Windows computers over 500 times in a span of 3 days. Once a system is infected with the malware, it is difficult to remove, and the malware will ultimately crash your computer if it detects that you are trying to remove it. Once a victim is infected, if the malware detects that the system is running Avast or Kaspersky antivirus products, it automatically quits to avoid any confrontation. If neither of those antivirus solutions is detected, two svchost.exe system processes are created and injected with malicious code. The first svchost.exe carries out the mining process using the XMRig Monero miner, choosing among four different mining pools according to the parameters of the system. The second svchost.exe process watches for other antivirus processes that it can shut down to avoid detection, and also watches to see whether the victim tries to stop the mining process. If the victim does try to stop the XMRig mining process, the malware crashes the system and forces a restart.

Reporting and Technical Details:

  • May 2018: CryptoMiner, WinstarNssmMiner, Has Made a Fortune By Brutally Hijacking Computers. (Qihoo 360)