360 Total Security Blog

Shutdown Timer CryptoMiner outbreak infects over 200,000 within a week


Recently, 360 Security Center discovered a new CryptoMiner Trojan that infected hundreds of thousands of computers in one week. The Trojan is installed along with various tools such as software cracks or plugins; it infects the user's computer and installs an unwanted program called Shutdown Timer. Shutdown Timer runs a service that silently installs mining components. We named it “ShutdownTimerBundlerMiner”.

Analysis

The Trojan is bundled with various software cracks or plugins to infect victims' computers. The plugins promote the installation of Shutdown Timer. The website is http://greeenanalytics.com/, and the file downloaded is timer-latest.exe.

The program installs %userprofile%\appdata\roaming\software updater\softwareupdater.exe as a system service. The service runs when the system starts up and starts a timer through a C# script that takes parameters.

The code of the timer.

The timer triggers the execution.

It sends requests to the server and decides its behavior based on the responses.

The commands supported by the script:

The “File” command will update mining modules.

The address of the miner is http://greeenanalytics.com/apps/hasher/appmgr.exe

The address of the miner module is http://greeenanalytics.com/apps/hasher/appmgr.dll

The module will be registered as a service and will start mining when the system starts up. The mining pool address will be written in a configuration file.
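
A defender's triage check built from the indicators named above (the service binary path, the greeenanalytics.com host and the two appmgr URLs), added here as an example and not code from 360's analysis. The function names, the labels and the sample services and URLs are constructed; the service pairs are assumed to come from an inventory such as the Name and PathName fields of Win32_Service.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the write-up above.
SITE_HOST = "greeenanalytics.com"
MINER_PATHS = {"/apps/hasher/appmgr.exe", "/apps/hasher/appmgr.dll"}
# Service binary location relative to %userprofile%, compared in lower case.
SERVICE_SUFFIX = r"\appdata\roaming\software updater\softwareupdater.exe"


def service_binary(path_name):
    """Extract the executable from a service command line (quoted or not)."""
    path_name = path_name.strip()
    if path_name.startswith('"'):
        return path_name[1:].split('"', 1)[0]
    # Unquoted: stop at the first ".exe" so trailing arguments are dropped.
    m = re.match(r"(.+?\.exe)(\s|$)", path_name, re.IGNORECASE)
    return m.group(1) if m else path_name


def suspicious_services(services):
    """services: iterable of (name, path_name) pairs from a host inventory."""
    return [name for name, path_name in services
            if service_binary(path_name).lower().endswith(SERVICE_SUFFIX)]


def classify_url(url):
    """Label a proxy-log URL: 'miner-download', 'site-contact' or None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Exact host or a subdomain only, so look-alike names do not match.
    if host != SITE_HOST and not host.endswith("." + SITE_HOST):
        return None
    return "miner-download" if parts.path.lower() in MINER_PATHS else "site-contact"


# Constructed sample data (not from the original post).
SAMPLE_SERVICES = [
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("SoftUpd", r'"C:\Users\alice\AppData\Roaming\Software Updater\softwareupdater.exe" /run'),
    ("VendorUpd", r"C:\Program Files\Vendor\softwareupdater.exe"),
]
SAMPLE_URLS = [
    "http://greeenanalytics.com/apps/hasher/appmgr.dll",
    "http://GREEENANALYTICS.com/",
    "http://notgreeenanalytics.com/apps/hasher/appmgr.exe",
    "https://example.org/greeenanalytics.com",
]

if __name__ == "__main__":
    print(suspicious_services(SAMPLE_SERVICES))
    print([classify_url(u) for u in SAMPLE_URLS])
```

A legitimate updater that happens to be named softwareupdater.exe under Program Files is not flagged, because the match requires the per-user roaming path given in the analysis.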

So far, only two antivirus products, including 360 Total Security, are able to detect this kind of Trojan.

Reminder

Recently, we have found that a lot of CryptoMiner Trojans are actively spreading in the wild. We strongly recommend that users keep antivirus software enabled while installing new applications. Users are also advised to run a virus scan with 360 Total Security to avoid falling victim to CryptoMiner.

Download 360 Total Security: https://www.360totalsecurity.com