Miner vs miner: Attack script seeks out and destroys competing currency crafters

There is no honour among CPU thieves

By Richard Chirgwin

Posted in Security, 6th March 2018 04:57 GMT

Cryptocurrency-mining malware-scum have started to write code that evicts rivals from compromised computers.

The miner in question was first noticed by SANS Internet Storm Center handler Xavier Mertens. Mertens spotted the PowerShell script on March 4, and noting that it kills any other CPU-greedy processes it spots on target machines, he wrote: “The fight for CPU cycles started!”

Before infecting a host, the script checks whether the target machine is 32-bit or 64-bit and downloads the matching payload, known to VirusTotal as hpdriver.exe or hpw64 (both pretending to be HP drivers of some kind).

If successfully installed, the attack then lists running processes and kills any it doesn't like. Mertens noted that alongside ordinary Windows stuff, the list of death-marked processes includes many associated with cryptominers, some of which are listed below.

Silence
Carbon
xmrig32
nscpucnminer64
cpuminer
xmr86
xmrig
xmr

Mertens wrote that the script also checks for processes associated with security tools.
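As an added illustration (this is not the script Mertens analysed and is not part of the original article), the following Python host-triage routine shows how a defender can turn the same kill-list names into detection. It parses `tasklist /V /FO CSV` output, flags processes that match the miner names quoted above or the dropper's fake-HP-driver file names, and, because a renamed miner would pass both name checks, also flags any CPU-hungry process that is not on an allow list. The sample tasklist output, the allow list and the ten-minute CPU-time threshold are constructed assumptions.

```python
"""Host triage for miner-vs-miner activity (added example, not the analysed script).

Reads `tasklist /V /FO CSV` output and flags three things:
  1. process names on the attacker's kill list quoted in the article (known miners),
  2. the dropper's payload names (hpdriver.exe / hpw64) posing as HP drivers,
  3. any process with a lot of accumulated CPU time that is not on an allow list,
     since a renamed miner matches neither name check.
"""
import csv
import io
from dataclasses import dataclass

# Names taken from the article's excerpt of the kill list; lower-cased, no extension.
# Matching is exact on the base name, so "xmr" flags a process called xmr.exe but
# not xmrig.exe (which is listed separately); substring matching would be noisier.
KNOWN_MINER_NAMES = {
    "silence", "carbon", "xmrig32", "nscpucnminer64", "cpuminer", "xmr86", "xmrig", "xmr",
}

# File names the article says VirusTotal knows the payloads by.
PAYLOAD_NAMES = {"hpdriver", "hpw64"}

# Assumed allow list: legitimate CPU-heavy processes expected on the host being triaged.
CPU_ALLOW_LIST = {"system", "system idle process", "msmpeng", "chrome"}

# Assumed threshold: ten minutes of accumulated CPU time for an unknown process is worth a look.
CPU_SECONDS_THRESHOLD = 600


@dataclass
class Finding:
    pid: int
    image: str
    reason: str


def _basename_no_ext(image: str) -> str:
    """Normalise an 'Image Name' cell: lower-case and drop a trailing .exe."""
    name = image.strip().lower()
    if name.endswith(".exe"):
        name = name[:-4]
    return name


def _cpu_seconds(cpu_time: str) -> int:
    """Parse tasklist's 'CPU Time' column (H:MM:SS, hours may exceed 24) into seconds."""
    hours, minutes, seconds = (int(part) for part in cpu_time.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def triage(tasklist_csv: str) -> list[Finding]:
    """Return one Finding per suspicious row of `tasklist /V /FO CSV` output."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        image = row["Image Name"]
        pid = int(row["PID"])
        name = _basename_no_ext(image)
        if name in KNOWN_MINER_NAMES:
            findings.append(Finding(pid, image, "known miner name (on the attacker's kill list)"))
        elif name in PAYLOAD_NAMES:
            findings.append(Finding(pid, image, "payload name posing as an HP driver"))
        elif name not in CPU_ALLOW_LIST and _cpu_seconds(row["CPU Time"]) >= CPU_SECONDS_THRESHOLD:
            findings.append(Finding(pid, image, "CPU-hungry process not on allow list (possible renamed miner)"))
    return findings


# Constructed sample of `tasklist /V /FO CSV` output; the PIDs, users and timings are made up.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System Idle Process","0","Services","0","8 K","Unknown","NT AUTHORITY\\SYSTEM","52:11:03","N/A"
"svchost.exe","912","Services","0","21,344 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:41","N/A"
"explorer.exe","3320","Console","1","78,120 K","Running","LAB\\alice","0:02:10","N/A"
"xmrig.exe","4412","Console","1","132,640 K","Running","LAB\\alice","3:15:22","N/A"
"hpdriver.exe","5180","Services","0","96,512 K","Unknown","NT AUTHORITY\\SYSTEM","1:02:05","N/A"
"svc_update.exe","5204","Console","1","141,008 K","Running","LAB\\alice","0:47:39","N/A"
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE_TASKLIST):
        print(f"PID {finding.pid:>6}  {finding.image:<20}  {finding.reason}")
```

On a live host, feed the function the output of `tasklist /V /FO CSV` captured from the machine under investigation; the CPU-time heuristic needs the allow list tuned to that machine's workload, and a match on name alone should be confirmed against the binary's path and hash rather than treated as proof.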

Mertens' next post is also worth a look if you're a Linux admin. He followed up on a tweet from ESET's Michal Malik.

It describes a bash script that tries to push a miner onto Linux boxes and also scans the internet for Windows machines vulnerable to the NSA's leaked EternalBlue exploit. ®
