
Miner vs miner: Attack script seeks out and destroys competing currency crafters

There is no honour among CPU thieves

By Richard Chirgwin


Cryptocurrency-mining malware-scum have started to write code that evicts rivals from compromised computers.

The miner in question was first noticed by SANS Internet Storm Center handler Xavier Mertens. Mertens spotted the PowerShell script on March 4, and noting that it kills any other CPU-greedy processes it spots on target machines, he wrote: “The fight for CPU cycles started!”

Pre-infection, the attack script checks whether a target machine is 32-bit or 64-bit and downloads files known to VirusTotal as hpdriver.exe or hpw64 (they're pretending to be HP drivers of some kind).

If successfully installed, the attack then lists running processes and kills any it doesn't like. Mertens noted that alongside ordinary Windows stuff, the list of death-marked processes includes many associated with cryptominers, some of which are listed below.

Silence
Carbon
xmrig32
nscpucnminer64
cpuminer
xmr86
xmrig
xmr

Mertens wrote that the script also checks for processes associated with security tools.
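As an added detection example (not part of the article or of the script it describes), the Python below runs over constructed Sysmon-style ProcessAccess (Event ID 10) records and flags any process that requests terminate rights on several other processes within a short window, plus any process or target whose name matches the kill list above or the fake HP driver filenames; the log line format, sample paths and the three-target threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import basename

# Kill-list entries named in the article, and the fake "HP driver" filenames it mentions.
MINER_NAMES = {"silence", "carbon", "xmrig32", "nscpucnminer64", "cpuminer", "xmr86", "xmrig", "xmr"}
DROPPER_NAMES = {"hpdriver.exe", "hpw64"}
PROCESS_TERMINATE = 0x0001  # bit in the GrantedAccess mask of a Sysmon ProcessAccess event

# Constructed Sysmon-style ProcessAccess (Event ID 10) lines; not real telemetry.
SAMPLE_EVENTS = [
    "2018-03-04T10:00:00 SourceImage=C:\\Users\\u\\hpdriver.exe TargetImage=C:\\Users\\u\\xmrig.exe GrantedAccess=0x1",
    "2018-03-04T10:00:01 SourceImage=C:\\Users\\u\\hpdriver.exe TargetImage=C:\\Users\\u\\cpuminer.exe GrantedAccess=0x1",
    "2018-03-04T10:00:02 SourceImage=C:\\Users\\u\\hpdriver.exe TargetImage=C:\\Users\\u\\xmr86.exe GrantedAccess=0x1",
    "2018-03-04T10:00:03 SourceImage=C:\\Windows\\explorer.exe TargetImage=C:\\Windows\\notepad.exe GrantedAccess=0x1410",
    "2018-03-04T10:05:00 SourceImage=C:\\Windows\\System32\\taskmgr.exe TargetImage=C:\\Users\\u\\chrome.exe GrantedAccess=0x1",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) SourceImage=(?P<src>\S+) TargetImage=(?P<dst>\S+) GrantedAccess=(?P<acc>0x[0-9a-fA-F]+)$")

def parse_event(line):
    """Return (timestamp, source basename, target basename, access mask) or None for a non-matching line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), basename(m["src"]).lower(),
            basename(m["dst"]).lower(), int(m["acc"], 16))

def find_mass_terminators(lines, min_targets=3, window=timedelta(seconds=60)):
    """Map source -> sorted targets for sources that opened >= min_targets distinct processes
    with PROCESS_TERMINATE inside one sliding window; a miner evicting rivals looks like this."""
    opens = defaultdict(list)  # source -> [(timestamp, target)]
    for line in lines:
        ev = parse_event(line)
        if ev and ev[3] & PROCESS_TERMINATE:
            opens[ev[1]].append((ev[0], ev[2]))
    hits = {}
    for src, events in opens.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {t for ts, t in events[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits

def flag_known_names(lines):
    """Return every source or target basename matching the article's kill list or dropper names."""
    names = set()
    for line in lines:
        ev = parse_event(line)
        for name in (ev[1], ev[2]) if ev else ():
            if name in DROPPER_NAMES or name.rsplit(".", 1)[0] in MINER_NAMES:
                names.add(name)
    return sorted(names)
```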

Mertens' next post is also worth a look if you're a Linux admin. He followed up on a tweet from ESET's Michal Malik.

It's a bash script that tries to push a miner onto Linux boxes, along with scanning the Internet for Windows machines vulnerable to the NSA's EternalBlue attack. ®
