Miner vs miner: Attack script seeks out and destroys competing currency crafters
There is no honour among CPU thieves
Cryptocurrency-mining malware-scum have started to write code that evicts rivals from compromised computers.
The miner in question was first noticed by SANS Internet Storm Center handler Xavier Mertens. Mertens spotted the PowerShell script on March 4, and noting that it kills any other CPU-greedy processes it spots on target machines, he wrote: “The fight for CPU cycles started!”
Pre-infection, the attack script checks whether a target machine is 32-bit or 64-bit and downloads files known to VirusTotal as
hpw64 (they're pretending to be HP drivers of some kind).
If successfully installed, the attack then lists running processes and kills any it doesn't like. Mertens noted that alongside ordinary Windows stuff, the list of death-marked processes includes many associated with cryptominers, some of which are listed below.
Silence Carbon xmrig32 nscpucnminer64 cpuminer xmr86 xmrig xmr
Mertens wrote that the script also checks for processes associated with security tools.
Marten's next post is also worth a look if you're a Linux admin. He followed up on this Tweet from ESET's Michal Malik.
https://t.co/KjDgSgGz94 < infects Linux servers— Michal Malík (@michalmalik) March 2, 2018
1) adds public key to authorized_keys
2) runs a coinminer
3) generates IP ranges, uses masscan
3a) to pwn Windows hosts with EternalBlue, then its payload downloads a PE file
3b) to pwn Linux hosts via Redis & downloads itself on pic.twitter.com/IvWzU1jBqy
It's a bash script that tries to push a miner onto Linux boxes, along with scanning the Internet for Windows machines vulnerable to the NSA's EternalBlue attack. ®