Kaspersky Lab experts detected a new malicious program that hijacks the resources of Windows-based systems to mine the Monero cryptocurrency.
In the current campaign, the malware masquerades as legitimate ad blockers AdShield and Netshield, as well as the OpenDNS service.
The fakes are distributed through specially created sites that can be accessed via a link from search results.
After execution, the malware changes the DNS settings on the device and redirects all user requests to the attackers’ servers, which prevent the victim from accessing certain antivirus sites.
Then the malware sends data about the infected system to its creators and checks for updates.
In the next stage, the fake ad blocker launches a modified Transmission torrent client to download a mining module unique to each infected machine.
The XMRig cryptominer is launched under the guise of a legitimate utility, find.exe. To ensure the service runs continuously, a dedicated task is created in Windows Task Scheduler.
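A defender-side triage check for the two host artifacts described above (a scheduled task that launches a binary named find.exe and rewritten DNS client settings), added here as an example; it is not from the article or from Kaspersky's report. The task name and install path are not given in the article, so the script matches on the file name only, and the list of expected DNS resolvers is a placeholder you must replace.

```powershell
# Added triage script: hunts for the artifacts the report describes.
# Assumptions: task name/path unknown (matched by file name only);
# $ExpectedDns is a placeholder for your own resolvers.
$WinDir = $env:WINDIR

# 1. Scheduled tasks whose action runs "find.exe" from outside the Windows directory.
#    The real find.exe lives under %WINDIR%\System32; a copy elsewhere, or a bare
#    "find.exe" resolved through PATH, deserves a closer look.
$SuspiciousTasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe = [Environment]::ExpandEnvironmentVariables("$($action.Execute)").Trim('"')
        if ($exe -and ([IO.Path]::GetFileName($exe) -ieq 'find.exe') -and
            -not $exe.StartsWith($WinDir, [StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                State    = $task.State
                Execute  = $exe
                Args     = $action.Arguments
            }
        }
    }
}

# 2. Adapters whose DNS servers differ from the resolvers you expect.
#    The malware points DNS at attacker-controlled servers; a mismatch is a lead,
#    not proof, so compare against the resolvers your environment actually uses.
$ExpectedDns = @('1.1.1.1', '8.8.8.8')   # placeholder: replace with your organisation's resolvers
$DnsFindings = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Where-Object { @($_.ServerAddresses | Where-Object { $_ -notin $ExpectedDns }).Count -gt 0 } |
    Select-Object InterfaceAlias, ServerAddresses

if ($SuspiciousTasks) {
    Write-Output "Scheduled tasks launching find.exe outside $WinDir :"
    $SuspiciousTasks | Format-Table -AutoSize
} else {
    Write-Output "No scheduled task launching find.exe from outside $WinDir."
}

if ($DnsFindings) {
    Write-Output "Adapters with unexpected DNS servers:"
    $DnsFindings | Format-Table -AutoSize
} else {
    Write-Output "All adapters use the expected DNS resolvers."
}
```

Run it in an elevated PowerShell session so that tasks registered by other users are enumerated; a hit on either check should be followed by collecting the flagged binary and task XML rather than deleting them immediately.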
Since the beginning of February, Kaspersky Lab has logged more than 7,000 unique attempts to install counterfeit applications in the current campaign. On peak days, attackers carried out more than 2,500 attacks—primarily in Russia and other CIS countries.
Researchers believe the current attacks are a continuation of the summer campaign identified by Avast. At that time, attackers distributed malware masquerading as the Malwarebytes antivirus installer.
Earlier ForkLog reported that macOS-based computers had long been used by scammers for covert cryptocurrency mining. For five years OSAMiner managed to evade detection.
