
NRSMiner

Posted: January 14, 2019

NRSMiner is a cryptocurrency-mining Trojan that uses your PC's hardware to generate Monero for a third party's account. NRSMiner spreads by automatically searching local networks for vulnerable systems and includes stealth features that hide it from casual inspection. Have your anti-malware products delete NRSMiner immediately, double-check the security status of your LANs, and update all associated software to block future exploitation through the same means.

Vietnam Becomes a Little More Blue

An update to the preexisting NRSMiner campaign is hitting Vietnam especially hard, with over half of the verifiable infections coming from Windows systems in that country. However, other parts of Asia and the Middle East, ranging from China and Malaysia to Iran, also are struggling with unauthorized access to their networks for crypto-mining purposes. NRSMiner's update, like the DBGer Ransomware, the SkyFile Ransomware, and the competing Adylkuzz Crypto-Miner, leverages the EternalBlue exploit for its installations.

NRSMiner spreads by scanning port 445 for any reachable machines that have yet to patch the EternalBlue SMB vulnerability, an exploit originally developed by the United States' National Security Agency. It cements the attack with the DoublePulsar backdoor and uses slightly different installation methods for 32-bit versus 64-bit Windows PCs. As usual, malware experts find NRSMiner injecting its mining module into the preexisting svchost.exe process, which is present on all Windows machines, to stay hidden while it mines.

The mining feature uses XMRig's code to create Monero cryptocurrency. While it does so, it may cause spikes in hardware temperature, low memory, and various other performance issues. In extreme cases, prolonged cryptocurrency mining under unsafe settings, such as those a remote attacker chooses, even may damage hardware or reduce the lifespan of your CPU or GPU. Additionally, malware experts verify that NRSMiner includes some limited data-exfiltrating features that may compromise logins and other credentials.

Collapsing NRSMiner's Tunnels of Free Money

NRSMiner is an excellent example of why updating one's software regularly is critical; a 2017-dated patch from Microsoft closes the EternalBlue exploit that the Trojan uses to install itself. Until the patch is applied, users should disable SMBv1 as a stopgap measure. Since NRSMiner includes a self-updating feature, it may add new functionality that this article doesn't currently cover, although, for now, malware experts reaffirm that XMRig-based Monero mining remains the threat's primary feature.
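The stopgap above (disable SMBv1, and confirm nothing unpatched is exposed on port 445) can be audited from an elevated PowerShell session with the added script below; it is not part of the original article and uses only standard Windows cmdlets. It assumes a Windows 10-style client where the optional feature is named SMB1Protocol, and the `-PatchKBs` values are placeholders, since the article does not list the KB numbers of the 2017 patch.

```powershell
# Added example (not from the original article): audit and optionally disable SMBv1
# on a Windows host, the stopgap the article recommends until the EternalBlue patch
# is applied. Run in an elevated PowerShell session. The -PatchKBs values are
# placeholders; look up the KB numbers for your Windows build from Microsoft.
param(
    [switch]$Disable,
    [string[]]$PatchKBs = @()   # e.g. 'KB<build-specific-id>' (placeholder)
)

# 1. Server-side SMBv1: this is the dialect a port-445 scanner would try to use.
$srv = Get-SmbServerConfiguration
Write-Host ("SMBv1 server protocol enabled : {0}" -f $srv.EnableSMB1Protocol)

# 2. The SMB1Protocol optional feature (covers the client/driver side as well).
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Host ("SMB1Protocol feature state    : {0}" -f $feat.State)

# 3. Is anything listening on TCP/445 at all? Hosts that need not serve files can
#    firewall the port instead of merely turning off the old dialect.
$listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
Write-Host ("TCP/445 listeners             : {0}" -f @($listen).Count)

# 4. Optional hotfix check for the KB ids you supplied (placeholders by default).
foreach ($kb in $PatchKBs) {
    $present = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
    Write-Host ("Hotfix {0} installed: {1}" -f $kb, $present)
}

# 5. Apply the stopgap only when asked to, so the script is safe to run as an audit.
if ($Disable) {
    if ($srv.EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "SMBv1 server protocol disabled."
    }
    if ($feat.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Host "SMB1Protocol feature removed; a reboot is required to finish."
    }
}
```

Run it without switches first to see the current state, then with `-Disable` once you have confirmed no legacy device on the LAN still depends on SMBv1.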

Disabling network connectivity is essential to keep NRSMiner from opportunistically infecting new systems. Although NRSMiner doesn't run as an independent process and takes some steps to hide its executables inside Windows' core locations, most security and AV products should identify it adequately. Have your anti-malware programs eliminate NRSMiner before taking further steps to reevaluate the integrity of your network and hardware, as appropriate.

As already mentioned, NRSMiner is far from the only threat using patchable exploits for purposes ranging from stealing data to blocking your files to hijacking your processor. Attacks like NRSMiner's should be prevented wherever possible, lest their ability to download updates to themselves create harder-to-correct problems later.
