An information security consultant from Belgium discovered an unusual script for the Windows PowerShell console. Xavier Mertens reported malware that masquerades as a printer driver and, once installed, launches a program that mines Monero.
The Fight for CPU Cycles
The miner not only uses the computer's resources to enrich its owner but also competes with other processes for the available computing power. Once on a device, it scans the running applications and terminates those that could prevent it from occupying the CPU as fully as possible.
The malicious code contains a list of processes that are not critical to Windows but can nevertheless put a heavy load on the machine. Curiously, the script searches for and terminates not only legitimate programs but also other Trojans used to mine cryptocurrency.
The list of competing applications hard-coded in the malware's source is quite extensive, with 34 entries. The miner itself appears in Task Manager as AMDDriver64. The malware comes in two variants, for 32-bit and 64-bit Windows; the computer downloads hpdriver.exe or hpw64.exe, respectively.
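The two behaviours described above (a process that shows up under a reported miner name, and a script block that terminates an unusually long list of other processes) are both things a defender can look for in endpoint telemetry. The following is an added example written for this page, not code from the article or from the malware: it runs two simple detection rules over constructed log records shaped like process-creation and PowerShell script-block events. The record layout, the threshold of 10 distinct kill targets, and all sample paths and process names (app00, svc00 and so on) are assumptions or placeholders; only AMDDriver64, hpdriver.exe and hpw64.exe come from the article.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Process/file names the article reports for this miner: the 32-bit and
# 64-bit downloads (hpdriver.exe, hpw64.exe) and the Task Manager name
# (AMDDriver64).
MINER_INDICATORS = {"amddriver64", "amddriver64.exe", "hpdriver.exe", "hpw64.exe"}

# A script block that terminates at least this many distinct named processes
# is treated as suspicious. The threshold is an assumption; the article's
# sample carries a 34-item list, far beyond ordinary administrative use.
KILL_LIST_THRESHOLD = 10

KILL_COMMAND = re.compile(r"\b(?:Stop-Process|taskkill(?:\.exe)?)\b", re.IGNORECASE)
# Argument lists that directly follow a process-selection or termination switch.
NAME_ARGS = re.compile(
    r"(?:Stop-Process\s+-Name|Get-Process(?:\s+-Name)?|/IM)\s+([^|;\r\n]+)",
    re.IGNORECASE,
)
STRING_LITERAL = re.compile(r"""["']([A-Za-z0-9_.\-]+)["']""")


@dataclass
class Finding:
    rule: str
    detail: str


def check_process_image(image: str) -> Optional[Finding]:
    """Flag a process-creation record whose image name matches a reported indicator."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in MINER_INDICATORS:
        return Finding("miner-name", f"{image} matches a reported miner file/process name")
    return None


def kill_targets(script_text: str) -> set:
    """Collect the distinct process names a script block passes to Stop-Process/taskkill.

    Direct arguments are parsed first; when the names live in a variable (a
    common layout), quoted string literals in the block serve as a fallback.
    This is a heuristic and can over-count string-heavy scripts.
    """
    if not KILL_COMMAND.search(script_text):
        return set()
    targets = set()
    for m in NAME_ARGS.finditer(script_text):
        for tok in re.split(r"[,\s]+", m.group(1).strip()):
            if tok.startswith("-"):
                break  # named PowerShell parameters follow the name list
            if not tok or tok.startswith(("/", "$")):
                continue  # taskkill switches, empty tokens, variables
            targets.add(tok.strip("'\"").lower())
    if len(targets) < KILL_LIST_THRESHOLD:
        targets |= {s.lower() for s in STRING_LITERAL.findall(script_text)}
    return targets


def check_script_block(script_text: str) -> Optional[Finding]:
    """Flag a script block that terminates an unusually long list of processes."""
    targets = kill_targets(script_text)
    if len(targets) >= KILL_LIST_THRESHOLD:
        return Finding("mass-process-kill", f"script terminates {len(targets)} distinct processes")
    return None


def scan(records):
    """Run both rules over records of the form {'type': 'process'|'scriptblock', ...}."""
    findings = []
    for rec in records:
        if rec["type"] == "process":
            f = check_process_image(rec["image"])
        else:
            f = check_script_block(rec["text"])
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry (paths and app/svc names are placeholders).
SAMPLE_RECORDS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\hpw64.exe"},
    {"type": "process", "image": "AMDDriver64"},
    {"type": "scriptblock", "text": "Get-Process notepad | Stop-Process -Force"},
    {"type": "scriptblock",
     "text": "Stop-Process -Name " + ",".join(f'"app{i:02d}"' for i in range(12))
             + " -Force -ErrorAction SilentlyContinue"},
    {"type": "scriptblock",
     "text": "$victims = " + ",".join(f"'svc{i:02d}'" for i in range(15))
             + "\nforeach ($v in $victims) { Stop-Process -Name $v -ErrorAction SilentlyContinue }"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(f"[{finding.rule}] {finding.detail}")
```

The name rule is brittle on its own, since a file name is trivial to change; the mass-kill rule keys on the behaviour the article describes and survives renaming, which is why the two are combined.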
The malware mines Monero to a single wallet whose address is hard-coded in its code. At the time of writing, the wallet is active and continues to receive cryptocurrency.
Identifying the attacker is difficult, since one of Monero's (XMR) main advantages is its anonymity and privacy, a feature cybercriminals readily exploit. From websites mining Monero with visitors' CPUs to Android apps shipped with mining scripts, in every case it is Monero, which is gradually becoming one of the world's most crime-linked currencies.