Kaspersky Lab experts have detected a new malicious program that hijacks the processing power of Windows-based systems to mine the Monero cryptocurrency.
In the current campaign, the malware disguises itself as legitimate ad blockers AdShield and Netshield, as well as the OpenDNS service.
Fakes are distributed through specially created sites, which can be accessed via a link from the search results.
Once launched, the malware changes the DNS settings on the device and redirects all of the user's requests to the cybercriminals' servers, which prevents the victim from reaching the websites of some antivirus vendors.
The malware then sends the data of the infected system to its creators and checks for updates.
At the next stage, the fake blocker launches a modified Transmission torrent client to download a mining module that is unique for each infected machine.
The XMRig cryptominer is launched under the guise of a legitimate find.exe utility. To ensure that this “service” is always running, a special task is created in the Windows Scheduler.
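Two of the behaviours described above leave traces a defender can check for on an endpoint: resolvers pointing somewhere other than the organisation's own DNS servers, and a scheduled task whose program carries the name of a built-in Windows tool (find.exe here) but lives outside the Windows directory. The script below is an added example written for this article, not code from Kaspersky Lab or from the campaign itself. It works on exported data so it runs offline: the sample scheduled-task rows, the adapter-to-resolver mapping, the approved-resolver list and the extra built-in names beyond find.exe are all constructed for illustration, and the `%windir%` expansion to `C:\Windows` is an assumption.

```python
import csv
import io
import ipaddress
import re
from typing import Dict, List

# Directories where genuine copies of Windows command-line tools live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Built-in tool names a dropped binary may borrow. find.exe is the one named in
# the report; the others are assumed extra names for illustration.
BUILTIN_NAMES = {"find.exe", "findstr.exe", "svchost.exe", "taskhost.exe"}
# Path fragments that indicate a location a normal user can write to (constructed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")

# Constructed sample in the layout of `schtasks /query /fo CSV /v`, reduced to a few
# columns: one benign Microsoft task and one task mimicking the behaviour in the report.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$"
"WS01","\AdShieldUpdate","Ready","WS01\user","C:\Users\user\AppData\Roaming\AdShield\find.exe --config cfg.json"
'''

# Constructed resolver data: 203.0.113.0/24 is a documentation range standing in for a rogue server.
SAMPLE_DNS = {"Ethernet": ["10.0.0.53", "203.0.113.7"], "Wi-Fi": ["10.0.0.54"]}
APPROVED_RESOLVERS = ["10.0.0.53", "10.0.0.54"]


def _executable_from_command(command: str) -> str:
    """Return the program path from a 'Task To Run' value, handling a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split()[0] if command else ""
    # schtasks shows %windir% / %SystemRoot% unexpanded; C:\Windows is assumed here.
    return re.sub(r"%(windir|systemroot)%", lambda m: "C:\\Windows", exe, flags=re.IGNORECASE)


def task_findings(csv_text: str) -> List[Dict[str, str]]:
    """Flag tasks whose program masquerades as a built-in tool or lives in a user-writable path."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        exe = _executable_from_command(row.get("Task To Run", ""))
        directory, _, name = exe.lower().rpartition("\\")
        directory += "\\"
        reasons = []
        if name in BUILTIN_NAMES and not directory.startswith(SYSTEM_DIRS):
            reasons.append("built-in tool name outside the Windows system directories")
        if any(marker in directory for marker in USER_WRITABLE):
            reasons.append("executable in a user-writable location")
        if reasons:
            findings.append({"task": row["TaskName"], "exe": exe, "reason": "; ".join(reasons)})
    return findings


def rogue_resolvers(resolvers_by_adapter: Dict[str, List[str]], approved: List[str]) -> Dict[str, List[str]]:
    """Return, per adapter, any configured DNS server that is not an approved resolver."""
    approved_set = {ipaddress.ip_address(a) for a in approved}
    rogue = {}
    for adapter, servers in resolvers_by_adapter.items():
        bad = [s for s in servers if ipaddress.ip_address(s) not in approved_set]
        if bad:
            rogue[adapter] = bad
    return rogue


if __name__ == "__main__":
    for finding in task_findings(SAMPLE_SCHTASKS_CSV):
        print(f"task {finding['task']} -> {finding['exe']}: {finding['reason']}")
    for adapter, servers in rogue_resolvers(SAMPLE_DNS, APPROVED_RESOLVERS).items():
        print(f"adapter {adapter} uses unapproved DNS server(s): {', '.join(servers)}")
```

On a real host the two inputs would come from `schtasks /query /fo CSV /v` and from the adapter DNS configuration; the checks themselves are deliberately simple, because a resolver that is not yours, or a find.exe that is not in System32, is worth a look regardless of which campaign put it there.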
Since the beginning of February, Kaspersky Lab has registered over 7,000 unique attempts to install fake applications as part of the current campaign. On peak days, cybercriminals carried out over 2,500 attacks, mainly in the Russian Federation and other CIS countries.
Researchers believe the current attacks are a continuation of the summer campaign that Avast uncovered. At that time, attackers distributed malware under the guise of the Malwarebytes antivirus installer.
Hodlmonks previously reported that scammers have long used macOS computers for hidden cryptocurrency mining. For five years, OSAMiner managed to avoid detection.