Tencent Security Threat Intelligence Center has found that the MyKings botnet, which was created in February 2017, has become more active recently. The botnet's main threats are controlling zombie computers to carry out DDoS attacks, configuring proxy servers, spreading remote control Trojans, and spreading mining Trojans. In addition, the group has recently begun to use newly registered domain names to spread the NSISMiner mining Trojan, while also robbing Bitcoin miners and people involved in cryptocurrency transactions.

Analysis shows that the NSISMiner mining Trojan active in this campaign not only uses new mining pools and wallets for mining, but also hijacks the clipboard. Once it detects a cryptocurrency transaction on the infected computer, it immediately replaces the receiving wallet address with a wallet address controlled by the virus, easily robbing the victim's funds. The NSISMiner mining Trojan spread by the MyKings botnet has earned 18 XMR (Monero), equivalent to about 5,600 yuan.

If a cryptocurrency "wallet" is compared to a bank card, the wallet address is equivalent to the bank card number. The wallet address is a long string of characters, so to avoid errors during transactions it is usually copied and pasted. This is why the NSISMiner mining Trojan can easily monitor and hijack the clipboard. So far, the spread of the mining Trojan has shown a small upward trend. Tencent Security reminds all corporate users to raise their awareness of network security and to close unnecessary ports and shared files to prevent hackers from intruding, tampering and causing damage.

(Figure: MyKings botnet variants have shown a slight growth trend recently)

Since its birth in February 2017, the MyKings botnet has been known for its rapid mutation.
In May last year, the Trojan used NSIS plug-in and script functions to execute and update the mining Trojan and to write its startup items, and it could also spread through the LAN by SMB brute-force attacks. In October, the Trojan variant added a wallet address hijacking module, which can detect 25 kinds of cryptocurrency wallet addresses such as Bitcoin, Monero and Ethereum, as well as related card numbers of electronic payment systems (WebMoney, YandexMoney, Steam), in the clipboard content.

(Picture: The new mining pool of the MyKings botnet variant has mined 18 XMR)

This MyKings botnet variant not only spreads malicious mining code, but also actively spreads within the LAN using SMB brute-force attacks, which poses a serious threat to corporate users. Ma Jinsong, head of Tencent Security Anti-Virus Lab and security expert of Tencent Computer Manager, reminds users to close unnecessary ports as much as possible; recommends that LAN users not use weak passwords, to prevent viruses from actively spreading in the LAN through SMB brute-force attacks; and recommends that corporate users use Tencent Yudian Terminal Security Management System to protect their computers.

(Photo: Tencent Yudian Terminal Security Management System)

It is understood that, in addition to detecting and removing virus attacks in a targeted manner, Tencent Yudian Terminal Security Management System also works with products such as Tencent Yujie Advanced Threat Detection System, Tencent Yujian Security Situation Awareness Platform and Tencent Yuzhi Cyberspace Risk Radar to establish a security system for enterprise users covering terminal security, border security, website monitoring and unified monitoring, integrating risk monitoring, analysis, early warning, response and visualization. It provides industry solutions and all-round protection for the network security of enterprise users.
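The clipboard hijacking described above leaves a recognizable trace: a wallet address on the clipboard is replaced, almost immediately, by a different address of the same currency. The following Python example is added here and is not from the original article or from Tencent's products; the address patterns are simplified, and the event format, the 2-second window and every sample address are assumptions constructed for illustration.

```python
import re

# Simplified address shapes for three currencies the article names (assumption:
# shape only, no checksum validation).
PATTERNS = {
    "bitcoin": re.compile(r"(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})"),
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
    "monero": re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}"),
}

def classify(text):
    """Return the currency whose address shape the whole clipboard text matches."""
    value = text.strip()
    for currency, pattern in PATTERNS.items():
        if pattern.fullmatch(value):
            return currency
    return None

def find_swaps(events, max_gap=2.0):
    """Flag an address replaced by a different same-currency address within max_gap s.

    events: iterable of (timestamp_seconds, clipboard_text), oldest first.
    """
    alerts = []
    prev = None  # (timestamp, currency, address) of the last address seen
    for ts, text in events:
        currency = classify(text)
        if currency is None:
            prev = None  # non-address content resets the tracker
            continue
        address = text.strip()
        if prev and prev[1] == currency and prev[2] != address and ts - prev[0] <= max_gap:
            alerts.append({"time": ts, "currency": currency,
                           "copied": prev[2], "replaced_by": address})
        prev = (ts, currency, address)
    return alerts

# Constructed clipboard snapshots; all addresses are made-up placeholders.
SAMPLE_EVENTS = [
    (10.0, "meeting notes"),
    (42.0, "0x" + "ab" * 20),   # user copies a payee address
    (42.3, "0x" + "cd" * 20),   # same shape, different value, 0.3 s later
    (90.0, "1" + "A" * 30),     # a Bitcoin-shaped address copied later
    (300.0, "1" + "B" * 30),    # different address, but minutes apart
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

The same comparison, copied value against pasted value, can also be made at paste time in a wallet or payment form before a transaction is confirmed.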