Name | NRSMiner |
Additional Names | Cryptominer |
Type of Malware | Botnet |
Date of Initial Activity | 2018 |
Motivation | Mine Monero Cryptocurrency |
Attack Vectors | Software vulnerability exploits (notably the EternalBlue SMB exploit), infected files/documents and application installers (executable files), and infection via the Updater module |
Targeted System | All systems |
Associated Groups | APT41 |
Overview
NRSMiner is a cryptominer that surfaced around November 2018 and was mainly spread in Asia (Vietnam, China and Japan) and in Ecuador. After the initial infection, it uses the well-known EternalBlue SMB exploit to propagate to other vulnerable computers on the internal network and eventually starts mining the Monero (XMR) cryptocurrency.
The underlying miner can be downloaded by anyone who wishes to use their own CPU resources for cryptocurrency mining; many cyber criminals, however, use other users' computers to do this, usually without the owners' knowledge.
Targets
Ordinary end users.
Tools / Techniques Used
A system that has been infected with an older version of NRSMiner (and has the wmassrv service running) will connect to tecate[.]traduires[.]com to download an updater module to the %systemroot%\temp folder as tmp[xx].exe, where [xx] is the return value of the GetTickCount() API. When this updater module is executed, it downloads another file to the same folder from one of a series of hard-coded IP addresses.
On a system that is already infected with an older version of NRSMiner, the malware will delete all components of its older version before infecting it with the newer one. To remove the prior version of itself, the newest version refers to a list of services, tasks and files to be deleted that can be found as strings in the snmpstorsrv.dll file; to remove all older versions, it refers to a list that is found in the MarsTraceDiagnostics.xml file. In the latest NRSMiner version (2019), wininit.exe is responsible for handling its exploitation and propagation activities.
Wininit.exe decompresses the zipped data in %systemroot%\AppDiagnostics\blue.xml and unzips the files into the AppDiagnostics folder. Among the unzipped files is one named svchost.exe, which is the EternalBlue 2.2.0 exploit executable.
It then deletes the blue.xml file and writes two new files, x86.dll and x64.dll, into the AppDiagnostics folder. If the vulnerable system is successfully exploited, Wininit.exe then executes spoolsv.exe, which is the DoublePulsar 1.3.1 executable. This file installs the DoublePulsar backdoor onto the exploited system.
Depending on the operating system of the target, either x86.dll or x64.dll is then transferred by Wininit.exe and injected into the target system's lsass.exe by the spoolsv.exe (DoublePulsar) backdoor. NRSMiner uses the XMRig Monero CPU miner to generate units of the Monero cryptocurrency.
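The artefacts named in this section (the AppDiagnostics drop folder, the x86.dll/x64.dll payloads, the wmassrv service, the updater path in %systemroot%\temp and the tecate[.]traduires[.]com download host) can be turned into a host triage check. The following Python script is an added example written for this page, not code from the malware or from any vendor; it scans a constructed inventory of file paths, service names and DNS queries for those indicators. It assumes %systemroot% expands to C:\Windows and that the GetTickCount() value in the updater file name is written in decimal digits; the sample inventory is invented. Two points matter in practice: svchost.exe and spoolsv.exe are legitimate Windows binary names, so the check only flags them at the AppDiagnostics location rather than by name alone, and blue.xml is deleted after unpacking, so its absence says nothing about whether a host is clean.

```python
import re
from dataclasses import dataclass

# Indicators taken from the NRSMiner description above. %systemroot% is
# assumed to be C:\Windows and all comparisons are case-insensitive.
SYSTEMROOT = r"c:\windows"
APPDIAG = SYSTEMROOT + r"\appdiagnostics"

# Full-path indicators: svchost.exe and spoolsv.exe are legitimate Windows
# binary names, so they are matched only at the AppDiagnostics location.
PATH_INDICATORS = {
    APPDIAG + r"\blue.xml": "zipped EternalBlue/DoublePulsar package (deleted after unpacking)",
    APPDIAG + r"\svchost.exe": "EternalBlue exploit executable dropped as svchost.exe",
    APPDIAG + r"\spoolsv.exe": "DoublePulsar backdoor dropped as spoolsv.exe",
    APPDIAG + r"\x86.dll": "32-bit payload DLL injected into lsass.exe",
    APPDIAG + r"\x64.dll": "64-bit payload DLL injected into lsass.exe",
}
# Components the write-up names without a directory; matched on file name only.
NAME_INDICATORS = {
    "snmpstorsrv.dll": "NRSMiner component holding the previous-version removal list",
    "marstracediagnostics.xml": "NRSMiner removal list for all older versions",
}
# Updater module: %systemroot%\temp\tmp<GetTickCount()>.exe. Assumption: the
# tick count is rendered as decimal digits.
UPDATER_RE = re.compile("^" + re.escape(SYSTEMROOT + r"\temp\tmp") + r"\d+\.exe$")
SERVICE_INDICATORS = {"wmassrv": "service present on hosts infected by older NRSMiner versions"}
DOMAIN_INDICATORS = {"tecate.traduires.com": "updater module download host"}


@dataclass(frozen=True)
class Finding:
    kind: str   # "file", "service" or "dns"
    value: str  # the artefact exactly as observed
    note: str   # why it matters


def normalise_path(path: str) -> str:
    """Lower-case a path and expand %systemroot% (str.replace avoids
    re.sub's backslash handling in the replacement string)."""
    return path.strip().lower().replace("%systemroot%", SYSTEMROOT)


def check_file(path: str):
    """Return a Finding if the path matches an NRSMiner file indicator, else None."""
    p = normalise_path(path)
    if p in PATH_INDICATORS:
        return Finding("file", path, PATH_INDICATORS[p])
    name = p.rsplit("\\", 1)[-1]
    if name in NAME_INDICATORS:
        return Finding("file", path, NAME_INDICATORS[name])
    if UPDATER_RE.match(p):
        return Finding("file", path, "updater module tmp<tickcount>.exe in %systemroot%\\temp")
    return None


def scan_host(files, services, dns_queries):
    """Match a host inventory against the indicators; returns all findings in order."""
    findings = []
    for f in files:
        hit = check_file(f)
        if hit is not None:
            findings.append(hit)
    for s in services:
        key = s.strip().lower()
        if key in SERVICE_INDICATORS:
            findings.append(Finding("service", s, SERVICE_INDICATORS[key]))
    for q in dns_queries:
        key = q.strip().lower().rstrip(".")  # tolerate a trailing dot from DNS logs
        if key in DOMAIN_INDICATORS:
            findings.append(Finding("dns", q, DOMAIN_INDICATORS[key]))
    return findings


# Constructed sample inventory (not real telemetry) mixing benign entries
# with the indicators from the write-up.
SAMPLE_FILES = [
    r"C:\Windows\System32\svchost.exe",        # legitimate, must not alert
    r"C:\Windows\AppDiagnostics\svchost.exe",  # EternalBlue dropped under the same name
    r"C:\Windows\AppDiagnostics\x64.dll",
    r"%SystemRoot%\temp\tmp2874115.exe",       # updater module, tick count invented
    r"C:\Windows\System32\drivers\etc\hosts",
]
SAMPLE_SERVICES = ["Spooler", "wmassrv", "W32Time"]
SAMPLE_DNS = ["tecate.traduires.com", "update.microsoft.com"]


def main():
    for finding in scan_host(SAMPLE_FILES, SAMPLE_SERVICES, SAMPLE_DNS):
        print(f"[{finding.kind}] {finding.value}: {finding.note}")


if __name__ == "__main__":
    main()
```

Run on the constructed inventory, the script reports the AppDiagnostics svchost.exe and x64.dll, the updater executable, the wmassrv service and the DNS query, and stays silent on the legitimate System32\svchost.exe. On a real host the inventory would come from a file-system walk, the service control manager and DNS client logs; any hit on the AppDiagnostics paths should be treated as evidence of a DoublePulsar-backdoored machine rather than just a miner, since the backdoor is installed before the payload DLL is injected into lsass.exe.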
Impact / Significant Attacks
In 2021, it was used to infect over 1 million devices worldwide.