When users notice high CPU utilization, they often attribute it to known processes such as games or demanding applications. With the rise of cryptocurrency-mining malware, however, many users who notice an increase in CPU load become suspicious that something is not right with their computer and investigate further.
Most applications can be found in Task Manager or Process Explorer, but this malware terminates itself when a user opens an application that monitors the resource utilization of other applications. It also terminates itself when popular demanding games or applications are running, to avoid causing alarm.
When the miner installs itself on the victim's computer, it creates a file called Iostream.exe in C:\ProgramData, and a scheduled task named “WindowsRecoveryCleaner” is created to launch it, using the following command line:
schtasks /create /tn WindowsRecoveryCleaner /tr "C:\ProgramData\Iostream.exe" /st 00:00 /sc daily /du 9999:59 /ri 1 /f
When the application starts, it inserts itself into a legitimate C:\Windows\System32\attrib.exe process, and attrib.exe will not terminate unless it is terminated manually. While running, the miner runs a background script that determines whether to terminate itself or not.
The miner checks whether any popular resource-demanding applications are running; if so, it monitors the application until it closes. Once the application closes, the miner starts mining again.
This method helps the miner stay undetected, as the malware runs only at times when increased CPU utilization is not detected. The current list of applications and games is small, so the miner is limited to specific applications. If it detects running processes for Process Explorer, Task Manager, Process Monitor, Process Hacker, AnVir Task Manager, PlayerUnknown’s Battlegrounds (PUBG), Counter-Strike: Global Offensive, Rainbow Six, or Dota 2, it terminates the attrib.exe and Iostream.exe processes.
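
Because the miner exits when a process monitor is opened, the scheduled task is the more dependable artifact to hunt for. The following Python sketch is an added example, not code from the original article: it scans schtasks /query /fo CSV /v output for the reported task name and binary path and, going beyond the article, for any executable sitting directly in C:\ProgramData that the scheduler relaunches every few minutes. The column names, the English-locale repeat-interval text, the 5-minute threshold and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Indicators reported in the article (compared case-insensitively).
IOC_TASK_NAME = "windowsrecoverycleaner"
IOC_BINARY = r"c:\programdata\iostream.exe"
MAX_REPEAT_MIN = 5  # assumed threshold for "relaunched aggressively"

# Constructed sample shaped like English-locale `schtasks /query /fo CSV /v`
# output, cut down to the three columns used here (assumed column names).
SAMPLE_CSV = r'''"TaskName","Task To Run","Repeat: Every"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o","Disabled"
"\WindowsRecoveryCleaner","C:\ProgramData\Iostream.exe","0 Hour(s), 1 Minute(s)"
"\UpdaterSvc","C:\ProgramData\upd.exe","0 Hour(s), 1 Minute(s)"
"\VendorAgent","C:\ProgramData\Vendor\agent.exe","Disabled"
'''

def repeat_minutes(text):
    """Parse 'H Hour(s), M Minute(s)' into minutes; None if the task does not repeat."""
    m = re.fullmatch(r"\s*(\d+) Hour\(s\), (\d+) Minute\(s\)\s*", text)
    return int(m.group(1)) * 60 + int(m.group(2)) if m else None

def assess(row):
    """Return the reasons a task row looks like the miner's persistence."""
    name = row["TaskName"].strip("\\").lower()
    action = row["Task To Run"].strip().strip('"').lower()
    reasons = []
    if name == IOC_TASK_NAME:
        reasons.append("task name reported in the article")
    if action.startswith(IOC_BINARY):
        reasons.append("binary path reported in the article")
    # Generalisation: an .exe directly in C:\ProgramData, relaunched every few minutes.
    loose_exe = re.match(r"c:\\programdata\\[^\\]+\.exe", action)
    mins = repeat_minutes(row["Repeat: Every"])
    if loose_exe and mins is not None and mins <= MAX_REPEAT_MIN:
        reasons.append(f"ProgramData executable relaunched every {mins} min")
    return reasons

def scan(csv_text):
    # Map each suspicious task name to its list of reasons.
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = assess(row)
        if reasons:
            hits[row["TaskName"]] = reasons
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_CSV))
```

The generic rule is a heuristic and will also surface legitimate updaters that drop binaries into C:\ProgramData, so treat those hits as leads to verify rather than confirmed infections.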