Cybersecurity researchers have discovered and analyzed a worm-cryptominer combo that uses a series of exploits to move laterally and compromise its victims' devices. The malware combines Python and PowerShell to create a cryptocurrency miner with a worm component, which lets it move laterally and infect other victims by exploiting these vulnerabilities.

The malware was first detected following a supply chain attack on a popular driver download application called DriveTheLife. A component of DriveTheLife that normally downloads and executes files from legitimate domains was manipulated to download malicious content to the victim's machine from domains managed by the attackers.


The malware is also designed to check twice a second whether processes from a predefined list are running on the system, so that it can remove svchost.exe if necessary. It also features CPU and GPU mining components, and a private RSA key is used for signing C&C communications.

NSA Exploits used by Worm-Cryptominer to Attack Systems

The list of processes consists mainly of games such as League of Legends, Counterstrike, and Grand Theft Auto - City Vice, as well as the Windows Task Manager and the Steam Game Launcher. The researchers said this suggests that the svchost.exe process performs resource-intensive tasks that would be noticed if any games were running.

The malware first tries to infect the local networks to which the infected machine is connected. It then targets all public IP addresses that share the same /24 subnet as the computer. Finally, using PowerShell, it attempts to infect the DNS servers that the computer is already configured to use.
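Detection logic for the spreading order described above, as an added example that is not taken from the researchers' report: it scans flow records for a host that fans out to local addresses, to the public /24 around the site's egress address, and to its DNS servers on a non-DNS port. The record format, the `fanout` threshold, the function names and all sample addresses and ports are constructed assumptions; the page names no port.

```python
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (source, destination, destination port); not real telemetry.
# Port 445 is a sample value only; the page does not say which port the worm uses.
SAMPLE_FLOWS = (
    [("10.0.0.5", f"10.0.0.{i}", 445) for i in range(20, 32)]       # local sweep
    + [("10.0.0.5", f"203.0.113.{i}", 445) for i in range(1, 13)]   # same public /24
    + [("10.0.0.5", "198.51.100.53", 445)]                          # resolver, non-DNS port
    + [("10.0.0.7", "198.51.100.53", 53), ("10.0.0.7", "10.0.0.9", 443)]  # ordinary host
)

def stage(dst, dport, public_net, dns_servers):
    """Map one flow to the propagation stage it matches, or None."""
    addr = ipaddress.ip_address(dst)
    if dst in dns_servers:
        return None if dport == 53 else "dns"   # plain DNS lookups are expected
    if addr in public_net:
        return "public24"
    if any(addr in net for net in RFC1918):
        return "local"
    return None

def find_spreaders(flows, public_ip, dns_servers, fanout=10):
    """Return {source: [stages matched]} for hosts showing the spreading pattern."""
    # The /24 that contains the site's public (egress) address.
    public_net = ipaddress.ip_network(f"{public_ip}/24", strict=False)
    seen = defaultdict(set)                     # (src, stage, dport) -> distinct destinations
    for src, dst, dport in flows:
        matched = stage(dst, dport, public_net, dns_servers)
        if matched:
            seen[(src, matched, dport)].add(dst)
    hits = defaultdict(set)
    for (src, matched, _), dsts in seen.items():
        # One non-DNS connection to a resolver is already unusual; sweeps need volume.
        if matched == "dns" or len(dsts) >= fanout:
            hits[src].add(matched)
    order = ("local", "public24", "dns")
    return {src: [s for s in order if s in got] for src, got in hits.items()}

if __name__ == "__main__":
    print(find_spreaders(SAMPLE_FLOWS, "203.0.113.77", {"198.51.100.53"}))
```

A host that matches all three stages in sequence is a stronger signal than any single stage, since backup agents and inventory scanners also sweep local ranges.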

  • Delivered via supply chain attack on PUA application
  • Moves laterally using advanced tools and unpatched vulnerabilities
  • Stays stealthy by pausing crypto mining if performance-intensive tasks, such as popular games, are running
  • Features both CPU and GPU mining components
  • Full timeline and changelog on how modules were updated
  • Private RSA key used for signing C&C communication publicly available