Hackers hide malware in the Windows installation files to mine cryptocurrency

Security researchers say hackers now camouflage cryptocurrencies to mine malware and pass it out as a legitimate Windows installation package. Researchers say the malware, often called Coinminer, uses a series of obfuscation methods to make it particularly difficult to detect.

The discovery comes from security company Trend Micro, which says malware as a Windows Installer MSI file arrives on the victim’s computer, which is worth noting because Windows Installer is a legitimate application for installing software. Using real Windows components makes it look less suspicious and may allow it to bypass certain security filters.

The hacker’s tricks don’t stop there. The researchers pointed out that once installed, the malware directory contains various files that act as bait. In addition, the installer comes with a script that kills any anti-malware processes running on the victim’s computer, as well as the victim’s own cryptocurrency mining module.

The researchers also observed that malware has a built-in self-destruct mechanism that makes detection and analysis more difficult. It removes every file in its installation directory and removes any installation traces from the system. Although Trend Micro was unable to target the attack link to a specific country, it noticed that the installer used Cyrillic. In all fairness, Cyrillic seems to be very popular among cryptocurrency criminals.