A hybrid Monero cryptominer and ransomware bug has hit 20,000 machines in 60 days.

At its previous peak in February, the Monero Miner cryptocurrency ransominer was targeting more than 2,500 users a day, disguised as an antivirus installer. Now, the tricky hybrid malware is on the rise again, this time impersonating an ad blocker and OpenDNS service.

In total, it has infected more than 20,000 users in less than two months, researchers at Kaspersky warned, in a report on Wednesday.

Ransomining lets threat actors take over computing power to mine cryptocurrency — in this case Monero — and also encrypts the data to hold for ransom. In this case, the open-source XMRig ransominer is used as its base, Kaspersky said.

The malware, disguised as an application called “AdShield Pro,” looks and acts like Windows version of the legitimate AdShield mobile ad blocker, in addition to impersonating the OpenDNS service, the Kaspersky report explained.

How the Monero Ransominer Malware Evades Detection

“After the user starts the program, it changes the DNS settings on the device so that all domains are resolved through the attackers’ servers, which, in turn, prevents users from accessing certain antivirus sites, such as Malwarebytes.com,” Kaspersky researchers said. “After substituting the DNS servers, the malware starts updating itself by running update.exe.”

The updater also downloads and runs a modified Transmission torrent client, which sends the ID of the targeted computer along with install details to the command-and-control server (C2), and then downloads the miner, Kaspersky said.

Parts of the files are encrypted, to make it harder to identify, the report added.

“The modified Transmission client runs flock.exe, which first of all calculates the hash of the parameters of the infected computer and the data from the data.pak file, and then compares it with the hash from the lic.data file,” the report explained. “This is necessary because the C2  generates a unique set of files for each machine so as to hinder static detection and prevent the miner from running and being analyzed in various virtual environments.”

At this point, if the hashes don’t match, the execution is stopped, the report said. Otherwise the payload is decrypted and installed.

“To ensure the continuous operation of the miner, a servicecheck_XX task is created in Windows Task Scheduler, where XX are random numbers,” the report added. “The task runs flock.exe with the argument ‘minimize.’”

These attacks appear to be part of an earlier Monero Miner campaign first detected by Avast in August, which disguised the Monero ransominer bug as a Malwarebytes antivirus installer, researchers said.

Overall, users in Russia and Commonwealth of Independent States (CIS) countries are most likely to be targeted, they added.

How to Get Rid of the Miner

Kaspersky added that the miner can be removed by reinstalling the legitimate file that it masquerades as.

If flock.exe is found on the device, researchers recommend uninstalling NetshieldKit, AdShield, OpenDNS and the Transmission torrent. They also recommend deleting these folders, if present:

  • -C:ProgramDataFlock
  • -%allusersprofile%start menuprogramsstartupflock
  • -%allusersprofile%start menuprogramsstartupflock2

If it’s pretending to be a Malwarebytes application, reinstall it — however if the program isn’t showing on the list of apps, delete the following folders:

  • -%program files%malwarebytes
  • -program files (x86)malwarebytes
  • -%windir%.oldprogram filesmalwarebytes
  • -%windir%.oldprogram files (x86)malwarebytes

Finally, they recommend deleting the “servicecheck_XX task in the Windows Task Scheduler.

To avoid the infection in the first place, users should download software only from legitimate sources and avoid pirated versions.

Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community: