NRSMiner

NRSMiner Description

NRSMiner is a harmful program used to carry out crypto-jacking tactics on select targets. NRSMiner was observed in networks belonging to several companies based in Asia. NRSMiner infections were first reported on January 3, 2019. It seems that NRSMiner is a version o XMRig, a program used to mine Monero. NRSMiner has modified this program slightly to carry out attacks where the mining tool is introduced into the victim's devices automatically. NRSMiner seems to target industrial services and closed networks. NRSMiner uses EternalBlue (CVE-2017-0144) in its attack, a vulnerability that was first reported in May 2017, to gain access to the victim's device. Systems that are not patched are vulnerable to NRSMiner and other attacks that are leveraging this vulnerability.

How the NRSMiner Infection Works

The criminals gained access to the victims' computers by gaining backdoor access them. Once NRSMiner is installed on the victim's computers, it would connect to different mining pools and use the victims' systems' processing power to mine cryptocurrency. Once in the victim's computer, NRSMiner creates a service named 'snmpstorsry,' which loads a DLL file named 'snmpstorsrv.dll,' with the goal of carrying out its attack on the victim's computers. The NRSMiner attack typically takes advantage of poorly protected computers, and it seems that the systems where NRSMiner was installed were slow to respond to the NRSMiner attack, allowing the criminals to generate a great amount of revenue at the expense of the victims.

How NRSMiner can Be Used to Carry Out Malware Attacks

Once NRSMiner has been installed onto the victim's devices, it can be used to carry out a variety of operations. The following are some of NRSMiner's functions:

  • NRSMiner can report to its Command and Control server, sending information about the infected computer's version and location.
  • NRSMiner also can report general system information. This may include the user account ID and IP address.
  • NRSMiner can check for downloads for its own software and download and install these, cleaning previous versions of NRSMiner from the victim's computer.
  • NRSMiner can receive instructions related to mining Monero on the victim's device.

When NRSMiner is being installed, it will be downloaded from a corrupted IP address, often associated with a domain name that was hijacked by the attackers. NRSMiner is installed so that it runs in the background, using the infected computer's resources to generate revenue. Mining Monero is a resource intensive operation that makes the affected computers slow and unstable. Because of this, the NRSMiner attacks' symptoms are reflected in the computers that run poorly and show numerous problems typically.

Preventing the NRSMiner Attacks and Similar Infections

There are many measures that computer users and companies can take to ensure that the NRSMiner attacks are not carried out and other infections leveraging the Eternal Blue vulnerability for their installation do not take place on their devices. The following are some examples of the measures that can limit the extent of these attacks:

  • Ensure that all security software is fully updated.
  • Ensure that all software is properly patched.
  • Use a strong firewall and ensure that it is configured to block unauthorized traffic, such as communications with Command and Control servers.
  • Ensure that all software and login accounts are protected with strong passwords.
  • Disable any software or platforms that are not necessary and may be vulnerable to potential infections.

Crypto jacking tactics like NRSMiner cause visible symptoms that are often very obvious due to the poor performance of the affected device. Because of this, it is very recommended that computer user monitor their system performance regularly and act in case their computers are performing slowly or becoming more unstable, which may indicate an infection like NRSMiner.