This blog post explains what the NRSMiner miner is, how you can try to remove it, and how to prevent it from mining Monero on your computer.
A new and dangerous cryptocurrency miner has been detected by security researchers. The malware, called NRSMiner, can infect its victims in a variety of ways. Its purpose is to run a cryptocurrency miner on the victims' computers in order to obtain Monero at their expense. The result is higher electricity bills, and if it is left running for long periods NRSMiner may even damage your computer's components.
Threat Summary

| Name | NRSMiner |
| --- | --- |
| Type | Cryptocurrency Miner Virus |
| Short Description | A crypto miner that aims to use the resources of your computer to mine for cryptocurrencies. |
| Symptoms | Your computer may experience slow-downs, overheating, suspicious processes running and other unwanted side effects. |
| Distribution Method | Software vulnerabilities, bundled downloads, fake download portals. |
| Detection Tool | See If Your System Has Been Affected by malware |
| User Experience | Join Our Forum to Discuss NRSMiner. |
NRSMiner — Distribution Methods
The NRSMiner malware uses two main methods to infect its targets:
- Payload Delivery via Prior Infections — If an older NRSMiner version is already deployed on the victim system, it can update itself or download a newer version. This is possible via the built-in update command, which obtains the release by connecting to a predefined hacker-controlled server that serves the malware code. The downloaded virus takes the name of a Windows service and is placed in the %systemroot%\temp location. Important properties and operating system configuration files are changed in order to allow a persistent and silent infection.
- Software Vulnerability Exploits — The latest version of the NRSMiner malware has been found to spread via the EternalBlue exploit, well known for its use in the WannaCry ransomware attacks. The infections target open services on TCP port 445. The attacks are automated by a hacker-controlled framework that checks whether the port is open. If it is, the framework scans the service and retrieves information about it, including any version and configuration data. Exploits and common username and password combinations may then be attempted. When the EternalBlue exploit is triggered against the vulnerable code, the miner is deployed along with the DoublePulsar backdoor, resulting in a double infection.
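The delivery path just described depends on SMBv1 being reachable on TCP 445. The following PowerShell audit is an added example, not part of the original post: it reports whether SMBv1 is still enabled, whether port 445 is listening and allowed inbound by the firewall, and which clients currently hold SMB sessions. The function name Get-Smb1Exposure is my own, and the script assumes Windows 8/Server 2012 or newer run from an elevated prompt.

```powershell
# Added example (not from the original post): audit a host for the conditions the
# EternalBlue delivery path relies on: SMBv1 enabled and TCP 445 reachable.
# Assumes Windows 8/Server 2012+ (SmbShare, NetSecurity, NetTCPIP modules) and
# an elevated PowerShell prompt.
function Get-Smb1Exposure {
    $result = [ordered]@{}

    # 1. Is the SMBv1 server protocol still switched on?
    $smb = Get-SmbServerConfiguration
    $result.Smb1Enabled = [bool]$smb.EnableSMB1Protocol

    # 2. Is anything listening on TCP 445 (the port the exploit targets)?
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $result.Port445Listening = ($null -ne $listen)

    # 3. Which enabled inbound allow-rules cover TCP 445? (Port ranges such as
    #    '139-445' are not expanded here; review those rules by hand.)
    $openRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            ($pf.Protocol -eq 'TCP' -or $pf.Protocol -eq 'Any') -and
            ($pf.LocalPort -contains '445' -or $pf.LocalPort -eq 'Any')
        }
    $result.InboundRulesAllowing445 = @($openRules | Select-Object -ExpandProperty DisplayName)

    # 4. Who is currently connected over SMB? Unexpected addresses deserve a look.
    $result.ActiveSmbClients = @(Get-SmbSession -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty ClientComputerName -Unique)

    [pscustomobject]$result
}

$r = Get-Smb1Exposure
$r | Format-List

if ($r.Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled; disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}
if ($r.Port445Listening -and $r.InboundRulesAllowing445.Count -gt 0) {
    Write-Warning 'TCP 445 is listening and allowed inbound; restrict it to trusted subnets or block it at the perimeter.'
}
```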
Apart from these methods, other strategies can be used as well. Miners can be distributed by phishing emails that are sent in bulk in a spam-like manner and rely on social engineering tricks to convince the victims that they have received a message from a legitimate service or company. The virus files can be either directly attached or inserted in the body as multimedia content or text links.
The criminals can also create malicious landing pages that impersonate vendor download pages, software download portals and other frequently visited sites. By using domain names that sound similar to legitimate addresses, together with security certificates, they can trick users into interacting with them. In some cases merely opening such a page can trigger the miner infection.
Another approach is to use payload carriers, which can be spread using the above-mentioned methods or via file sharing networks; BitTorrent is one of the most popular of these and is frequently used to distribute both legitimate software and pirated content. Two of the most common payload carriers are the following:
- Infected Documents — The hackers can embed scripts that install the NRSMiner malware code as soon as they are launched. All of the popular document types are potential carriers: presentations, rich text documents and databases. When they are opened by the victims, a prompt appears asking the user to enable the built-in macros in order to view the document correctly. If this is done, the miner is deployed.
- Application Installers — The criminals can insert the miner installation scripts into application installers for all kinds of popular software downloaded by end users: system utilities, productivity apps, office programs, creativity suites and even games. This is done by modifying the legitimate installers, which are usually downloaded from the official sources and modified to include the necessary commands.
Other methods the criminals may consider include browser hijackers, dangerous plugins made compatible with the most popular web browsers. They are uploaded to the relevant repositories with fake user reviews and developer credentials. In many cases the listings include screenshots, videos and elaborate descriptions promising great feature enhancements and performance optimizations. Upon installation, however, the behavior of the affected browsers changes: users find themselves redirected to a hacker-controlled landing page, and their settings (the default home page, search engine and new tabs page) may be altered.
NRSMiner — Analysis
The NRSMiner malware is a classic case of a cryptocurrency miner which, depending on its configuration, can cause a wide variety of dangerous actions. Its main goal is to perform complex mathematical tasks that take advantage of the available system resources: CPU, GPU, memory and hard disk space. Miners like this work by connecting to a special server called a mining pool, from which the mining tasks are downloaded. As soon as a task is downloaded it is started, and multiple instances can run at once. When a given task is completed another one is downloaded in its place, and the loop continues until the computer is powered off, the infection is removed or a similar event happens. The cryptocurrency earned is credited directly to the wallets of the criminal controllers (a hacking group or a single hacker).
A dangerous characteristic of this category of malware is that samples like this one can take all system resources and practically make the victim computer unusable until the threat has been completely removed. Most of them feature a persistent installation, which makes them really difficult to remove. These commands make changes to boot options, configuration files and Windows Registry values so that the NRSMiner malware starts automatically once the computer is powered on. Access to recovery menus and options may be blocked, which renders many manual removal guides practically useless.
This particular infection sets up a Windows service for itself; during the security analysis the following actions have been observed:
- Information Harvesting — The miner generates a profile of the installed hardware components and specific operating system information. This can include anything from specific environment values to installed third-party applications and user settings. The complete report is compiled in real time and may be run continuously or at certain time intervals.
- Network Communications — As soon as the infection is made, a network port for relaying the harvested data is opened. It allows the criminal controllers to log in to the service and retrieve all hijacked information. This component can be updated in future releases to a full-fledged Trojan instance: it would allow the criminals to take control of the machines, spy on the users in real time and steal their files. Furthermore, Trojan infections are one of the most popular ways to deploy other malware threats.
- Automatic Updates — With an update check module, the NRSMiner malware can constantly monitor whether a new version of the threat has been released and automatically apply it. This includes all required procedures: downloading, installation, cleanup of old files and reconfiguration of the system.
- Applications and Services Modification — During the miner operations the associated malware can hook into already running Windows services and third-party installed applications. By doing so, system administrators may not notice that the resource load comes from a separate process.
These kinds of malware infections are particularly effective at carrying out advanced commands if configured to do so. They are based on a modular framework that allows the criminal controllers to orchestrate all kinds of dangerous behavior. One popular example is the modification of the Windows Registry: modifying strings used by the operating system can cause serious performance disruptions and the inability to access Windows services. Depending on the scope of the changes, it can also make the computer completely unusable. Manipulating Registry values belonging to third-party installed applications, on the other hand, can sabotage them: some applications may fail to launch altogether while others can unexpectedly stop working.
This particular miner, in its current version, is focused on mining the Monero cryptocurrency and contains a modified version of the XMRig CPU mining engine. If the campaigns prove successful, future versions of NRSMiner may be launched. As the malware uses software vulnerabilities to infect target hosts, it can be part of a dangerous co-infection with ransomware and Trojans.
Removal of NRSMiner is strongly recommended, since you risk not only a big electricity bill if it’s running on your PC, but the miner may also perform other unwanted activities on it and even damage your PC permanently.
Remove NRSMiner Miner from Your PC
If you want to remove this miner from your PC, be advised that it can delete your files. This is why we advise you to back up all your important files before removing this virus.
To remove the NRSMiner miner from your PC, we advise you to follow the removal guide below. It is divided into manual and automatic removal, which will effectively help delete the virus files permanently. If manual removal does not help, however, we recommend what most researchers advise: download an advanced anti-malware program and run a scan with it on your infected PC. Such a program will automatically take care of the NRSMiner miner virus, make sure it is removed completely and keep your PC protected in the future.
Preparation before removing NRSMiner.
Before starting the actual removal process, we recommend that you do the following preparation steps.
- Make sure you have these instructions always open and in front of your eyes.
- Do a backup of all of your files, even if they could be damaged. You should back up your data with a cloud backup solution and insure your files against any type of loss, even from the most severe threats.
- Be patient as this could take a while.
- Scan for Malware
- Fix Registries
- Remove Virus Files
Step 1: Scan for NRSMiner with SpyHunter Anti-Malware Tool
Step 2: Clean any registry entries created by NRSMiner on your computer.
The usually targeted registry keys on Windows machines are the following:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
You can access them by opening the Windows registry editor and deleting any values created by NRSMiner there. This can be done by following the steps underneath:
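As an added example that is not part of the original guide, the PowerShell script below enumerates the four Run/RunOnce keys listed above plus the installed Windows services, and flags any entry whose binary lives under %systemroot%\temp (the drop location noted in the distribution section) or lacks a valid Authenticode signature. It only reports; the helper names Get-ExePath and Test-SuspiciousEntry are my own, and it assumes an elevated prompt.

```powershell
# Added example (not from the original guide): report autostart entries from the
# four Run/RunOnce keys and from installed services, flagging any whose binary
# lives under %systemroot%\temp or lacks a valid Authenticode signature.
# Run from an elevated PowerShell prompt. It only reports; delete nothing blindly.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$tempDir = Join-Path $env:SystemRoot 'temp'

# Extract the executable path from a command line, quoted or unquoted
# (helper name is mine): "C:\x\a.exe" -arg  or  C:\x\a.exe -arg
function Get-ExePath([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($cmd -match '^\s*(\S+\.(exe|dll|bat|cmd|ps1|vbs|js))') { return $matches[1] }
    return ($cmd -split '\s+')[0]
}

# Emit a report object when an entry deserves a closer look, otherwise nothing.
function Test-SuspiciousEntry([string]$name, [string]$cmd, [string]$source) {
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $cmd))
    if ([string]::IsNullOrWhiteSpace($exe)) { return }
    $reasons = @()
    if ($exe -like "$tempDir*") { $reasons += 'runs from %systemroot%\temp' }
    if (Test-Path -LiteralPath $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    } else {
        $reasons += 'binary not found on disk (check for an unquoted path with spaces)'
    }
    if ($reasons) {
        [pscustomobject]@{ Source = $source; Name = $name; Command = $cmd; Reasons = ($reasons -join '; ') }
    }
}

$hits = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        # skip the registry provider's own metadata properties
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        $hits += Test-SuspiciousEntry $p.Name ([string]$p.Value) $key
    }
}
foreach ($svc in Get-CimInstance Win32_Service) {
    $hits += Test-SuspiciousEntry $svc.Name $svc.PathName "service ($($svc.StartMode))"
}
$hits | Format-Table -AutoSize -Wrap
```

Catalog-signed Windows binaries can show as NotSigned on older systems, so treat the signature column as a prompt to investigate rather than a verdict.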
Step 3: Find virus files created by NRSMiner on your PC.
For Windows 8, 8.1 and 10 (newer Windows operating systems)
1: On your keyboard press the Windows key + R, write explorer.exe in the Run text box and then click on the OK button.
2: Click on your PC from the quick access bar. This is usually an icon with a monitor and its name is either “My Computer”, “My PC” or “This PC” or whatever you have named it.
3: Navigate to the search box in the top-right of your PC's screen and type “fileextension:” and after which type the file extension. If you are looking for malicious executables, an example may be "fileextension:exe". After doing that, leave a space and type the file name you believe the malware has created. Here is how it may appear if your file has been found:
N.B. We recommend to wait for the green loading bar in the navigation box to fill up in case the PC is looking for the file and hasn't found it yet.
For Windows XP, Vista and 7 (older Windows operating systems)
On older Windows versions the conventional approach should work:
1: Click on the Start Menu icon (usually on your bottom-left) and then choose the Search preference.
2: After the search window appears, choose More Advanced Options from the search assistant box. Another way is by clicking on All Files and Folders.
3: After that type the name of the file you are looking for and click on the Search button. This might take some time after which results will appear. If you have found the malicious file, you may copy or open its location by right-clicking on it.
Now you should be able to discover any file on Windows as long as it is on your hard drive and is not concealed via special software.
NRSMiner FAQ
What Does NRSMiner Trojan Do?
The NRSMiner Trojan is a malicious computer program designed to disrupt, damage, or gain unauthorized access to a computer system. It can be used to steal sensitive data, gain control over a system, or launch other malicious activities.
Can Trojans Steal Passwords?
Yes, Trojans, like NRSMiner, can steal passwords. These malicious programs are designed to gain access to a user's computer, spy on victims and steal sensitive information such as banking details and passwords.
Can NRSMiner Trojan Hide Itself?
Yes, it can. A Trojan can use various techniques to mask itself, including rootkits, encryption, and obfuscation, to hide from security scanners and evade detection.
Can a Trojan be Removed by Factory Reset?
Yes, a Trojan can be removed by factory resetting your device. This is because it will restore the device to its original state, eliminating any malicious software that may have been installed. Bear in mind that there are more sophisticated Trojans that leave backdoors and reinfect even after a factory reset.
Can NRSMiner Trojan Infect WiFi?
Yes, it is possible for a Trojan to infect WiFi networks. When a user connects to the infected network, the Trojan can spread to other connected devices and can access sensitive information on the network.
Can Trojans Be Deleted?
Yes, Trojans can be deleted. This is typically done by running a powerful anti-virus or anti-malware program that is designed to detect and remove malicious files. In some cases, manual deletion of the Trojan may also be necessary.
Can Trojans Steal Files?
Yes, Trojans can steal files if they are installed on a computer. This is done by allowing the malware author or user to gain access to the computer and then steal the files stored on it.
Which Anti-Malware Can Remove Trojans?
Anti-malware programs such as SpyHunter are capable of scanning for and removing Trojans from your computer. It is important to keep your anti-malware up to date and regularly scan your system for any malicious software.
Can Trojans Infect USB?
Yes, Trojans can infect USB devices. USB Trojans typically spread through malicious files downloaded from the internet or shared via email, allowing the hacker to gain access to a user's confidential data.
About the NRSMiner Research
The content we publish on SensorsTechForum.com, this NRSMiner how-to removal guide included, is the outcome of extensive research, hard work and our team's devotion to helping you remove the specific trojan problem.
How did we conduct the research on NRSMiner?
Please note that our research is based on an independent investigation. We are in contact with independent security researchers, thanks to which we receive daily updates on the latest malware definitions, including the various types of trojans (backdoor, downloader, infostealer, ransom, etc.).
Furthermore, the research behind the NRSMiner threat is backed by VirusTotal.
To better understand the threat posed by trojans, please refer to the following articles, which provide knowledgeable details.