Security News: Cryptocurrency Miner Infects Windows PCs via EternalBlue and WMI

LASER_oneXM (thread author)

Feb 4, 2016
A new malware family detected under the name of CoinMiner is causing users and security firms alike loads of problems, being hard to stop or detect due to the combination of various unique features.

The malware — a cryptocurrency miner — uses the EternalBlue NSA exploit to infect victims and the WMI (Windows Management Instrumentation) toolkit as a method to run commands on infected systems.

In addition, CoinMiner also runs in memory (fileless malware), and uses multiple layers of command and control servers to deploy the multitude of scripts and components it needs to infect victims.

All of these make a deadly mixture of features that spell trouble for outdated machines and systems running antivirus solutions not up to par with the latest infection techniques.

Avoid getting infected with CoinMiner by disabling SMBv1...
To avoid getting infected with CoinMiner, there are a few precautionary measures that users need to take.

The simplest solution is to prevent the malware's first infection step, which is EternalBlue, an SMB exploit developed by the NSA, leaked online by a hacker group known as The Shadow Brokers, and used in the WannaCry and NotPetya ransomware outbreaks.

Users should make sure they have the MS17-010 Microsoft security patch installed, or at least disable the SMBv1 protocol on their systems, so CoinMiner won't have any way of reaching their computers.

... and WMI
In situations where this protocol is crucial for network interoperability, CoinMiner infections can still be avoided if users protect against the malware's second exploitation stage, which is the usage of WMI — a set of tools built into all Windows versions.

CoinMiner uses WMI to download scripts and other components needed to get persistence on each host, and later to download and launch the actual CoinMiner binary.
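The two precautions the article lists (turning off SMBv1 where MS17-010 cannot be applied, and watching the WMI layer used for persistence) can be checked from one elevated PowerShell session. The script below is an added example, not code from the article or the post; it assumes a Windows 8 / Server 2012 or later client SKU (the `SMB1Protocol` optional-feature name and the `Get-SmbServerConfiguration` cmdlet are not present on older systems).

```powershell
# Added example (not from the article or the post): audit and harden the two
# entry points described above on one Windows host. Run elevated.

function Get-Smb1Status {
    # Server-side SMBv1 setting: this is the surface MS17-010 / EternalBlue targets.
    $cfg = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'n/a (server SKU or legacy OS)' }
    }
}

function Disable-Smb1 {
    # Turn SMBv1 off at the server level and remove the optional feature.
    # Only do this where nothing on the network still needs the protocol.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

function Get-WmiPersistence {
    # Permanent WMI event subscriptions live in root\subscription. They are rare
    # on workstations, so every filter / consumer / binding pair deserves review.
    $ns = 'root/subscription'
    [pscustomobject]@{
        Filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue |
                    Select-Object Name, Query
        Consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue |
                    Select-Object Name, CommandLineTemplate, ScriptText
        Bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
                    Select-Object Filter, Consumer
    }
}

# Report first; only disable SMBv1 after confirming nothing depends on it.
Get-Smb1Status | Format-List
$p = Get-WmiPersistence
'WMI event filters:';   $p.Filters   | Format-Table -AutoSize
'WMI event consumers:'; $p.Consumers | Format-Table -AutoSize
'Filter/consumer bindings:'; $p.Bindings | Format-Table -AutoSize
# Disable-Smb1   # uncomment once the report has been reviewed
```

A CommandLineEventConsumer or ActiveScriptEventConsumer bound to a filter you did not create is the kind of WMI persistence the article describes and should be investigated before removal.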