Fileless cryptocurrency miner CoinMiner uses NSA EternalBlue exploit to spread

Pierluigi Paganini August 22, 2017

A new fileless miner dubbed CoinMiner appeared in the wild, it uses NSA EternalBlue exploit and WMI tool to spread.

A new strain of Cryptocurrency Miner dubbed CoinMiner appeared in the wild and according to the experts it is hard to detect and infects Windows PCs via EternalBlue NSA exploit.

CoinMiner is a fileless malware that leverages the WMI (Windows Management Instrumentation) toolkit as a method to run commands on infected systems.

“This threat uses WMI (Windows Management Instrumentation) as its fileless persistence mechanism. Specifically, it used the WMI Standard Event Consumer scripting application (scrcons.exe) to execute its scripts. To enter a system, the malware uses the EternalBlue vulnerability – MS17-010. The combination of fileless WMI scripts and EternalBlue makes this threat extremely stealthy and persistent.” reads the analysis published by Trend Micro.

The analysis of the JScript revealed that the attackers used multiple layers of C&C servers to quickly update the appropriate servers and components and to avoid detection.

CoinMiner is not the first miner that leverages the EternalBlue exploit to infect victims, on May security experts at ProofPoint discovered that many machines weren’t infected by WannaCry because they were previously infected by the Adylkuzz miner.

Trend Micros shared best practices to avoid being infected with CoinMiner, for example in order to prevent the malware spreading through the exploitation of the EternalBlue, users should check they have installed the MS17-010 Microsoft security patch, or disable the SMBv1 protocol on their systems.

We said the CoinMiner leverages WMI in the attack chain to download scripts and other components needed to get persistence on the infected machine and to download and launch the CoinMiner binary.


Disabling WMI on systems, or at least restricting WMI access, could be efficient in contrasting the threat.

Microsoft provided instructions for disabling SMBv1 and WMI:

Further details about CoinMiner are available in the report published by Trend Micro.

[adrotate banner=”9″] [adrotate banner=”12″]  


Pierluigi Paganini

(Security Affairs – CoinMiner, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment