A new strain of Cryptocurrency Miner dubbed CoinMiner appeared in the wild and according to the experts it is hard to detect and infects Windows PCs via EternalBlue NSA exploit.
CoinMiner is a fileless malware that leverages the WMI (Windows Management Instrumentation) toolkit as a method to run commands on infected systems.
“This threat uses WMI (Windows Management Instrumentation) as its fileless persistence mechanism. Specifically, it used the WMI Standard Event Consumer scripting application (scrcons.exe) to execute its scripts. To enter a system, the malware uses the EternalBlue vulnerability – MS17-010. The combination of fileless WMI scripts and EternalBlue makes this threat extremely stealthy and persistent.” reads the analysis published by Trend Micro.
The analysis of the JScript revealed that the attackers used multiple layers of C&C servers to quickly update the appropriate servers and components and to avoid detection.
CoinMiner is not the first miner that leverages the EternalBlue exploit to infect victims, on May security experts at ProofPoint discovered that many machines weren’t infected by WannaCry because they were previously infected by the Adylkuzz miner.
Trend Micros shared best practices to avoid being infected with CoinMiner, for example in order to prevent the malware spreading through the exploitation of the EternalBlue, users should check they have installed the MS17-010 Microsoft security patch, or disable the SMBv1 protocol on their systems.
We said the CoinMiner leverages WMI in the attack chain to download scripts and other components needed to get persistence on the infected machine and to download and launch the CoinMiner binary.
Disabling WMI on systems, or at least restricting WMI access, could be efficient in contrasting the threat.
Microsoft provided instructions for disabling SMBv1 and WMI:
Further details about CoinMiner are available in the report published by Trend Micro.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – CoinMiner, malware)
[adrotate banner=”5″]
[adrotate banner=”13″]
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly…
Threat actors are exploiting the CVE-2023-22518 flaw in Atlassian servers to deploy a Linux variant of…
Ivanti addressed two critical vulnerabilities in its Avalanche mobile device management (MDM) solution, that can…
This website uses cookies.