Fileless cryptocurrency miner CoinMiner uses NSA EternalBlue exploit to spread

A new fileless miner dubbed CoinMiner appeared in the wild, it uses NSA EternalBlue exploit and WMI tool to spread.

A new strain of Cryptocurrency Miner dubbed CoinMiner appeared in the wild and according to the experts it is hard to detect and infects Windows PCs via EternalBlue NSA exploit.

CoinMiner is a fileless malware that leverages the WMI (Windows Management Instrumentation) toolkit as a method to run commands on infected systems.

“This threat uses WMI (Windows Management Instrumentation) as its fileless persistence mechanism. Specifically, it used the WMI Standard Event Consumer scripting application (scrcons.exe) to execute its scripts. To enter a system, the malware uses the EternalBlue vulnerability – MS17-010. The combination of fileless WMI scripts and EternalBlue makes this threat extremely stealthy and persistent.” reads the analysis published by Trend Micro.

The analysis of the JScript revealed that the attackers used multiple layers of C&C servers to quickly update the appropriate servers and components and to avoid detection.

CoinMiner is not the first miner that leverages the EternalBlue exploit to infect victims, on May security experts at ProofPoint discovered that many machines weren’t infected by WannaCry because they were previously infected by the Adylkuzz miner.

Trend Micros shared best practices to avoid being infected with CoinMiner, for example in order to prevent the malware spreading through the exploitation of the EternalBlue, users should check they have installed the MS17-010 Microsoft security patch, or disable the SMBv1 protocol on their systems.

We said the CoinMiner leverages WMI in the attack chain to download scripts and other components needed to get persistence on the infected machine and to download and launch the CoinMiner binary.

Disabling WMI on systems, or at least restricting WMI access, could be efficient in contrasting the threat.

Microsoft provided instructions for disabling SMBv1 and WMI:

Further details about CoinMiner are available in the report published by Trend Micro.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – CoinMiner, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.