Criminals Are Hijacking Windows Machines to Run Cryptocurrency Miner Malware

Rafia Shaikh
bitcoin mining malware
EternalBlue is to blame... yet again!

A new malware is using the leaked NSA exploit, EternalBlue, to infect Windows machines and hijack them to work on cryptocurrency mining. Security researchers are calling this cryptocurrency mining malware family CoinMiner.

The malware is hard to detect or stop since it uses several techniques to persist on an infected machine. First, it uses the EternalBlue exploit to gain entry into a vulnerable Windows system and then uses the WMI (Windows Management Instrumentation) toolkit to run malicious commands.

Related StoryAlex Casas
Cryptocurrency Mining Hardware Retailer Receives A Large Shipment Of PowerColor, Sapphire, & XFX AMD Radeon GPUs

WMI is used to automate administrative tasks on remote computers and offers the ability to obtain management data from remote computers. But, in this case, once CoinMiner gets access to a system using EternalBlue, the infected machine runs several WMI scripts in the background, including connecting to the attacker's C&C to download the mining malware.

The first-stage C&C server located at hxxp://wmi[.]mykings[.]top:8888/test[.]html contains instructions on where to download the cryptocurrency miner and its components. This also contains the addresses of the second- and third-stage C&C servers.

Our monitoring of the above URL shows that the operation is still active. As noted on the infection diagram, the actual coin-mining payload is downloaded by TROJ_COINMINER.AUSWQ.

Trend Micro wrote in their research that "the combination of fileless WMI scripts and EternalBlue makes this threat extremely stealthy and persistent."

Mitigation and how to avoid falling for this cryptocurrency mining malware

The security researchers have advised the IT administrators to restrict WMI access.

First, restrict (and disable) WMI as needed. It requires administrator rights to be used on a system. Granting access only to specific groups of administrator accounts that need to use WMI would help reduce risk of WMI attacks.

They also recommend using Microsoft's tool that can trace WMI activity. However, disabling WMI on machines that don't need access to it and restricting it on those that do need it, will mitigate the issue.

The easiest way is to install MS17-010, a security patch that fixes the EternalBlue vulnerability. Microsoft had released it in March this year and has since made it available for even the out-of-support Windows XP machines. This particular vulnerability was discovered (and hidden) by the National Security Agency and then leaked by the Shadow Brokers. The vulnerability has so far been used in a number of different campaigns, including the WannaCry ransomware outbreak and Petya ransomware.

Even if you aren't worried about this cryptocurrency mining malware, installing the patch will help you avoid any other EternalBlue-based malware families too.

Share this story

Deal of the Day