Published On: Tue, Aug 22nd, 2017

Criminals Are Hijacking Windows Machines to Run Cryptocurrency Miner Malware

A new malware family is using a leaked NSA exploit, EternalBlue, to infect Windows machines and hijack them for cryptocurrency mining. Security researchers are calling this cryptocurrency mining malware family CoinMiner.

The malware is hard to detect or stop because it uses several techniques to persist on an infected machine. First, it uses the EternalBlue exploit to gain entry into a vulnerable Windows system, and then it uses a WMI (Windows Management Instrumentation) toolkit to run malicious commands.

WMI is used to automate administrative tasks on remote computers and offers the ability to obtain management information from them. In this case, once CoinMiner gains access to a system using EternalBlue, the infected machine runs several WMI scripts in the background, including one that connects to the attacker's C&C server to download the mining malware.

The first-stage C&C server, located at hxxp://wmi[.]mykings[.]top:8888/test[.]html, contains instructions on where to download the cryptocurrency miner and its components. It also contains the addresses of the second- and third-stage C&C servers.

Our monitoring of the above URL shows that the operation is still active. As noted in the infection diagram, the actual coin-mining payload is downloaded by TROJ_COINMINER.AUSWQ.

Trend Micro wrote in their research that "the combination of fileless WMI scripts and EternalBlue makes this threat extremely stealthy and persistent."

Mitigation and how to avoid falling for this cryptocurrency mining malware

The security researchers have advised IT administrators to restrict WMI access.

First, restrict (and where possible disable) WMI as needed. WMI requires administrator rights to be used on a system, so granting access only to the specific groups of administrator accounts that need to use WMI helps reduce the risk of WMI-based attacks.

They also suggest using Microsoft's tool that can trace WMI activity. Disabling WMI on machines that don't need it, and restricting it on those that do, will mitigate the issue.

The easiest approach is to install MS17-010, the security patch that fixes the EternalBlue vulnerability. Microsoft released it in March this year and has since made it available even for out-of-support Windows XP machines. This particular vulnerability was discovered (and kept secret) by the National Security Agency and later leaked by the Shadow Brokers. It has so far been used in a number of different campaigns, including the WannaCry ransomware attack and Petya ransomware.

Even if you aren't worried about this cryptocurrency mining malware, installing the patch will help you avoid any other EternalBlue-based malware families too.
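The following is an added example, not code from the article or from Trend Micro, of how an administrator could audit a host for the two exposures described above: permanent WMI event subscriptions (the usual form of fileless WMI persistence) and SMBv1 being enabled (which EternalBlue requires), while also turning on Windows' built-in WMI-Activity log so WMI use can be traced. It assumes PowerShell 5 or later running as Administrator on Windows 8/Server 2012 or newer.

```powershell
# Added defender audit; not part of the original article. Run as Administrator.
# Assumes Windows 8 / Server 2012 or later (Get-SmbServerConfiguration needs it).

# 1. Enumerate permanent WMI event subscriptions in root\subscription.
#    Fileless WMI persistence is normally a Filter + Consumer + Binding triple.
$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

$report = foreach ($b in $bindings) {
    # Filter and Consumer are object references; resolve them by Name.
    $f   = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $c   = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
    $cls = $c.CimClass.CimClassName
    # Consumers that run a command line or a script deserve manual review.
    $status = if ($cls -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') { 'REVIEW' } else { 'info' }
    [pscustomobject]@{
        Status   = $status
        Filter   = $f.Name
        Query    = $f.Query            # the WQL trigger, e.g. a timer or process-start event
        Consumer = $c.Name
        Type     = $cls
        Action   = if ($cls -eq 'CommandLineEventConsumer') { $c.CommandLineTemplate } else { $c.ScriptText }
    }
}
if ($report) { $report | Format-List } else { 'No permanent WMI event subscriptions found.' }

# 2. Make sure WMI activity is being logged, then show recent subscription
#    registrations (event 5861 is written when a permanent consumer is bound).
wevtutil set-log 'Microsoft-Windows-WMI-Activity/Operational' /enabled:true
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 3. EternalBlue targets SMBv1; report whether the server side is still enabled.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
if ($smb1) {
    'WARNING: SMBv1 server is enabled. Apply MS17-010 and disable SMBv1 if it is not required.'
} else {
    'SMBv1 server is disabled.'
}
```

Any binding marked REVIEW whose action downloads or launches something you do not recognise should be treated as a persistence indicator and investigated before removal.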
