Fileless Cryptocurrency Mining Malware Spreads via EternalBlue and WMI
Cybersecurity firm TrendMicro discovered a cryptocurrency mining malware variant that infects systems through the SMBv1 vulnerability exploited by EternalBlue (patched by Microsoft in MS17-010) and then uses Windows Management Instrumentation (WMI) for fileless persistence in an attempt to evade detection and analysis. The variant currently associated with this infection vector is identified by TrendMicro as TROJ64_COINMINER.QO.

The NJCCIC assesses with high confidence that profit-motivated hackers will continue to use this and other methods of network intrusion for the purpose of conducting their cryptocurrency mining operations.

To protect against this threat, the NJCCIC recommends disabling unneeded instances of WMI and tightly restricting access to required instances, following the Principle of Least Privilege on all user accounts, and closely monitoring systems and network traffic for associated indicators of compromise (IoCs).

For a full analysis of TROJ64_COINMINER.QO, including IoCs, please see TrendMicro’s TrendLabs Security Intelligence Blog. For more information on fileless intrusion tactics, please see our Threat Analysis titled Fileless: Evasive Intrusion Tactics Pose Challenge for Network Defense. For more information on cryptocurrency mining detection strategies, please review the SANS Institute whitepaper Detecting Cryptocurrency Mining in Corporate Environments.
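The monitoring recommendation above is easiest to act on if defenders can actually see what WMI is holding on a host. The following PowerShell script is an added example written for this advisory; it is not code from the NJCCIC or from TrendMicro's analysis. It assumes that the fileless persistence of interest takes the common form of a permanent WMI event subscription (an __EventFilter bound to an __EventConsumer through a __FilterToConsumerBinding in the root\subscription namespace), enumerates every such binding, and flags those whose consumer runs a command line or script. The helper name Get-RefName and the report layout are the example's own choices; the script contains no TROJ64_COINMINER.QO indicators, which are in the TrendLabs post.

```powershell
# Added example, not code from the NJCCIC advisory or TrendMicro's analysis.
# Assumption: the fileless persistence in question is a permanent WMI event
# subscription (an __EventFilter bound to an __EventConsumer via a
# __FilterToConsumerBinding in root\subscription). Run as an administrator.
# No TROJ64_COINMINER.QO indicators are embedded here.

$Namespace = 'root\subscription'

function Get-RefName {
    param($Ref)
    # Get-CimInstance returns reference properties as CimInstance objects whose
    # key property (Name) is populated; Get-WmiObject returns them as strings
    # such as __EventFilter.Name="X". Handle both shapes.
    if ($Ref -is [string]) { return ($Ref -replace '^.*Name="([^"]*)".*$', '$1') }
    return $Ref.Name
}

$filters   = Get-CimInstance -Namespace $Namespace -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding

$report = foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName
    $c = $consumers | Where-Object Name -eq $cName

    # Only consumers that execute code matter for fileless persistence;
    # log-writing consumers (e.g. NTEventLogEventConsumer) carry no payload.
    $payload = switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { $null }
    }

    [PSCustomObject]@{
        Filter        = $fName
        Query         = $f.Query            # WQL trigger, e.g. a timer or process-start event
        ConsumerClass = $c.CimClass.CimClassName
        Consumer      = $cName
        Payload       = $payload
        Suspicious    = [bool]$payload      # review the payload before acting on it
    }
}

$report | Format-List

# To remove a subscription after confirming it is malicious, delete all three
# pieces (binding first, then filter and consumer), for example:
#   $bindings  | Where-Object { (Get-RefName $_.Filter) -eq '<name>' } | Remove-CimInstance
#   $filters   | Where-Object Name -eq '<name>' | Remove-CimInstance
#   $consumers | Where-Object Name -eq '<name>' | Remove-CimInstance
```

Many Windows builds ship one legitimate binding (a filter named along the lines of "SCM Event Log Filter" tied to an NTEventLogEventConsumer), which this script lists but does not flag because it carries no command or script payload; anything flagged with a CommandLineEventConsumer or ActiveScriptEventConsumer deserves a look at its Query and Payload fields. For ongoing monitoring rather than point-in-time audits, the Microsoft-Windows-WMI-Activity/Operational log records the creation of permanent subscriptions as event ID 5861 on Windows 10 and Server 2016 and later, and Sysmon event IDs 19, 20 and 21 cover WMI filter, consumer and binding activity respectively.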