U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Fileless cryptocurrency miner CoinMiner uses NSA EternalBlue exploit to spread

A new fileless miner dubbed CoinMiner appeared in the wild, it uses NSA EternalBlue exploit and WMI tool to spread. A new strain of Cryptocurrency Miner dubbed CoinMiner appeared in the wild and according to the experts it is hard to detect and infects Windows PCs via EternalBlue NSA exploit. CoinMiner is a fileless malware that leverages the WMI […]

Fileless cryptocurrency miner CoinMiner uses NSA EternalBlue exploit to spread

A new fileless miner dubbed CoinMiner appeared in the wild, it uses NSA EternalBlue exploit and WMI tool to spread.

A new strain of Cryptocurrency Miner dubbed CoinMiner appeared in the wild and according to the experts it is hard to detect and infects Windows PCs via EternalBlue NSA exploit.

CoinMiner is a fileless malware that leverages the WMI (Windows Management Instrumentation) toolkit as a method to run commands on infected systems.

“This threat uses WMI (Windows Management Instrumentation) as its fileless persistence mechanism. Specifically, it used the WMI Standard Event Consumer scripting application (scrcons.exe) to execute its scripts. To enter a system, the malware uses the EternalBlue vulnerability – MS17-010. The combination of fileless WMI scripts and EternalBlue makes this threat extremely stealthy and persistent.” reads the analysis published by Trend Micro.

The analysis of the JScript revealed that the attackers used multiple layers of C&C servers to quickly update the appropriate servers and components and to avoid detection.

CoinMiner is not the first miner that leverages the EternalBlue exploit to infect victims, on May security experts at ProofPoint discovered that many machines weren’t infected by WannaCry because they were previously infected by the Adylkuzz miner.

Trend Micros shared best practices to avoid being infected with CoinMiner, for example in order to prevent the malware spreading through the exploitation of the EternalBlue, users should check they have installed the MS17-010 Microsoft security patch, or disable the SMBv1 protocol on their systems.

We said the CoinMiner leverages WMI in the attack chain to download scripts and other components needed to get persistence on the infected machine and to download and launch the CoinMiner binary.

CoinMiner

Disabling WMI on systems, or at least restricting WMI access, could be efficient in contrasting the threat.

Microsoft provided instructions for disabling SMBv1 and WMI:

Further details about CoinMiner are available in the report published by Trend Micro.

[adrotate banner=”9″] [adrotate banner=”12″]  

 

Pierluigi Paganini

(Security Affairs – CoinMiner, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]