EternalBlue is to blame, yet again!
A new malware family is using the leaked NSA exploit EternalBlue to infect Windows machines and hijack them for cryptocurrency mining. Security researchers call this cryptocurrency mining malware family CoinMiner.
The malware is hard to detect or remove because it uses several techniques to persist on an infected machine. First, it uses the EternalBlue exploit to gain entry into a vulnerable Windows system, and then it uses WMI (Windows Management Instrumentation) to run malicious instructions.
WMI is normally used to automate administrative tasks on remote computers and to collect management data from them. In this case, once CoinMiner gets onto a system via EternalBlue, the infected machine runs several WMI scripts in the background, among them one that connects to the attacker's C&C server to download the mining malware. The scripts are fileless: they live in the WMI repository rather than as files on disk, which is what makes the infection both stealthy and persistent across reboots.
The first-stage C&C server, located at hxxp://wmi[.]mykings[.]top:8888/test[.]html, contains instructions on where to download the cryptocurrency miner and its components. It also contains the addresses of the second- and third-stage C&C servers.
Our monitoring of the above URL shows that the operation is still active. As noted on the infection diagram, the actual coin-mining payload is downloaded by TROJ_COINMINER.AUSWQ.
Trend Micro wrote in their research that "the combination of fileless WMI scripts and EternalBlue makes this threat extremely stealthy and persistent."
Mitigation and how to avoid falling for this cryptocurrency mining malware
The security researchers have advised IT administrators to restrict WMI access.
First, restrict (and, where possible, disable) WMI as needed. Using WMI on a system requires administrator rights, so granting access only to the specific groups of administrator accounts that genuinely need it reduces the risk of WMI attacks. One caveat: Windows itself and most management tooling depend on the local WMI service, so stopping the Winmgmt service outright tends to break things; in practice "restricting WMI" means blocking remote WMI (DCOM on TCP 135 plus a dynamic port) at the host firewall and tightening who can administer the machine.
They also recommend using Microsoft's built-in WMI tracing (the WMI-Activity event log, which can be enabled through Event Viewer or wevtutil) to see what WMI is being asked to do. Disabling WMI on machines that don't need it and restricting it on those that do will mitigate the issue.
The easiest way is to install MS17-010, the security update that fixes the SMBv1 vulnerability (CVE-2017-0144) that EternalBlue exploits. Microsoft released it in March 2017 and has since made it available even for out-of-support Windows XP machines; disabling SMBv1 altogether removes the attack surface as well. This particular vulnerability was discovered, and kept secret, by the National Security Agency and then leaked by the Shadow Brokers. It has so far been used in a number of different campaigns, including the WannaCry ransomware outbreak and Petya ransomware.
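The following PowerShell script is an added example and is not code from the article or from Trend Micro. It turns the advice above into a host triage: it lists permanent WMI event subscriptions (the mechanism behind the fileless WMI scripts described earlier), switches on Microsoft's WMI-Activity tracing, reports the machine's EternalBlue exposure (SMBv1 state, port 445, hotfixes installed since the MS17-010 bulletin date), and finally blocks remote WMI and SMBv1. The function names are this example's own; the firewall rule group name and the WMI-Activity event ID are the standard Windows ones but are worth confirming on your own build. It assumes an elevated Windows PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or newer, where the Smb*, NetFirewall* and NetTCPConnection cmdlets exist.

```powershell
# Added example, not code from the article or from Trend Micro. Triage one host for
# the WMI persistence described above and for its EternalBlue exposure, then cut
# off remote WMI. Run as administrator in Windows PowerShell 5.1 on Windows 8.1 /
# Server 2012 R2 or newer (older releases lack the Smb* and NetFirewall* cmdlets).
# Function names are this example's own, not a Windows or Trend Micro API.

# Permanent WMI event subscriptions survive reboots inside the WMI repository:
# an __EventFilter (trigger) is joined to an __EventConsumer (payload) by a
# __FilterToConsumerBinding. List every binding with its query and payload;
# a clean workstation usually has none, so anything that launches cmd, powershell,
# mshta or regsvr32, or fetches a URL, deserves a close look.
function Get-WmiPersistence {
    $ns        = 'root/subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Reference properties come back from Get-CimInstance as CimInstance objects;
        # Get-WmiObject-style paths are strings such as __EventFilter.Name="x". Handle both.
        $fName = if ($b.Filter   -is [string]) { $b.Filter   -replace '.*Name="([^"]*)".*', '$1' } else { $b.Filter.Name }
        $cName = if ($b.Consumer -is [string]) { $b.Consumer -replace '.*Name="([^"]*)".*', '$1' } else { $b.Consumer.Name }
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName
        [pscustomobject]@{
            Filter   = $fName
            Query    = $f.Query
            Consumer = $cName
            Type     = $c.CimClass.CimClassName
            # CommandLineEventConsumer carries CommandLineTemplate;
            # ActiveScriptEventConsumer carries ScriptText (the fileless script body).
            Payload  = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        }
    }
}

# Microsoft's own WMI tracing: the WMI-Activity/Operational channel is on by default
# and records event 5861 whenever a new permanent consumer binding is registered;
# the analytic Trace channel is off by default and is switched on here with wevtutil.
function Enable-WmiTracing {
    wevtutil sl 'Microsoft-Windows-WMI-Activity/Trace' /e:true
    Get-WinEvent -LogName 'Microsoft-Windows-WMI-Activity/Operational' -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object Id -eq 5861 |
        Select-Object TimeCreated, Id, Message
}

# EternalBlue targets the SMBv1 server on TCP 445. MS17-010 ships under a different
# KB number for each Windows release and is folded into every later monthly rollup,
# so instead of hard-coding one KB this reports the SMBv1 state, whether 445 is
# listening, and every hotfix installed on or after the bulletin date (14 March 2017)
# for comparison against the bulletin. Get-HotFix sometimes has no InstalledOn value,
# so an empty list means "check manually", not "unpatched".
function Test-EternalBlueExposure {
    $smb = Get-SmbServerConfiguration
    [pscustomobject]@{
        SMB1Enabled          = $smb.EnableSMB1Protocol
        Port445Listening     = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
        HotfixesSinceMS17010 = (Get-HotFix |
            Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2017-03-14' } |
            Select-Object -ExpandProperty HotFixID) -join ', '
    }
}

# Windows itself depends on the WMI service, so "restrict WMI" in practice means
# blocking remote WMI (DCOM: TCP 135 plus a dynamic port) at the host firewall and
# turning off SMBv1, not stopping the Winmgmt service. Local WMI keeps working.
function Block-RemoteWmi {
    Disable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# Usage: inspect first, harden second.
Get-WmiPersistence | Format-List
Enable-WmiTracing
Test-EternalBlueExposure
# Block-RemoteWmi   # uncomment once nothing legitimate is known to need remote WMI or SMBv1
```

Run the inspection functions before the hardening one: a binding whose payload is an ActiveScriptEventConsumer with a script that reaches out to a URL is exactly the pattern this campaign relies on, and event 5861 in the Operational log tells you when it was planted. Blocking remote WMI at the firewall leaves the local WMI service intact, which is why it is preferable to disabling the service.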
Even if you aren't worried about this particular cryptocurrency mining malware, installing the patch will protect you from every other EternalBlue-based malware family too.