Cryptocurrency Miner Infects Windows PCs via EternalBlue and WMI
By Catalin Cimpanu | August 22, 2017
A new malware family detected under the name of CoinMiner is causing users and security firms alike loads of problems, being hard to stop or detect due to the combination of various unique features.
The malware — a cryptocurrency miner — uses the EternalBlue NSA exploit to infect victims and the WMI (Windows Management Instrumentation) toolkit as a method to run commands on infected systems.
In addition, CoinMiner also runs in memory (fileless malware), and uses multiple layers of command and control servers to deploy the multitude of scripts and components it needs to infect victims.
All of these make a deadly mixture of features that spell trouble for outdated machines and systems running antivirus solutions not up to par with the latest infection techniques.
…
Users should make sure they have the MS17-010 Microsoft security patch installed, or at least disable the SMBv1 protocol on their systems, so CoinMiner won’t have any way of reaching their computers… Trend Micro, the company that discovered CoinMiner this week, recommends disabling WMI on systems where it’s not needed, or at least restricting WMI access to only one admin account, accessible to IT staff only.
Read the full article on bleepingcomputer.com
From msdn.microsoft.com:
Starting and Stopping the WMI Service
Stopping Winmgmt Service:
The following procedure describes how to stop the WMI Service.
To stop Winmgmt Service
– At a command prompt, enter net stop winmgmt.
– Other services that are dependent on the WMI service also halt, such as SMS Agent Host or Windows Firewall.
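The two hardening points on this page (confirm MS17-010 is installed or SMBv1 is disabled; know what depends on the WMI service before stopping it) can be audited from one elevated PowerShell session. The script below is an added example written for this page; it is not code from the BleepingComputer article, Trend Micro, or the MSDN page. It assumes Windows 8 / Server 2012 or later (where the SmbShare cmdlets exist), and `$Ms17010Kb` is a placeholder the administrator replaces with the MS17-010 update id for their own OS build, since the page gives no KB number. Without the `-Remediate` switch it only reports.

```powershell
# Added example (not from the quoted article or MSDN text): audit SMBv1 exposure,
# the MS17-010 update, and the WMI service's dependents. Run elevated.
# Assumptions: Windows 8 / Server 2012+ (SmbShare module present);
# $Ms17010Kb is a placeholder for the OS-specific MS17-010 update id.

param(
    [string]$Ms17010Kb = 'KB<placeholder>',   # replace with the MS17-010 KB id for this OS build
    [switch]$Remediate                        # only report unless this switch is given
)

# 1. Server-side SMBv1: the protocol EternalBlue needs to reach the host.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 is enabled; without MS17-010 this host is reachable by EternalBlue.'
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output 'SMBv1 server support disabled.'
    }
} else {
    Write-Output 'SMBv1 server support is already disabled.'
}

# 2. MS17-010 presence. Get-HotFix errors on an unknown id, so treat that as "missing".
try {
    $fix = Get-HotFix -Id $Ms17010Kb -ErrorAction Stop
    Write-Output ('MS17-010 present: {0} installed {1}' -f $fix.HotFixID, $fix.InstalledOn)
} catch {
    Write-Warning "Update $Ms17010Kb not found; install MS17-010 for this OS build."
}

# 3. WMI service state, plus the running services that 'net stop winmgmt' would also halt
#    (the MSDN text names SMS Agent Host and Windows Firewall as examples).
$wmi = Get-Service -Name winmgmt
Write-Output ('winmgmt is {0}' -f $wmi.Status)
$dependents = $wmi.DependentServices | Where-Object { $_.Status -eq 'Running' }
if ($dependents) {
    Write-Output 'Running services that also stop if WMI is stopped:'
    $dependents | ForEach-Object { Write-Output ('  {0} ({1})' -f $_.DisplayName, $_.Name) }
} else {
    Write-Output 'No running services depend on winmgmt.'
}
```

Review the dependents list before stopping WMI on any host: a machine whose firewall or management agent rides on winmgmt loses those when the service halts, which is the trade-off the MSDN note is pointing at. Where WMI must stay on, the narrower option the article mentions (restricting access to a single administrative account) is configured through WMI namespace security rather than by stopping the service.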
