Cryptocurrency Mining Malware CoinMiner Spreads Using NSA Exploit

Mining cryptocurrency can be extremely profitable, especially if you use someone else’s computer to avoid paying for expensive hardware or electricity. According to Japanese security firm Trend Micro, hackers have created malware known as CoinMiner that uses an exploit developed by the NSA to use victims’ computers to mine cryptocurrencies.

Cryptocurrency Mining Malware

According to reports, CoinMiner exploits a component in PCs known as Windows Management Instrumentation (WMI) and infects computers using an NSA tool called EternalBlue. This is the same tool that WannaCry used to infect computers all over the world.

Microsoft fixed the EternalBlue exploit through a patch released back in March, but users have been slow to update. Once the malware accesses a machine, it runs a backdoor and installs several WMI scripts that connect to its server, gather instructions, and then download the miner. WMI is a core Windows component used for management tasks such as monitoring disk space, and it can be secured.

After infecting a computer, the fileless malware essentially enslaves it and uses its power to mine cryptocurrencies for the hackers. CoinMiner has mostly been observed in Asian countries, predominantly Japan and Indonesia.

In a blog post, Trend Micro researcher Buddy Tancio stated:

“The combination of fileless WMI scripts and EternalBlue makes this threat extremely stealthy and persistent. Fileless malware can be a difficult threat to analyse.”

Tancio added that fileless attacks are becoming more common, and that legitimate tools and services, such as WMI, are increasingly being used in attacks. Notably, WMI malware was used in the infamous Stuxnet malware that caused substantial damage to Iran’s nuclear program.

According to Trend Micro, the new mining operation includes a timer that triggers the malicious WMI script every three hours, presumably to guarantee that infected computers keep mining.

Cryptocurrency mining malware is not new. Back in May, the Merkle wrote about Monero mining malware “Adylkuzz” and how it had prevented the WannaCry ransomware campaign from spreading even further. It stopped WannaCry by closing down SMB ports after infiltrating a computer. Closing those ports can also help avoid CoinMiner infections.

EternalBlue, the NSA exploit used to infect computers, was revealed as the driving force behind CoinMiner by the Shadow Brokers, a hacker group that has released several leaks containing NSA hacking tools, some even including zero-day exploits.

What Can be Done

CoinMiner only infects Windows machines, and Trend Micro offers a few suggestions to help keep users safe. IT administrators should restrict and disable WMI as needed so that only select administrators can use it. In fact, some computers do not need the WMI service, and Microsoft itself has a guide on how to stop it.

Given that EternalBlue is CoinMiner’s entry point, users should update their operating system, as a patch was released back in March. To avoid exposure to other types of malware, one’s software and other applications should continually be updated.