A newly discovered fileless cryptocurrency miner has been targeting the Asia-Pacific region since July, leveraging the dangerous EternalBlue Windows SMB exploit to drop a backdoor while abusing Microsoft Windows Management Instrumentation as its persistence mechanism.
Microsoft describes WMI as a core Windows technology that can be used to manage both local and remote computers, while offering a consistent way to handle routine tasks using programming or scripting languages. The malware, dubbed TROJ64_COINMINER.QO, uses one particular scripting application, WMI Standard Event Consumer, to execute its scripts, explains Trend Micro in a Monday blog post that describes its researchers' findings.
Between July and August, Japan saw the highest share of infections, at 43.05 percent, followed by Indonesia (approximately 21.36 percent), Taiwan (13.67 percent), Thailand (10.07 percent) and India (4.12 percent), Trend Micro reports.
A Windows system becomes infected when the attackers use EternalBlue to drop and execute a backdoor called BKDR_FORSHARE.A, which in turn installs malicious WMI scripts that connect to various command-and-control servers in order to download TROJ64_COINMINER.QO.
EternalBlue is believed to be an NSA exploit that was recently exposed in a leak by the Shadow Brokers hacking group. Even though Microsoft released a patch for the exploit last March, it has nevertheless been used to help spread various malware programs, including the notorious WannaCry ransomware and NotPetya faux ransomware disk wiper.
“The combination of fileless WMI scripts and EternalBlue makes this threat extremely stealthy and persistent,” the blog post warns, adding that the lack of malware files on a hard drive makes it more difficult to detect. Noting that this malware operation remains active, Trend Micro recommends that Windows users restrict or disable WMI as needed.
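A defender-side check that follows from the persistence mechanism described above, added here as an example and not code from Trend Micro or from the report: it lists the permanent WMI event subscriptions on a host and flags consumers that can execute scripts or commands, which is where a WMI event-consumer persistence of the kind the report describes would have to live. It assumes PowerShell 3.0 or later with CIM access in an elevated session; the class names are standard WMI classes in the root\subscription namespace, while the -ComputerName parameter, the output fields and the truncation length are the example's own choices.

```powershell
# Added example (not from the Trend Micro report): enumerate permanent WMI event
# subscriptions and flag consumers that can run script or commands.
# Assumes PowerShell 3.0+ with CIM access; run elevated. Pass -ComputerName to
# audit a remote host over WinRM, omit it for the local machine.
param(
    [string]$ComputerName = $env:COMPUTERNAME
)

$ns  = 'root\subscription'
$cim = @{ ComputerName = $ComputerName; Namespace = $ns; ErrorAction = 'Stop' }

# A permanent subscription has three parts: a filter (the WQL trigger),
# a consumer (the action) and a binding that ties the two together.
$filters   = @(Get-CimInstance @cim -ClassName __EventFilter)
$consumers = @(Get-CimInstance @cim -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance @cim -ClassName __FilterToConsumerBinding)

# Index by Name so each binding can be resolved to its filter query and payload.
$filterByName   = @{}; foreach ($f in $filters)   { $filterByName[$f.Name]   = $f }
$consumerByName = @{}; foreach ($c in $consumers) { $consumerByName[$c.Name] = $c }

# Consumer classes that execute content supplied by whoever created them; the
# scripting consumer is the one the report above says the miner relies on.
$executableClasses = 'ActiveScriptEventConsumer', 'CommandLineEventConsumer'

$results = foreach ($b in $bindings) {
    # Reference properties come back as CimInstance objects carrying the key (Name).
    $filter   = $filterByName[$b.Filter.Name]
    $consumer = $consumerByName[$b.Consumer.Name]
    $class    = if ($consumer) { $consumer.CimClass.CimClassName } else { 'unresolved' }

    # Pull out whatever the consumer would execute, depending on its class.
    $payload = switch ($class) {
        'ActiveScriptEventConsumer' {
            if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFileName }
        }
        'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
        default                     { '' }
    }
    $payload = [string]$payload

    [pscustomobject]@{
        Computer     = $ComputerName
        Binding      = $b.Filter.Name + ' -> ' + $b.Consumer.Name
        FilterQuery  = if ($filter) { $filter.Query } else { 'unresolved' }
        ConsumerType = $class
        Suspicious   = $executableClasses -contains $class
        # Keep the listing readable; inspect the full object if a payload is cut off.
        Payload      = if ($payload.Length -gt 200) { $payload.Substring(0, 200) + '...' } else { $payload }
    }
}

# Executable consumers first. Review each against the subscriptions you expect
# on the build (for example the default "SCM Event Log Consumer" binding, which
# is an NTEventLogEventConsumer and is not flagged here).
$results | Sort-Object Suspicious -Descending | Format-List
```

The listing is a point-in-time audit: a consumer that is present is evidence of persistence, but an empty list only says nothing is registered right now. Pairing it with the restriction of WMI access that the report recommends, and with logging of the WMI-Activity operational channel, gives both a preventive control and a way to see new subscriptions being created.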