Threat Management, Malware

New fileless cryptocurrency miner abuses WMI, leverages EternalBlue Windows exploit


A newly discovered fileless cryptocurrency miner has been targeting the Asia-Pacific region since July, leveraging the dangerous EternalBlue Windows SMB exploit to drop a backdoor while abusing Microsoft Windows Management Instrumentation as its persistence mechanism.

Microsoft describes WMI as a core Windows technology that can be used to manage both local and remote computers, while offering a consistent way to handle routine tasks using programming or scripting languages. The malware, dubbed TROJ64_COINMINER.QO, uses one particular scripting application, WMI Standard Event Consumer, to execute its scripts. explains Trend Micro in a Monday blog post that describes its researchers' findings.

Between July and August, Japan has seen the highest share of infections, at 43.05 percent, followed by Indonesia (approximately 21.36 percent), Taiwan (13.67 percent), Thailand (10.07 percent) and India (4.12 percent), Trend Micro reports.

A Windows system becomes infected when the attackers use EternalBlue to drop and execute a backdoor called BKDR_FORSHARE.A, which in turn installs malicious WMI scripts that connect to various command-and-control servers in order to download TROJ64_COINMINER.QO.

EternalBlue is believed to be an NSA exploit that was recently exposed in a leak by the Shadow Brokers hacking group. Even though Microsoft released a patch for the exploit last March, it has nevertheless been used to help spread various malware programs, including the notorious WannaCry ransomware and NotPetya faux ransomware disk wiper.

“The combination of fileless WMI scripts and EternalBlue makes this threat extremely stealthy and persistent,” the blog post warns, adding that the lack of malware files on a hard drive makes it more difficult to detect. Noting that this malware operation remains active, Trend Micro recommends that Windows users restrict or disable WMI as needed.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.