Summary
Coinminer.Win64.MALXMR is cryptocurrency-mining malware that exploits EternalBlue (MS17-010, SMBv1) for propagation and abuses Windows Management Instrumentation (WMI) event subscriptions for persistence. It consumes the system's central processing unit (CPU) and/or graphics processing unit (GPU) to mine cryptocurrency (Monero).
The following can be observed during the infection:
- High CPU utilization by powershell.exe or schtasks.exe
- Monero.CryptoCurrency.Miner application detection on the network
- The execution source can be identified from the service installation event. Some scripts are obfuscated and require additional steps to identify the source of infection; alternatively, if the execution is still active, a Wireshark capture filtered on SMB traffic (TCP port 445) can help locate the attacking host.
- WMI PowerShell scripts on the domain controller (DC)
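The observables above can be checked on a suspect host with the triage script below. It is an added example, not code from the original article or from Trend Micro: it enumerates WMI event subscriptions (the persistence mechanism), flags long-running powershell.exe/schtasks.exe processes, looks for established connections to the pool hosts and port listed in the Indicators of Compromise, and hashes any dfsvc.exe it finds. Assumptions: PowerShell 5.1 or later, run elevated; the CPU-seconds threshold and the search paths are arbitrary choices, and the pool hostnames are taken verbatim from the IoC list on this page.

```powershell
# Added triage example (not part of the original article). Assumes an elevated
# PowerShell 5.1+ session; thresholds and search paths below are assumptions.
$PoolHosts = @('xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-asia1.nanopool.org',
               'xmr-us.west1.nanopool.org', 'xmr-us.east1.nanopool.org')   # from the IoC list
$PoolPort  = 14444
$KnownSha1 = '0ebc0d640f67c1683ee851d2afb5c6e91c0bf82a'                     # from the IoC list

# 1. WMI persistence: list every filter -> consumer binding in root\subscription.
#    A clean host normally has none, or only vendor-owned ones you can explain.
function Get-WmiPersistence {
    $ns        = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
    $consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    foreach ($b in $bindings) {
        # Reference properties come back as CimInstance objects (Get-CimInstance) or as
        # '__EventFilter.Name="..."' strings (Get-WmiObject); handle both.
        $fName = if ($b.Filter   -is [string]) { $b.Filter   -replace '.*Name="([^"]*)".*', '$1' } else { $b.Filter.Name }
        $cName = if ($b.Consumer -is [string]) { $b.Consumer -replace '.*Name="([^"]*)".*', '$1' } else { $b.Consumer.Name }
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName
        [pscustomobject]@{
            Filter      = $fName
            Query       = $f.Query
            Consumer    = $cName
            CommandLine = $c.CommandLineTemplate
            # Heuristic (assumption): encoded/downloading PowerShell or schtasks in a consumer is a red flag.
            Suspicious  = [bool]($c.CommandLineTemplate -match 'powershell|-enc|-e |DownloadString|IEX|schtasks')
        }
    }
}

# 2. CPU hogs: powershell.exe / schtasks.exe / dfsvc.exe with a lot of accumulated CPU time.
function Get-SuspiciousCpuHogs {
    param([int]$MinCpuSeconds = 60)   # assumption: tune for your environment
    Get-Process -Name powershell, schtasks, dfsvc -ErrorAction SilentlyContinue |
        Where-Object { $_.CPU -ge $MinCpuSeconds } |
        ForEach-Object {
            $cl = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)").CommandLine
            [pscustomobject]@{ Name = $_.Name; Id = $_.Id; CpuSeconds = [math]::Round($_.CPU)
                               Path = $_.Path; CommandLine = $cl }
        }
}

# 3. Network: established connections to the pool port or to resolved pool addresses.
function Get-PoolConnections {
    $poolIps = foreach ($h in $PoolHosts) {
        try { (Resolve-DnsName -Name $h -Type A -ErrorAction Stop).IPAddress } catch { }
    }
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -eq $PoolPort -or $poolIps -contains $_.RemoteAddress } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
            @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name } }
}

# 4. Binary: dfsvc.exe is also a legitimate ClickOnce component under
#    %SystemRoot%\Microsoft.NET, so decide by SHA1, not by file name.
function Find-KnownMinerBinary {
    Get-ChildItem -Path $env:SystemRoot, $env:ProgramData, $env:TEMP -Filter 'dfsvc.exe' `
                  -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash.ToLower()
            [pscustomobject]@{ Path = $_.FullName; Sha1 = $h; KnownMalxmr = ($h -eq $KnownSha1) }
        }
}

Get-WmiPersistence    | Format-List
Get-SuspiciousCpuHogs | Format-Table -AutoSize
Get-PoolConnections   | Format-Table -AutoSize
Find-KnownMinerBinary | Format-Table -AutoSize
```

Treat a WMI binding whose consumer launches PowerShell as the primary finding even when no miner process is running: the subscription re-launches the payload on the next trigger, so removing only the process or the binary leaves the host infected. Remove the binding, consumer and filter together (Remove-CimInstance on each object) once the host has been imaged for evidence.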
Capabilities
Impact
The malware routine can be found in the following virus reports:
Indicators of Compromise
Dfsvc.exe (SHA1 0ebc0d640f67c1683ee851d2afb5c6e91c0bf82a) – Coinminer binary (note that a legitimate dfsvc.exe, the ClickOnce service, ships with the .NET Framework; match on the hash, not the file name)
xmr-eu1.nanopool.org:14444 - Coinminer site (Monero mining pool)
xmr-asia1.nanopool.org:14444 - Coinminer site (Monero mining pool)
xmr-us.west1.nanopool.org:14444 - Coinminer site (Monero mining pool)
xmr-us.east1.nanopool.org:14444 - Coinminer site (Monero mining pool)
xmr-eu2.nanopool.org:14444 - Coinminer site (Monero mining pool)
Detections | Hash (SHA1)
---|---
Coinminer.Win64.MALXMR.TIAOODDG | 0ebc0d640f67c1683ee851d2afb5c6e91c0bf82a

TM Detection | OPR / Rule
---|---
Coinminer.Win64.MALXMR.TIAOODDG | 15.689.00
Behavioral Monitoring (AEGIS) | Malware Behavior Blocking
Suspicious Connection (Network Content Inspection) | Relevance Rule (MS17-010-SMB_REMOTE_CODE_EXECUTION_EXPLOIT_NC_)
Actions to Take:
Make sure that your product software is patched and up to date. Please refer to these KB articles:
Trend Micro endpoint products configured according to best practices should be able to detect and clean this malware. Refer to the KB article "Best practices in configuring OfficeScan (OSCE) for malware protection" for more information.
For machines that are isolated or have no agent installed, use the ATTK Online Clean Tool to clean the infected machine.
This malware uses the EternalBlue exploit to propagate. Patch the OS with MS17-010 to prevent further damage and propagation, and disable SMBv1 where it is not required, since EternalBlue only works against the SMBv1 server.
This malware also spreads by brute-forcing a list of common passwords against other connected systems. Use complex, unique passwords, especially for local and domain administrator accounts, and enable account lockout.
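The MS17-010 and SMBv1 recommendations above can be verified and applied with the script below. It is an added example, not code from the original article or from Trend Micro. Assumptions: Windows 8.1 / Server 2012 R2 or later, run from an elevated PowerShell; the KB list is my own list of the March 2017 MS17-010 packages and is only indicative, because later cumulative updates supersede those KBs without listing them, so the reported srv.sys version should be compared against the patched build for your OS as well.

```powershell
# Added hardening check (example code, not from the original article). Assumes an
# elevated PowerShell on Windows 8.1 / Server 2012 R2 or later. The KB list is an
# assumption (March 2017 MS17-010 packages); later cumulative updates supersede them.
$Ms17010Kbs = @('KB4012212', 'KB4012213', 'KB4012214', 'KB4012215', 'KB4012216', 'KB4012217',
                'KB4012598', 'KB4012606', 'KB4013198', 'KB4013429')

function Test-Ms17010Exposure {
    $smb       = Get-SmbServerConfiguration
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $srv       = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    $feature   = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $smb.EnableSMB1Protocol                       # EternalBlue needs this to be $true
        Smb1Feature       = if ($feature) { [string]$feature.State } else { 'unknown' }
        Ms17010KbPresent  = [bool]($installed | Where-Object { $Ms17010Kbs -contains $_ })
        SrvSysVersion     = if ($srv) { $srv.VersionInfo.FileVersion } else { 'not present' }
        Port445Listening  = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
}

# Disable the SMBv1 server and remove the SMB1Protocol feature. Dry run unless -Apply
# is given, because SMBv1 removal breaks any remaining SMBv1-only clients/printers.
function Disable-Smb1 {
    param([switch]$Apply)
    if (-not $Apply) {
        Write-Host 'Dry run: would disable the SMBv1 server and the SMB1Protocol feature (use -Apply).'
        return
    }
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

Test-Ms17010Exposure | Format-List
Disable-Smb1            # re-run with -Apply after reviewing the report above
```

A host that reports Smb1ServerEnabled = True with Ms17010KbPresent = False and an old srv.sys is the case this article describes; patch first, then disable SMBv1, since the miner's lateral movement relies on both the exploit and the password brute force, and only the patch closes the former.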
Related Trend Micro blog: