MALXMR Cryptocurrency-mining Malware Information

    • Updated: 13 Aug 2020
    • Product/Version: Apex One 2019; OfficeScan All; Worry-Free Business Security Standard All
Summary

Coinminer.Win64.MALXMR is cryptocurrency-mining malware that exploits EternalBlue for propagation and abuses Windows Management Instrumentation (WMI) for persistence. It uses the infected system's central processing unit (CPU) and/or graphics processing unit (GPU) to mine cryptocurrency.

The following can be observed during the infection:

  • High CPU utilization by either powershell.exe or schtasks.exe
  • Monero.CryptoCurrency.Miner app detection from the network
  • The execution source can be identified during service installation. Some scripts may be obfuscated, which requires additional steps to identify the source of infection. Alternatively, if execution is still active, a Wireshark capture filtered on SMB traffic can help locate the source.
  • WMI PowerShell scripts on the DC server

Capabilities

  • Exploit
  • Persistence

Impact

  • Resource Hijacking

The malware routine can be found in the following virus reports:

Indicators of Compromise

Dfsvc.exe (0ebc0d640f67c1683ee851d2afb5c6e91c0bf82a) - Coinminer binary

xmr-eu1.nanopool.org:14444 - Coinminer site

xmr-asia1.nanopool.org:14444 - Coinminer site

xmr-us.west1.nanopool.org:14444 - Coinminer site

xmr-us.east1.nanopool.org:14444 - Coinminer site

xmr-eu2.nanopool.org:14444 - Coinminer site
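The following triage script is an added example, not part of the Trend Micro article or its products. It checks a host for the observations and indicators listed above: permanent WMI event subscriptions (the persistence mechanism), long-running powershell.exe/schtasks.exe processes, established connections to the nanopool port 14444, and the Dfsvc.exe SHA1 from the IoC list. It assumes Windows PowerShell 5.1 or later run as an administrator; the directories searched for dfsvc.exe are an assumption, since the article does not state a drop location.

```powershell
# Added triage script (not from the Trend Micro article). Run elevated.
$MinerHash = '0ebc0d640f67c1683ee851d2afb5c6e91c0bf82a'   # SHA1 of Dfsvc.exe, from the IoC list
$PoolPort  = 14444                                          # port used by the listed nanopool hosts

# 1. Permanent WMI event subscriptions: MALXMR abuses WMI for persistence.
#    A clean workstation normally has no consumers or bindings in root\subscription.
$ns = 'root\subscription'
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)
Write-Output ("WMI subscriptions: {0} filters, {1} command-line consumers, {2} bindings" -f
    $filters.Count, $consumers.Count, $bindings.Count)
foreach ($c in $consumers) {
    # Consumers that launch PowerShell match the "WMI powershell scripts" observation; show them for review.
    if ($c.CommandLineTemplate -match 'powershell') {
        Write-Warning "WMI consumer '$($c.Name)' runs: $($c.CommandLineTemplate)"
    }
}

# 2. powershell.exe / schtasks.exe with heavy accumulated CPU time (the high-CPU observation).
#    The 60-second threshold is an assumed starting point; tune it for the environment.
Get-Process -Name powershell, schtasks -ErrorAction SilentlyContinue |
    Where-Object { $_.TotalProcessorTime.TotalSeconds -gt 60 } |
    Select-Object Id, ProcessName,
        @{ Name = 'CpuSeconds'; Expression = { [int]$_.TotalProcessorTime.TotalSeconds } }, Path

# 3. Established TCP connections to the mining-pool port listed in the IoCs.
Get-NetTCPConnection -RemotePort $PoolPort -State Established -ErrorAction SilentlyContinue |
    Select-Object OwningProcess, RemoteAddress, RemotePort

# 4. Known miner binary by hash. A legitimate dfsvc.exe (ClickOnce) ships with .NET, so only a
#    SHA1 match against the IoC is reported. Search locations are an assumption.
$searchDirs = @("$env:windir", "$env:windir\System32", "$env:TEMP", "$env:ProgramData")
Get-ChildItem -Path $searchDirs -Filter 'dfsvc.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
    if ((Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash -ieq $MinerHash) {
        Write-Warning "Known MALXMR binary found: $($_.FullName)"
    }
}
```

Any hit in sections 1, 3 or 4 should be treated as a confirmed indicator and handled per the actions below; a hit in section 2 alone needs the process command line reviewed before drawing a conclusion.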

Detections                          Hash (SHA1)
Coinminer.Win64.MALXMR.TIAOODDG     0ebc0d640f67c1683ee851d2afb5c6e91c0bf82a
Details
TM Detection                                         OPR
Coinminer.Win64.MALXMR.TIAOODDG                      15.689.00
Behavioral Monitoring (AEGIS)                        Malware Behavior Blocking
Suspicious Connection (Network Content Inspection)   Relevance Rule (MS17-010-SMB_REMOTE_CODE_EXECUTION_EXPLOIT_NC_)

Actions to Take:

Make sure that your product software is patched and up to date. Please refer to these KB articles:

A Trend Micro endpoint product configured according to best practices should be able to detect and clean this malware. Refer to the KB article "Best practices in configuring OfficeScan (OSCE) for malware protection" for more information.

For machines that are isolated or have no agent installed, you can use the ATTK Online Clean Tool to clean the infected machine.

This malware uses the EternalBlue exploit to propagate. It is recommended to patch the OS with MS17-010 to prevent further damage and propagation.

This malware also spreads using a list of common passwords, guessing its way onto other connected systems in a brute-force attack. It is recommended to use complex passwords, especially for the Local and Domain Administrator accounts.

Related Trend Micro blog:

Category: Remove a Malware / Virus
Solution Id: 000261917