Coinminer.Win64.MALXMR is a cryptocurrency-mining malware that exploits EternalBlue (MS17-010) for propagation and abuses Windows Management Instrumentation (WMI) for persistence. It uses the system's central processing unit (CPU) and/or graphics processing unit (GPU) resources to mine cryptocurrency.
The following can be observed during the infection:
- High CPU utilization by either powershell.exe or schtasks.exe
- Monero.CryptoCurrency.Miner app detection from the network
- The execution source can be identified during service installation. Some scripts may be obfuscated, which can require additional steps to identify the source of infection. Alternatively, if the execution is still active, a Wireshark capture filtered on SMB traffic can help locate the source.
- WMI PowerShell scripts on the DC server
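To hunt for the observables above on a suspect host, the following PowerShell script, added here as an illustration and not part of Trend Micro's tooling, enumerates WMI permanent event subscriptions (the persistence mechanism this malware abuses) and lists powershell.exe and schtasks.exe processes with their accumulated CPU time and command line. It assumes an elevated Windows PowerShell 5.1 session on the host being examined.

```powershell
# Added example (not Trend Micro's code): triage WMI persistence and
# miner-related CPU consumers on a host. Run from an elevated session.

$ns = 'root\subscription'

# Extract the Name="..." part of a WMI reference path such as
# __EventFilter.Name="foo" so filters and consumers can be correlated.
function Get-RefName([string]$RefPath) {
    return ($RefPath -replace '^.*Name="([^"]*)".*$', '$1')
}

Write-Host "== WMI permanent event subscriptions (filter -> consumer) =="
$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object { $_.Name -eq $fName }
    $c = $consumers | Where-Object { $_.Name -eq $cName }
    [pscustomobject]@{
        Filter      = $fName
        Query       = $f.Query                 # trigger, e.g. a timer or process-start event
        Consumer    = $cName
        CommandLine = $c.CommandLineTemplate   # what runs; miners often launch powershell -enc here
    }
}
# A confirmed malicious binding is removed with Remove-WmiObject on the
# binding first, then on its consumer and filter.

Write-Host "== powershell.exe / schtasks.exe by CPU time =="
# KernelModeTime/UserModeTime are in 100-nanosecond units.
Get-WmiObject Win32_Process -Filter "Name='powershell.exe' OR Name='schtasks.exe'" |
    Select-Object ProcessId, Name, ParentProcessId,
        @{ n = 'CPUSeconds'; e = { [math]::Round(($_.KernelModeTime + $_.UserModeTime) / 1e7, 1) } },
        CommandLine |
    Sort-Object CPUSeconds -Descending |
    Format-Table -AutoSize -Wrap
```

An entry whose consumer launches an encoded PowerShell command, paired with a long-running powershell.exe at the top of the CPU list, is the pattern this advisory describes and warrants pulling the decoded script for review.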
Capabilities
- Exploit
- Persistence
Impact
- Resource Hijacking
Malware routine can be found on the following virus reports:
Indicators of Compromise
- Dfsvc.exe (0ebc0d640f67c1683ee851d2afb5c6e91c0bf82a) - Coinminer binary
- xmr-eu1.nanopool.org:14444 - Coinminer site
- xmr-asia1.nanopool.org:14444 - Coinminer site
- xmr-us.west1.nanopool.org:14444 - Coinminer site
- xmr-us.east1.nanopool.org:14444 - Coinminer site
- xmr-eu2.nanopool.org:14444 - Coinminer site
| Detections | Hash (SHA1) |
|---|---|
| Coinminer.Win64.MALXMR.TIAOODDG | 0ebc0d640f67c1683ee851d2afb5c6e91c0bf82a |

| TM Detection | OPR |
|---|---|
| Coinminer.Win64.MALXMR.TIAOODDG | 15.689.00 |
| Behavioral Monitoring (AEGIS) | Malware Behavior Blocking |
| Suspicious Connection (Network Content Inspection) | Relevance Rule (MS17-010-SMB_REMOTE_CODE_EXECUTION_EXPLOIT_NC_) |
Actions to Take:
Make sure that your product software is patched and up to date. Refer to these KB articles:
- SECURITY BULLETIN: Directory Traversal Vulnerability in Trend Micro Apex One, OfficeScan and Worry-Free Business Security
- SECURITY BULLETIN: Multiple Critical Vulnerabilities in Trend Micro Apex One and OfficeScan
Trend Micro endpoint products configured according to best practices should be able to detect and clean this malware. Refer to the KB article, Best practices in configuring OfficeScan (OSCE) for malware protection, for more information.
For machines that are isolated or have no agent installed, you can use the ATTK online Clean Tool to clean the infected machine.
This malware also spreads using a list of common passwords, guessing its way onto other connected systems in a brute-force attack. It is therefore recommended to use complex passwords, especially for Local and Domain Administrator accounts.
Related Trend Micro blog: