New Cryptocurrency Miner Uses WMI and EternalBlue

Researchers at Trend Micro have discovered a new cryptocurrency miner, detected as TROJ64_COINMINER.QO, which uses fileless malware techniques that make it a difficult threat to analyze and detect.

This variant was first seen affecting the Asia-Pacific region in July, in countries such as Japan, Indonesia, Taiwan, Thailand and India.

This threat uses WMI (Windows Management Instrumentation) as its fileless persistence mechanism. Specifically, it uses the WMI Standard Event Consumer scripting application (scrcons.exe) to execute its scripts. WMI is a core component of Windows that is commonly used for day-to-day management tasks such as deploying automation scripts, running a process or program at a given time, getting information about installed applications or hardware, monitoring for changes in a folder, and monitoring disk space, among others.

To enter a system, the malware uses the EternalBlue vulnerability – MS17-010. The combination of fileless WMI scripts and EternalBlue makes this threat extremely stealthy and persistent.

The infection flow of this cryptocurrency miner malware has several stages. It starts with MS17-010; the vulnerability is used to drop and run a backdoor on the system (BKDR_FORSHARE.A), which installs various WMI scripts. These scripts then connect to the threat's C&C servers to get instructions and download the cryptocurrency miner malware together with its components.


The following root/subscription classes are used to trigger the malicious WMI script when certain conditions are met:

  • ActiveScriptEventConsumer
  • __EventFilter
  • __IntervalTimerInstruction
  • __AbsoluteTimerInstruction
  • __FilterToConsumerBinding

The malicious WMI script can be found in an instance of the ActiveScriptEventConsumer class under the ROOT\subscription namespace. ActiveScriptEventConsumer is the persistence payload, which contains the instructions to execute when a condition is met.
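The audit below is an added example, not code from the original post or from Trend Micro. It lists every ActiveScriptEventConsumer in ROOT\subscription together with the event filters bound to it and any timer instructions, so the script payload and its trigger can be reviewed side by side. It assumes an elevated PowerShell 3.0+ session on the host being examined; the variable names and the 200-character preview length are our own choices, and legitimate management software can also register consumers, so the output needs review rather than automatic removal.

```powershell
# Added example: audit permanent WMI event subscriptions (run elevated).
$ns = 'root/subscription'

# Index event filters (the trigger conditions) by their key property, Name.
$filters = @{}
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    ForEach-Object { $filters[$_.Name] = $_ }

# Bindings tie one filter to one consumer; Filter/Consumer are CIM references.
$bindings = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

$report = foreach ($c in Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer) {
    # Match on class and name: other consumer classes may reuse the same name.
    $bound = @($bindings | Where-Object {
        $_.Consumer.CimSystemProperties.ClassName -eq 'ActiveScriptEventConsumer' -and
        $_.Consumer.Name -eq $c.Name
    })
    $script = [string]$c.ScriptText          # $null becomes an empty string
    [pscustomobject]@{
        Consumer      = $c.Name
        Engine        = $c.ScriptingEngine   # e.g. JScript or VBScript
        ScriptFile    = $c.ScriptFileName    # set when the script lives on disk
        ScriptLength  = $script.Length
        ScriptPreview = $script.Substring(0, [Math]::Min(200, $script.Length))
        BoundFilters  = @($bound | ForEach-Object { $_.Filter.Name }) -join '; '
        FilterQueries = @($bound | ForEach-Object { $filters[$_.Filter.Name].Query }) -join ' || '
        IsBound       = $bound.Count -gt 0   # unbound consumers never fire
    }
}
$report | Format-List

# Timer instructions generate the timer events that a filter query can match.
$timers = foreach ($cls in '__IntervalTimerInstruction', '__AbsoluteTimerInstruction') {
    Get-CimInstance -Namespace $ns -ClassName $cls | ForEach-Object {
        [pscustomobject]@{
            Class    = $cls
            TimerId  = $_.TimerId
            Interval = $_.IntervalBetweenEvents   # interval timers only (ms)
            FiresAt  = $_.EventDateTime           # absolute timers only
        }
    }
}
$timers | Format-Table -AutoSize
```

Saving `$report` with `Export-Csv` on a known-good build gives a baseline to compare later runs against.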

Extracting the JScript from the ActiveScriptEventConsumer class and analyzing it revealed that the threat actors used multiple layers of C&C servers, which lets them quickly update the servers and components in use. Doing so changes the downloaded malicious files and allows the attackers to avoid detection.

The first-stage C&C server located at hxxp://wmi[.]mykings[.]top:8888/test[.]html contains instructions on where to download the cryptocurrency miner and its components. This also contains the addresses of the second- and third-stage C&C servers. Our monitoring of the above URL shows that the operation is still active. As noted on the infection diagram, the actual coin-mining payload is downloaded by TROJ_COINMINER.AUSWQ. This was first hosted at hxxp://67[.]21[.]90[.]226:8888/, as seen from the contents of the URL. Recently, this URL was updated to change the target URL, although the file downloaded remained identical.

The full analysis discusses the remaining classes.


First, restrict (and disable) WMI as needed. WMI requires administrator rights to be used on a system. Granting access only to the specific groups of administrator accounts that need to use WMI would help reduce the risk of WMI attacks.

The entry point of this attack was EternalBlue, for which a patch has been available since March 2017. However, there are still a lot of machines exposed to this vulnerability. Ensure that the operating system, software, and other applications are updated with the latest patches.



Author: Cognore

Cyber Security Solution
