EternalBlue strikes again: Hackers are hijacking PCs with cryptocurrency malware using the WannaCry exploit

Victoria Woollaston August 23, 2017

The recent Shadow Brokers leak, which exposed a number of the National Security Agency’s spying tools, has a lot to answer for.

EternalBlue strikes again: Hackers are hijacking PCs with cryptocurrency malware using the WannaCry exploit

An exploit uncovered within the files has already been linked to the mass WannaCry outbreak that took down parts of the NHS in June, and now it’s reportedly to blame for a cryptocurrency mining malware hijacking PCs globally.

Security researchers from TrendMicro are calling this cryptocurrency mining malware family CoinMiner, and it’s a type of ‘fileless malware’ making it incredibly difficult to analyse and detect. As the name suggests, such malware threats are fileless, meaning it’s easier for them to hide on a network.

The particular threat identified by TrendMicro uses WMI (Windows Management Instrumentation) to sit on computers and networks. WMI is used to automate tasks on remote computers and lets users access management data from these computers. Specifically, CoinMiner uses the WMI Standard Event Consumer scripting application (scrcons.exe) and enters a system using the leaked EternalBlue vulnerability – MS17-010.

The so-called “infection flow” starts with MS17-010. This vulnerability is used to drop and run a backdoor on the system that installs various WMI scripts. These scripts link together to servers to get instructions and download the cryptocurrency miner malware.

“The combination of fileless WMI scripts and EternalBlue makes this threat extremely stealthy and persistent,” explains TrendMicro’s Buddy Tancio. Tancio continued that the mining malware includes a timer that automatically triggers the malicious WMI script every three hours.

wmi2

What is cryptocurrency-mining malware?

Cryptocurrency is an encrypted data string that denotes a unit of currency. It is monitored on a peer-to-peer system on the blockchain. Cryptocurrencies are created (and encrypted) in blocks using algorithms that are maintained using a technique known as mining. Miners are financially rewarded for mining these blocks, but the process involves a network of computers to validate transactions and is an incredibly computationally intensive task, requiring high-end processors and graphics cards, as well as a vast amount of power.

READ NEXT: What is the blockchain?

Cybercriminals use mining malware to connect hundreds and thousands of computers to networks to increase their yield from mining without having to invest in more hardware. In particular, cryptocurrency-mining malware is designed to “zombify” botnets of computers and is spread in a similar way to other threats, including spam emails and malicious URLs.

“We’ve seen the emergence of hacking tools and backdoors related to cybercriminal Bitcoin mining as early as 2011, and we’ve since seen a variety of cryptocurrency-mining threats that add more capabilities, such as distributed denial-of-service and URL spoofing,” TrendMicro’s threat analyst Kevin Y Huang said. “In 2014, the threat crossed over to Android devices as Kagecoin, capable of mining Bitcoin, litecoin, and dogecoin.”

What is EternalBlue?

EternalBlue is the name given to the software vulnerability in Microsoft’s Windows operating system. Microsoft issued a security update to fix the flaw in March (before the WannaCry ransomware struck).

It works by exploiting the Microsoft Server Message Block 1.0 across multiple version of Windows including Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2, Windows RT 8.1, Windows 10 and Windows Server 2016.

Following the WannaCry attack, security experts at Eset built a free tool that will check to see if your Windows version is vulnerable to EternalBlue. It’s also worth staying up to date with software updates generally.

Image: TrendMicro