Cyber security firm Trend Micro’s research team has identified that the latest breed of cryptocurrency miner operates as a fileless malware, which means the malware exists in the memory of the infected system only. Its key targets are Windows based systems, and it uses the EternalBlue exploit to gain access to the system and being a fileless malware it becomes relatively much easy to avoid detection.
The Eternalblue vulnerability is the same that was used in the WannaCry ransomware back in May and in a mass ransomware campaign known as Petya, NotPetya, and GoldenEye which targeted European regions in June.
According to the blog post from Trend Micro, the miner so far is affecting systems located in the Asia Pacific region while the major target countries include Thailand, Indonesia, Japan, Taiwan, and India. The research team identified the miner in July.
Reportedly, the malware utilized a core component of Windows OS called the Windows Management Instrumentation (WMI). It is used for performing daily management tasks. The infection enters a system via EternalBlue vulnerability, as a backdoor on Windows OS and they install numerous WMI scripts. These scripts are then linked with the attacker’s C&C server to receive further instructions and download the cryptocurrency miner malware.
Microsoft has advised system administrators to limit and disable WMI to prevent the malware from infecting the system. It is not a difficult task since the company maintains that not every system needs the WMI service; so if WMI access is not needed it is better to disable it in order to eliminate the risk.
A tool has also been provided by Microsoft that can trace WMI activity, and a quick guide on stopping the WMI service for good is also available. To further reduce the probability of infection the company advises to disable SMBv1 as well. A patch for the EternalBlue vulnerability has already been released in March 2017.
Trend Micro stated that there are still a large number of systems that are at risk. It is, according to the security firm, important that users make sure “the operating system, software, and other applications are updated with the latest patches deters threats from using security gaps as their doorways into systems and networks.”
It is indeed a reality that Fileless malware is a complicated threat because it makes it very difficult to detect and carry out forensic investigations. This is why nowadays, threat actors are producing fileless malware threats in large proportions.
Users need to search the hard drive for the presence of malicious files, but even that isn’t enough because you will only capture systems memory. However, some Windows artifacts like Shimcache, prefetch or muicache may offer clues for investigation. You can also configure Windows event logs to track system activity and provide helpful information.