A notorious computer exploit allegedly leaked from the US National Security Agency (NSA) is being used to boost the spread of a new cryptocurrency-generating malware dubbed "CoinMiner", according to experts at Japanese security firm Trend Micro.
The threat exploits a component in PCs known as "Windows Management Instrumentation" (WMI) and enters computers with an alleged NSA tool called EternalBlue – previously used by hackers to help spread the "WannaCry" ransomware across the world earlier this year.
The ultimate aim of the so-called "fileless malware" is to enslave a victim's machine and use its computing power to generate bitcoin, a form of digital cash.
The hackers' servers are still being updated, meaning the attack remains active at the time of writing.
To date, the campaign has been observed in countries including Japan, Indonesia, Taiwan, Thailand and India.
"The combination of fileless WMI scripts and EternalBlue makes this threat extremely stealthy and persistent," wrote Trend Micro researcher Buddy Tancio in a blog post this week (21 August). "Fileless malware can be a difficult threat to analyse."
The infection follows several stages. First, the hackers use the EternalBlue exploit to compromise the machine, then use the resulting backdoor to install malicious scripts.
These scripts connect to the culprit's servers, gather instructions and download the crypto miner.
WMI is a core Windows component typically used for management tasks such as monitoring disk space and compiling information about installed applications. But in the hands of a cybercriminal, Trend Micro warned, it can be used for malicious purposes.
The exploit only targets machines running Microsoft's Windows operating system (OS).
A patch for the bug that EternalBlue exploits has been available since March 2017, but many users have been slow to update. As noted, it first hit the headlines back in May after cybercriminals used it to spread the "WannaCry" ransomware to 300,000 computers in 150 countries.
"Fileless attacks are becoming more common," Tancio warned in the Trend Micro blog.
He added: "Threat actors are increasingly using attack methods that work directly from memory and use legitimate tools or services.
"In this case, WMI subscriptions have been used by this cryptocurrency-mining malware as its fileless persistence mechanism."
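The persistence mechanism Tancio describes, permanent WMI event subscriptions, can be audited directly on a host. The PowerShell below is an added example, not code from the article or from Trend Micro; it assumes an administrative PowerShell session (Windows PowerShell 5.1 or PowerShell 7) on the machine being checked. It lists every filter-to-consumer binding in the `root/subscription` namespace, resolves each binding to its filter query and consumer, and flags consumers of the two classes that run commands or script, which is where a fileless loader of this kind would sit.

```powershell
# Added example (not from the article or from Trend Micro): enumerate permanent
# WMI event subscriptions, the fileless persistence mechanism described above.
# Assumes an elevated PowerShell session; permanent subscriptions live in
# the root/subscription namespace.

$ns = 'root/subscription'

# Reference properties come back as CimInstance objects from Get-CimInstance,
# but as object-path strings from older tooling; handle both forms.
function Get-RefName {
    param($Ref)
    if ($null -eq $Ref) { return '' }
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $Ref
    }
    return $Ref.Name
}

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Consumer classes that execute a command line or a script are the ones that
# matter for persistence; log and mail consumers are reviewed second.
$execClasses = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

$report = foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
    $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1

    # A binding whose filter or consumer no longer exists is still worth
    # seeing; mark the missing side rather than skipping the row.
    $cClass = if ($c) { $c.CimClass.CimClassName } else { '<missing>' }

    $payload = switch ($cClass) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '' }
    }

    [pscustomobject]@{
        Filter        = $fName
        Query         = if ($f) { $f.Query } else { '<missing>' }
        Consumer      = $cName
        ConsumerClass = $cClass
        Payload       = $payload
        Suspicious    = ($execClasses -contains $cClass)
    }
}

if ($report) {
    $report | Sort-Object Suspicious -Descending | Format-List
} else {
    Write-Host "No permanent WMI event subscriptions found in $ns."
}
```

A stock Windows install normally carries one benign pair (an `SCM Event Log Filter` bound to an `NTEventLogEventConsumer`), so anything else, and in particular any `CommandLineEventConsumer` or `ActiveScriptEventConsumer` whose payload launches PowerShell, downloads content or decodes an embedded blob, deserves a closer look. For ongoing detection rather than a one-off check, Sysmon records the creation of filters, consumers and bindings as event IDs 19, 20 and 21, and the Microsoft-Windows-WMI-Activity/Operational log records new permanent subscriptions as event ID 5861 on current Windows releases.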
It seems that hackers specialising in crypto-mining malware are adapting to change.
On 15 May this year, experts from cybersecurity firm Proofpoint revealed evidence that two alleged NSA exploits – "EternalBlue" and "DoublePulsar" – were aiding the spread of "Adylkuzz", a new variant of malware that was mining Monero, another popular form of digital money.
Kaspersky Lab detects the new CoinMiner malware as "Trojan.Win64.BitMiner".