The infection flow of this cryptocurrency miner malware has several stages.
The infection flow starts with MS17-010; the vulnerability is used to drop and run a backdoor on the system (BKDR_FORSHARE). These scripts then connect to their C&C servers to get instructions and download the cryptocurrency miner malware together with its components.
It checks which Windows event in __EventFilter will trigger the script stored in __ActiveScriptEventConsumer. There are two areas where IT administrators can learn from this attack and improve their defenses. It requires administrator rights to be used on a system.
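The persistence described above lives in permanent WMI event subscriptions: an __EventFilter (the trigger), an __ActiveScriptEventConsumer (the script that runs) and an __FilterToConsumerBinding that ties the two together. The following PowerShell is an added defensive check, not code from the original article or from Trend Micro; it assumes a Windows host where the reader has the administrator rights the article notes WMI requires, and it lists those three classes from the root\subscription namespace so an administrator can spot a filter and consumer pair that should not be there.

```powershell
# Added example (not from the original article): enumerate permanent WMI event
# subscriptions so an administrator can review what triggers and what runs.
# Assumes administrator rights on the local machine (required to read root\subscription).
$ns = 'root\subscription'

Write-Host '== __EventFilter: the Windows event that acts as the trigger =='
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    Select-Object Name, Query |
    Format-List

Write-Host '== __ActiveScriptEventConsumer: the script executed when the filter fires =='
Get-CimInstance -Namespace $ns -ClassName __ActiveScriptEventConsumer |
    Select-Object Name, ScriptingEngine, ScriptFileName, ScriptText |
    Format-List

Write-Host '== __FilterToConsumerBinding: which filter is wired to which consumer =='
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    ForEach-Object {
        # Filter and Consumer are object references; their Name key identifies each side.
        [pscustomobject]@{
            Filter   = $_.Filter.Name
            Consumer = $_.Consumer.Name
        }
    } |
    Format-Table -AutoSize
```

On a clean workstation the consumer list is usually empty and the filter list short, so any __ActiveScriptEventConsumer with inline ScriptText, or a binding to a filter whose Query watches a frequent event such as a timer or process start, deserves a closer look before it is removed with Remove-CimInstance.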
This will change the downloaded malicious files and allow attackers to avoid detection.
We recently found a new cryptocurrency miner (which we detect as TROJ64_COINMINER). We first saw this particular variant affecting the Asia-Pacific region in July.