Coin miners remediation workflow

Follow these steps to remediate a coin miner attack.

Introduction

Coin miners are executable files that steal CPU cycles and RAM to do the mining calculations for various cryptocurrencies. These malware variants are usually very stealthy because they don’t want to cause explicit harm, so they can keep the mining in the background on a device. The most common symptom is a significant degradation in a device's performance.

Confirm if it's a coin miner

First, you need to determine if you're dealing with a coin miner or some other Windows Management Instrumentation (WMI) persistence based infection. To confirm you have a coin miner infection, do as follows:

Use Microsoft Autoruns to find the infection. See How to use Microsoft Autoruns to locate undetected malware.

An entry shows in the WMI tab.

The screenshot below shows an example of a coin miner.

Update and patch your systems

Make sure that all your devices have the latest Windows security patches. You must make sure that you include the patch for the EternalBlue exploit.

EternalBlue is an exploit that takes advantage of a vulnerability in Microsoft SMB, which was used notably by the WannaCry ransomware to spread. Various malware families now use it. Patching devices and removing this infection vector makes it harder for coin miners and protects you against other malware using EternalBlue.

Microsoft released the patch for EternalBlue in Microsoft update: MS17-010. The official Microsoft article explains how to verify if a computer has the patch. See How to verify that MS17-010 is installed.

Sophos has a simple PowerShell script that you can run on individual devices to confirm if they have the patch. For more information about this, see How to Verify if a Machine is Vulnerable to EternalBlue - MS17-010.

To patch and update your devices, do as follows:

Check if your devices are vulnerable to EternalBlue.
Update your devices with the latest Windows security patches.
Use these PowerShell commands to pull event filter, event consumer and filter consumer binding information from the WMI database.
- wmic /namespace:\\root\subscription PATH __EventFilter get/format:list > C:\EventFilter.txt
- wmic /namespace:\\root\subscription PATH __EventConsumer get/format:list > C:\EventConsumer.txt
- wmic /namespace:\\root\subscription PATH __FilterToConsumerBinding get/format:list > C:\FilterToConsumerBinding.txt
Zip the resulting .txt files generated in C:\ and rename it to [Machine_Name_WMI].zip.

Check your files against these examples from a clean device.

EventFilter.txt

CreatorSID={1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0}
EventAccess=
EventNamespace=root\cimv2
Name=SCM Event Log Filter
Query=select * from MSFT_SCMEventLogEvent
QueryLanguage=WQL

EventConsumer.txt

Category=0
CreatorSID={1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0}
EventID=0
EventType=1
InsertionStringTemplates={""}
MachineName=
MaximumQueueSize=
Name=SCM Event Log Consumer
NameOfRawDataProperty=
NameOfUserSIDProperty=sid
NumberOfInsertionStrings=0
SourceName=Service Control Manager
UNCServerName=

FilterToConsumerBinding.txt

Consumer="NTEventLogEventConsumer.Name="SCM Event Log Consumer""
CreatorSID={1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0}
DeliverSynchronously=FALSE
DeliveryQoS=
Filter="__EventFilter.Name="SCM Event Log Filter""
MaintainSecurityContext=FALSE
SlowDownProviders=FALSE

If your files contain different or more entries than those shown for a clean device, use these scripts to clean them.

Find the appropriate information in the bold text and replace the required information in the following scripts and run them.

Get-WMIObject -Namespace root\Subscription -Class __EventFilter -filter "Name= 'SCM Event Log Filter'" | Remove-WMIObject  -Verbose
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='SCM Events Log Consumer'" | Remove-WMIObject -Verbose
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE "Filter=""__EventFilter.Name='SCM Events Log Filter'""" DELETE

Find the coin miner

A coin miner is either an executable file or a script in the form of a scheduled task or WMI entry.

Use Microsoft Autoruns to determine what type of coin miner you have.
If you have a malicious executable file, submit a sample. See Submit a Sample.

When the signatures have been updated and released, Sophos automatically cleans it from all devices.

If you can't find the executable file, contact Sophos MTR Rapid Response.
If you have a script, use the following articles to help deal with it.
- How to investigate WannaMine - CryptoJacking Worm
- How to remove WMI based JavaScript CoinMiner
- Lemon_Duck PowerShell malware cryptojacks enterprise networks – Sophos News: This article contains useful information if the coin miner is using scheduled tasks.

Delete the coin miner

If you have a malicious executable file, you need to remove it.

Delete the detected files on all the infected devices.

Coin miner remediation video

This video covers this workflow.