Win64/CoinMiner.ZF

NEW NOTIFICATION

Malicious file Win64/CoinMiner.ZF was detected on computer ad02.musashi.co.th

Detection type: trojan
Detection name: Win64/CoinMiner.ZF
Computer name: ad02.musashi.co.th
Logged user: NT AUTHORITY\SYSTEM
User: NT AUTHORITY\SYSTEM
Time of occurrence: 12/7/20, 10:50:42 AM UTC+7
Scanner: Real-time file system protection
Action performed: cleaned by deleting
URL: file:///C:/Windows/system32/dfsvc.exe

Please advise how to get rid of it.

Thanks!

  • Administrators

Could you please manually run an update and then reboot the machine? I assume that PowerShell/Agent.QR will be detected and cleaned by the startup scan in WMI.

Should the problem persist, please provide a log generated by Autoruns.

  • ESET Staff

I agree with Marcos, this looks like a WMI persistent threat. Manually telling ESET to update its detection engine should correct the issue of the threat continually being detected, although there is a good chance you may already have the update (ESET checks for these updates once per hour).

If this does not fix the issue, definitely generate an Autoruns log.

Lastly, it's not uncommon for servers to have been infected due to unexpected ports being exposed to the internet. I highly recommend you audit your public IP addresses with some simple nmap scans to verify what ports are exposed to the internet.

nmap -sV -Pn -F %PublicIPAddress%

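The two replies above point at WMI event-subscription persistence and suggest an Autoruns log. The script below is an added example (not ESET's code and not from anyone in this thread) that does the WMI part of that triage directly: it lists every filter/consumer/binding triple in root\subscription, shows the payload each consumer would run, and optionally removes one subscription by filter name. The regex of suspicious strings is an assumption drawn from typical fileless-miner tradecraft, not an indicator taken from this thread; the script file name in the usage note is hypothetical.

```powershell
# Added example: enumerate (and optionally remove) WMI event-subscription
# persistence. Run in an elevated PowerShell session on the affected host.
param([string]$RemoveFilter)   # name of an __EventFilter whose subscription should be deleted

$ns = 'root/subscription'

# Get-CimInstance returns the Filter/Consumer reference properties as CimInstance
# objects; Get-WmiObject returns them as 'Class.Name="x"' path strings. Handle both.
function Get-RefName($ref) {
    if ($ref -is [string]) { return ($ref -replace '.*Name="([^"]+)".*', '$1') }
    return $ref.Name
}

$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
# Querying the abstract base class returns every consumer subtype
# (CommandLineEventConsumer, ActiveScriptEventConsumer, NTEventLogEventConsumer, ...).
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

# Strings that rarely appear in legitimate consumers (assumption: common
# fileless-miner tradecraft, not indicators from this thread).
$suspect = 'powershell|cmd\.exe|wscript|cscript|mshta|regsvr32|rundll32|certutil|' +
           '-e(nc|c)?\s|FromBase64String|Invoke-Expression|DownloadString'

$report = foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName
    $c = $consumers | Where-Object Name -eq $cName
    # CommandLineEventConsumer runs CommandLineTemplate; ActiveScriptEventConsumer
    # runs ScriptText (or the file named in ScriptFileName).
    $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
               elseif ($c.ScriptText)      { $c.ScriptText }
               else                        { $c.ScriptFileName }
    [pscustomobject]@{
        Filter     = $fName
        Query      = $f.Query                  # the WQL trigger, e.g. a timer or process-start event
        Consumer   = $cName
        Class      = $c.CimClass.CimClassName
        Payload    = $payload
        Suspicious = [bool]($payload -match $suspect)
    }
}
$report | Format-List

# Filters/consumers with no binding are inert, but a partial clean-up (binding
# removed, objects left behind) looks exactly like this, so list them too.
$boundFilters   = $bindings | ForEach-Object { Get-RefName $_.Filter }
$boundConsumers = $bindings | ForEach-Object { Get-RefName $_.Consumer }
$filters   | Where-Object { $_.Name -notin $boundFilters }   |
    ForEach-Object { "Unbound filter:   $($_.Name)  [$($_.Query)]" }
$consumers | Where-Object { $_.Name -notin $boundConsumers } |
    ForEach-Object { "Unbound consumer: $($_.Name)  [$($_.CimClass.CimClassName)]" }

if ($RemoveFilter) {
    # Delete the binding first (that disarms the subscription), then the
    # consumer it pointed at, then the filter itself.
    foreach ($b in ($bindings | Where-Object { (Get-RefName $_.Filter) -eq $RemoveFilter })) {
        $cName = Get-RefName $b.Consumer
        Remove-CimInstance -InputObject $b
        $consumers | Where-Object Name -eq $cName | Remove-CimInstance
    }
    $filters | Where-Object Name -eq $RemoveFilter | Remove-CimInstance
    "Removed WMI subscription for filter '$RemoveFilter'"
}
```

Usage (file name assumed): `.\Get-WmiPersistence.ps1` to list, then `.\Get-WmiPersistence.ps1 -RemoveFilter '<FilterName>'` once you have confirmed a triple is malicious. Expect one benign pair on a stock Windows install, "SCM Event Log Filter" bound to "SCM Event Log Consumer" (an NTEventLogEventConsumer); anything that spawns a script host or carries an encoded command is what the replies above are describing, and it should appear in the WMI tab of the Autoruns log as well.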
One of the better-known WMI-based coin miners is GhostMiner: https://www.trendmicro.com/en_us/research/19/i/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads.html. However, that puppy dropped an .exe in the Windows Temp directory.

Of interest in this ESET detection is the creation of dfsvc.exe in the Windows System32 directory. This executable is associated with .NET ClickOnce software, at least in its legitimate form.

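The post above notes that dfsvc.exe normally belongs to .NET ClickOnce. The genuine copy ships under %WINDIR%\Microsoft.NET\Framework*\v*\ and carries a Microsoft Authenticode signature, so a same-named file in System32 is the outlier to explain. The script below is an added example (not ESET's code and not from the poster) that compares every dfsvc.exe on disk by signature, version resource and hash, then checks for a running process of that name. The System32/SysWOW64 paths are taken from the alert and the directory layout above; the parent-process lookup and the miner-argument regex are assumptions, not indicators from this thread.

```powershell
# Added example: is this dfsvc.exe the real ClickOnce host? Run elevated.

$onDisk = @(
    "$env:WINDIR\System32\dfsvc.exe",       # path reported in the alert
    "$env:WINDIR\SysWOW64\dfsvc.exe"
) + @(Get-ChildItem "$env:WINDIR\Microsoft.NET" -Recurse -Filter dfsvc.exe -ErrorAction SilentlyContinue |
      Select-Object -ExpandProperty FullName)

$fileReport = foreach ($path in ($onDisk | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $path)) { continue }   # ESET may already have deleted it
    $item = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path      = $path
        SizeKB    = [math]::Round($item.Length / 1KB, 1)
        SigStatus = $sig.Status                       # Valid / NotSigned / HashMismatch ...
        Signer    = $sig.SignerCertificate.Subject    # expect CN=Microsoft Corporation on the real one
        Product   = $item.VersionInfo.ProductName
        FileVer   = $item.VersionInfo.FileVersion
        SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Created   = $item.CreationTimeUtc
        InNetDir  = $path -like "$env:WINDIR\Microsoft.NET\*"
    }
}
$fileReport | Format-List

# A miner is a long-lived process with an unusual parent (WMI consumers are
# spawned by WmiPrvSE.exe) and pool/wallet arguments on the command line.
$procReport = foreach ($p in Get-CimInstance Win32_Process -Filter "Name='dfsvc.exe'") {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
    [pscustomobject]@{
        PID       = $p.ProcessId
        Path      = $p.ExecutablePath
        Parent    = "$($parent.Name) ($($p.ParentProcessId))"
        CmdLine   = $p.CommandLine
        MinerArgs = [bool]($p.CommandLine -match 'stratum|-o\s+\S+:\d+|--donate|--algo|-u\s+\S{30,}')
        Started   = $p.CreationDate
    }
}
$procReport | Format-List
```

Read the two reports side by side: a file whose SigStatus is anything other than Valid, whose Signer is not Microsoft, or whose SHA256 differs from the framework copy is not ClickOnce; a running dfsvc.exe parented by WmiPrvSE.exe is the consumer from a WMI subscription firing, which ties back to the advice earlier in the thread.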
