Light Dark
January 8, 2019 By Douglas Bonderud 2 min read

Security researchers report that the newest version of NRSMiner crypto-mining malware is causing problems for companies that haven’t patched the EternalBlue exploit.

Last year, the EternalBlue exploit (CVE-2017-0144) leveraged Server Message Block (SMB) 1.0 flaws to trigger remote code execution and spread the WannaCry ransomware. Now, security research firm F-Secure reports that threat actors are using this exploit to infect unpatched devices in Asia with NRSMiner. While several countries including Japan, China and Taiwan have all been targeted, the bulk of attacks — around 54 percent — have occurred in Vietnam.

According to F-Secure, the newest version of NRSMiner has the capability to leverage both existing infections to update its code on host machines and intranet-connected systems to spread infections to machines that haven’t been patched with Microsoft security update MS17-010.

Eternal Issues Facing Security Professionals

In addition to its crypto-mining activities, the latest version of NRSMiner is also capable of downloading new versions of itself and deleting old files and services to cover its tracks. Using the WUDHostUpgrade[xx].exe module, NRSMiner actively searchers for potential targets to infect. If it detects the current NRSMiner version, WUDHostUpgrade deletes itself. If it finds a potential host, the malware deletes multiple system files, extracts its own versions and then installs a service named snmpstorsrv.

Although this crypto-mining malware is currently confined to Asia, its recent uptick serves as a warning to businesses worldwide that haven’t patched their EternalBlue vulnerabilities. While WannaCry infections have largely evaporated, the EternalBlue exploit/DoublePulsar backdoor combination remains an extremely effective way to deploy advanced persistent threats (APTs).

How to Curtail Crypto-Mining Malware Threats

Avoiding NRSMiner starts with security patching: Enterprises must ensure their systems are updated with MS17-010. While this won’t eliminate pre-existing malware infections, it will ensure no new EternalBlue exploits can occur. As noted by security experts, meanwhile, a combination of proactive and continual network monitoring can help identify both emerging threats and infections already present on enterprise systems. Organizations should also develop a comprehensive security framework that includes two-factor authentication (2FA), identity and access management (IAM), web application firewalls and reliable patch management.

EternalBlue exploits continue to cause problems for unpatched systems. Avoid NRSMiner and other crypto-mining malware threats by closing critical gaps, implementing improved monitoring strategies and developing advanced security frameworks.

 |  |  |  |  |  |  |  |  |  |  |  |  | 
Douglas Bonderud
Freelance Writer

More from

March 18, 2025

Bypassing Windows Defender Application Control with Loki C2

10 min read - Windows Defender Application Control (WDAC) is a security solution that restricts execution to trusted software. Since it is classified as a security boundary, Microsoft offers bug bounty payouts for qualifying bypasses, making it an active and competitive field of research.Typical outcomes of a WDAC bypass bug bounty submission:Bypass is fixed; possible bounty awardedBypass is not fixed but instead "mitigated" by being added to the WDAC recommended block list. Likely no bounty awarded but honorable mention is typically givenBypass is not…

March 4, 2025

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

February 21, 2025

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature