According to the report from EDR Security, WMIXML mining malware have been detected in the intranet of an enterprise. The malware is hosted in the svchost.exe, which is system process in windows operation system and therefore hard to kill. Such virus is first spotted in China but it points to the most favorite cryptocurrency in botnet: Monero or XMR.

Unlike conventional mining viruses, the mining function of wmixml exists as a encrypted file rather than a regular stand-alone exe. On the infected host, there will be a virus dll loaded. After being loaded by the system process svchost.exe, it will read the encrypted file and decrypt it in memory, and then inject the mining program into another system process svchost.exe. Since the decryption action occurred in memory, a large number of antivirus engines have been bypassed.

Virus name: wmixml
Virus nature: New Type of Mining Virus
Scope of impact: The first case in the country has been discovered
Hazard rating: 2
Killing difficulty: extremely difficult

In another blog that seeks help to kill the virus, the author gave more detail regarding the wmixml:

“url”: “91.121.2.76:80”,
// URL of mining server pool.minexmr.com
“user”: “465Qh6sTNHzf5Tmn2NHTUrJau7QYxTRPr7qwAH3va68pYNXPyqT23oAAQWdvKBEr8wCVEZWHo8ce5e1yGLNfJ3sZHSVskP9.rg299”

EDR Security has released a detailed article explaining the injection process and some suggestions:

1) Isolate the infected host: The infected server should be isolated as soon as possible, shut down all network connections, disable the network adapter;
2) Confirm the number of infections: Scant the entire network to identify lurking infections.
3) Killing the virus. Botnet virus killing is recommended.
4) Patching vulnerabilities: If the intranet uses JBoss, please confirm the version and fix the related vulnerabilities.
5) Change Password: Weak password of host account is recommended to be changed into a strong one.