Two features in particular make this malware, known as Coinminer, "extremely stealthy and persistent", according to malware researchers at Trend Micro.
To infect Windows machines, it uses the so-called EternalBlue vulnerability, which WannaCry and NotPetya employed as a spreading mechanism. Microsoft released a patch for the flaw in March, but a spate of infections in Asia, mostly in Japan, suggests some systems have not been updated.
On machines vulnerable to this bug, the malware runs a backdoor that installs several Windows Management Instrumentation (WMI) scripts that run in memory, which makes them more difficult to detect.
IT admins can use WMI to run scripts that automate administrative tasks on remote computers and acquire management data from these computers and installed Windows applications.
However, in this case the cryptocurrency mining malware uses WMI for more nefarious purposes, including connecting to the attacker's command-and-control domains to download the mining software and malware.
WMI malware isn't new; it was used in the infamous Stuxnet malware. FireEye has also observed the advanced hacker group APT29 using WMI to create persistent, stealthy backdoors that are triggered automatically whenever the system starts up.
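The persistence mechanism described above (WMI scripts that run in memory and fire at startup) is built from three WMI objects: an event filter (a WQL query saying when to fire), an event consumer (what to run), and a binding that links them. The following PowerShell is an added defender-side example, not code from the article, Trend Micro or FireEye: it enumerates the permanent subscriptions in the `root\subscription` namespace, resolves each binding to its filter and consumer, and flags the two consumer classes that execute attacker-supplied commands or script. The function names, the `ComputerName` parameter and the known-benign allowlist (the `SCM Event Log Consumer` that ships with Windows) are assumptions of this example; it expects an elevated Windows PowerShell session.

```powershell
# Added defender-side example, not code from the article, Trend Micro or FireEye.
# Enumerates permanent WMI event subscriptions, the mechanism WMI-resident malware
# uses to run script from memory at startup, and flags consumers that execute code.
# Assumes an elevated Windows PowerShell 5.1 session; remote use needs WinRM.

function Get-WmiRefName {
    # A binding's Filter/Consumer property is either a reference string such as
    # '__EventFilter.Name="x"' or, with the CIM cmdlets, a CimInstance; handle both.
    param($Ref)
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $Ref
    }
    if ($null -ne $Ref -and $Ref.PSObject.Properties['Name']) { return $Ref.Name }
    return "$Ref"
}

function Get-WmiPersistence {
    [CmdletBinding()]
    param(
        # Hypothetical parameter name; defaults to the local machine.
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $cim = @{ Namespace = 'root\subscription'; ErrorAction = 'Stop' }
    if ($ComputerName -ne $env:COMPUTERNAME) { $cim.ComputerName = $ComputerName }

    # Filter = WHEN it fires (a WQL query); consumer = WHAT runs; binding = the link.
    $filters   = Get-CimInstance @cim -ClassName __EventFilter
    $consumers = Get-CimInstance @cim -ClassName __EventConsumer
    $bindings  = Get-CimInstance @cim -ClassName __FilterToConsumerBinding

    # Assumed allowlist: this consumer ships with Windows; anything else deserves a look.
    $knownBenign = @('SCM Event Log Consumer')

    foreach ($b in $bindings) {
        $fName = Get-WmiRefName $b.Filter
        $cName = Get-WmiRefName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        $type = if ($c) { $c.CimClass.CimClassName } else { 'UNRESOLVED' }

        # Only these two consumer classes run attacker-supplied commands or script.
        $payload = switch ($type) {
            'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { $null }
        }
        $suspicious = ($type -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') -and
                      ($cName -notin $knownBenign)

        [pscustomobject]@{
            Computer     = $ComputerName
            FilterName   = $fName
            Query        = if ($f) { $f.Query } else { 'UNRESOLVED' }
            ConsumerName = $cName
            ConsumerType = $type
            Payload      = $payload
            Suspicious   = $suspicious
        }
    }
}

function Get-WmiSubscriptionEvents {
    # Event 5861 in the WMI-Activity operational log records each new permanent
    # subscription (Windows 10 / Server 2016 and later); older hosts lack the log.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } }
}

# Usage: list every binding, then only the ones that execute code, then recent creations.
Get-WmiPersistence | Format-Table -AutoSize -Wrap
Get-WmiPersistence | Where-Object Suspicious | Format-List
Get-WmiSubscriptionEvents | Format-List
```

A binding whose filter query watches a startup-type event (for example a timer or a process-creation event) and whose consumer is a `CommandLineEventConsumer` or `ActiveScriptEventConsumer` with a script body is the pattern both the Coinminer backdoor and the APT29 backdoors rely on; because the script text lives in the WMI repository rather than on disk, this enumeration (or the 5861 event log entries) is where it becomes visible, and an unexpected binding is removed with `Remove-CimInstance` on the binding first, then its consumer and filter.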