HackRead
  • March 6th, 2021
PyRoMine malware disables security & mines Monero using NSA exploits

April 25th, 2018 | Waqas | Security, Malware

IT security researchers at Fortinet have discovered a dangerous new malware that not only mines Monero cryptocurrency but also disables security features on the targeted Windows system, all while spreading with exploits attributed to the NSA (National Security Agency).

EternalBlue and EternalRomance exploits?

For those not aware of these exploits: in 2016-17, a group of hackers going by the online handle Shadow Brokers leaked a number of zero-day exploits and hacking tools associated with the Equation Group, a group linked to the NSA's Tailored Access Operations unit. One of the leaked folders contained the EternalBlue and EternalRomance exploits; both were later used in the WannaCry and BadRabbit ransomware attacks.

In this case, the malware uses the EternalBlue exploit, just like its predecessors Adylkuzz, the fileless malware WannaMine, Zealot, and Smominru.

PyRoMine malware

In Fortinet's latest findings, the malware has been dubbed "PyRoMine" and is considered dangerous because it can disable security features on the system, bypass any hurdle, and spread itself without the victim's knowledge.

Worse, PyRoMine also enables Remote Desktop Protocol (RDP) on the system, opening the targeted device to further attacks.

How PyRoMine spreads itself

The researchers came across the malware via a malicious URL serving a .ZIP file that contained an executable built with PyInstaller, a program that freezes (packages) Python programs into stand-alone executables. This means attackers do not have to install Python on the target to execute the program.

To make things easy for PyRoMine, the NSA's EternalBlue exploit lets it gain system privileges, giving the attackers full control of the machine. They then mine Monero cryptocurrency using the device's computing power without raising suspicion, at least until the user notices a surge in CPU usage.

It must be noted that Monero mining starts when PyRoMine malware downloads a malicious VBScript.

"The malicious VBS file sets up a Default account with password "P@ssw0rdf0rme" and adds this account to the local groups "Administrators," "Remote Desktop Users," and "Users." It then enables RDP and adds a firewall rule to allow traffic on RDP port 3389," wrote Jasper Manuel of Fortinet.

“It also stops the Windows Update Service and starts the Remote Access Connection Manager service. It then configures the Windows Remote Management Service to enable basic authentication and to allow the transfer of unencrypted data. This also opens the machine for possible future attacks.”

PyRoMine doing the profitable job for attackers

As of now, according to Fortinet researchers, a look at the attackers' Monero address shows the malware has done a reasonable job for them, having made 2.4 Monero coin, which at the time of publishing this article was worth $630.

[Image: PyRoMine malware disables security & mines Monero using NSA exploits. Image credit: Fortinet]

However, researchers believe that this is just one address and there can be many others, therefore, it is unclear how much more money the attackers have made so far.

How to detect PyRoMine and avoid its installation

If you are a Windows user, it is advised to install the security patch issued by Microsoft that addresses the vulnerability targeted by the NSA's EternalBlue exploit. Fortinet, for its part, not only detects PyRoMine malware but its web filter service also blocks the malicious URL used by attackers to spread the infection.

Additionally, keep your system updated, use an anti-virus program and run a scan on a daily basis. Stay safe online.
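The host changes Fortinet attributes to PyRoMine's VBScript (the "Default" account in the Administrators and Remote Desktop Users groups, RDP enabled with a firewall rule for port 3389, Windows Update stopped, Remote Access Connection Manager started, and WinRM set to basic authentication with unencrypted transfer allowed) are all locally auditable. The following script is an added example written for this article, not code from HackRead or Fortinet: it checks each of those indicators on a Windows host and returns the ones that fired. It assumes the dropped account is literally named "Default" as in the quoted text, that it is run from an elevated PowerShell 5.1 or later session, and that the LocalAccounts, NetSecurity and WSMan providers are present on the host.

```powershell
# Added example (not HackRead's or Fortinet's code): audit a Windows host for the
# configuration changes the article attributes to PyRoMine's VBScript.
# Assumptions: account name "Default" (from the quoted text); elevated PowerShell 5.1+;
# LocalAccounts, NetSecurity and WSMan providers available.

function Test-PyRoMineIndicators {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [bool]$Suspicious, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Suspicious = $Suspicious; Detail = $Detail })
    }

    # 1. A local account named "Default" placed in the groups the VBS adds it to.
    $default = Get-LocalUser -Name 'Default' -ErrorAction SilentlyContinue
    if ($default) {
        foreach ($group in 'Administrators', 'Remote Desktop Users', 'Users') {
            $members = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue)
            $inGroup = [bool]($members | Where-Object { $_.Name -like '*\Default' })
            Add-Finding "Account 'Default' is a member of '$group'" $inGroup "Enabled=$($default.Enabled)"
        }
    } else {
        Add-Finding "Local account 'Default' exists" $false 'not present'
    }

    # 2. RDP enabled: fDenyTSConnections = 0 means incoming Terminal Services connections are allowed.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
    Add-Finding 'RDP connections allowed (fDenyTSConnections = 0)' ($ts.fDenyTSConnections -eq 0) `
        "fDenyTSConnections=$($ts.fDenyTSConnections)"

    # 3. An enabled inbound allow rule whose local port includes 3389.
    $rdpRules = @(Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        Where-Object { @($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' })
    Add-Finding 'Enabled inbound firewall rule allowing port 3389' ($rdpRules.Count -gt 0) `
        (($rdpRules.DisplayName) -join '; ')

    # 4. Service state the VBS leaves behind: Windows Update stopped, RasMan running.
    $wu  = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $ras = Get-Service -Name RasMan   -ErrorAction SilentlyContinue
    Add-Finding 'Windows Update service stopped' ($wu.Status -eq 'Stopped') "wuauserv=$($wu.Status)"
    Add-Finding 'Remote Access Connection Manager running' ($ras.Status -eq 'Running') "RasMan=$($ras.Status)"

    # 5. WinRM weakened: basic authentication on and unencrypted transfer allowed.
    $basic = Get-Item -Path 'WSMan:\localhost\Service\Auth\Basic' -ErrorAction SilentlyContinue
    $unenc = Get-Item -Path 'WSMan:\localhost\Service\AllowUnencrypted' -ErrorAction SilentlyContinue
    Add-Finding 'WinRM basic authentication enabled' ($basic.Value -eq 'true') "Basic=$($basic.Value)"
    Add-Finding 'WinRM allows unencrypted traffic' ($unenc.Value -eq 'true') "AllowUnencrypted=$($unenc.Value)"

    return $findings
}

# Usage: show only the checks that fired. A single hit (for example RDP deliberately
# enabled by an administrator) is not proof; the combination of findings is the signal.
Test-PyRoMineIndicators | Where-Object Suspicious | Format-Table -AutoSize
```

Each check is deliberately independent so a partially cleaned host still surfaces what remains; the firewall check will also match Windows' own "Remote Desktop" rule once RDP is on, which is why the results should be read together rather than one at a time. If the account or the WinRM settings are found, the page's own advice applies: apply the Microsoft patch for the vulnerability EternalBlue targets, remove the account, and restore the services and WinRM settings before treating the host as clean.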

Image credit: Depositphotos

Waqas

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Related Posts
Microsoft, FireEye report 3 new malware linked to SolarWinds hackers

Microsoft, FireEye report 3 new malware linked to SolarWinds hackers

Threat actors hijacking Bitbucket and Docker Hub for Monero mining

Threat actors hijacking Bitbucket and Docker Hub for Monero mining

IT Security firm Qualys extorted by Clop gang after data breach

IT Security firm Qualys extorted by Clop gang after data breach

Newsletter

Get the best stories straight into your inbox!



Don’t worry, we don’t spam

Latest Posts
Microsoft, FireEye report 3 new malware linked to SolarWinds hackers
Cyber Attacks

Microsoft, FireEye report 3 new malware linked to SolarWinds hackers

Threat actors hijacking Bitbucket and Docker Hub for Monero mining
Security

Threat actors hijacking Bitbucket and Docker Hub for Monero mining

Top Russian hacker forums Maza, Verified hacked; data leaked online
Hacking News

Top Russian hacker forums Maza, Verified hacked; data leaked online

HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.

Follow us