The IT security researchers at Fortinet have discovered a dangerous new malware that not only mines Monero cryptocurrency but also disables security features on the targeted Windows system, all while using exploits attributed to the NSA (National Security Agency).
EternalBlue and EternalRomance exploits?
For those not aware of these exploits: in 2016-17, a group of hackers going by the online handle of Shadow Brokers leaked a number of zero-day exploits and hacking tools associated with the Equation Group, a group linked to the NSA’s Tailored Access Operations unit. One of the leaked folders contained the EternalBlue and EternalRomance exploits; both were later used in the WannaCry and BadRabbit ransomware attacks.
In this case, the malware uses the EternalBlue exploit like its predecessors Adylkuzz, fileless malware WannaMine, Zealot, and Smominru.
As for the latest findings from Fortinet, the malware has been dubbed “PyRoMine” and is considered dangerous because it can disable security features on the system, removing the obstacles in its way so that it can spread without the victim’s knowledge.
Worse, PyRoMine also enables Remote Desktop Protocol (RDP) on the system, opening the targeted device to further attacks.
How PyRoMine spreads itself
The researchers came across the malware by following a malicious URL that served an executable .ZIP file containing PyInstaller, a program that freezes (packages) Python programs into stand-alone executables. This means the attackers do not need Python installed on the target to run the program.
The NSA’s EternalBlue exploit makes PyRoMine’s job easy: it gives the malware system privileges, which let the attackers take full control of the machine and mine Monero cryptocurrency with the device’s computing power without raising suspicion, until the user notices a surge in CPU usage.
It must be noted that Monero mining starts when PyRoMine malware downloads a malicious VBScript.
“The malicious VBS file sets up a Default account with password “P@ssw0rdf0rme” and adds this account to the local groups “Administrators,” “Remote Desktop Users,” and “Users.” It then enables RDP and adds a firewall rule to allow traffic on RDP port 3389,” wrote Jasper Manuel of Fortinet.
“It also stops the Windows Update Service and starts the Remote Access Connection Manager service. It then configures the Windows Remote Management Service to enable basic authentication and to allow the transfer of unencrypted data. This also opens the machine for possible future attacks.”
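The quoted description lists concrete, checkable changes: a “Default” local account placed in three groups, RDP switched on, an inbound firewall rule for port 3389, Windows Update stopped, Remote Access Connection Manager started, and WinRM set to accept Basic authentication over unencrypted transport. The following audit script is an added example written for this article and is not Fortinet’s code or part of the malware analysis; it reads those settings on a Windows host and reports anything matching the description without changing anything. It assumes PowerShell 5.1 or later running elevated; the account name, port and service names come from the article, and the registry and WSMan paths are the standard Windows locations for these settings.

```powershell
# Added example (not from the article or from Fortinet): read-only audit for the
# configuration changes the article attributes to PyRoMine's VBScript.
# Run in an elevated PowerShell 5.1+ session. Nothing is modified.

$findings = @()

# 1. A local account named "Default" in Administrators / Remote Desktop Users / Users
#    (the group names and account name are taken from the article).
foreach ($group in 'Administrators', 'Remote Desktop Users', 'Users') {
    try {
        foreach ($m in (Get-LocalGroupMember -Group $group -ErrorAction Stop)) {
            if ($m.Name -match '\\Default$') {
                $findings += "Account '$($m.Name)' is a member of local group '$group'"
            }
        }
    } catch {
        $findings += "Could not enumerate group '$group': $($_.Exception.Message)"
    }
}

# 2. RDP enabled: fDenyTSConnections = 0 means incoming connections are allowed.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += 'Remote Desktop connections are enabled (fDenyTSConnections = 0)'
}

# 3. Enabled inbound allow rules for TCP 3389. Port filters whose LocalPort is exactly
#    '3389' are matched; rules written as ranges ('3000-4000') are not, so review those by hand.
$rdpRules = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -eq 'TCP' -and (@($_.LocalPort) -contains '3389') } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
foreach ($r in $rdpRules) {
    $findings += "Enabled inbound allow rule for TCP 3389: '$($r.DisplayName)' (profile: $($r.Profile))"
}

# 4. Service state. A stopped Windows Update service is common on an idle machine
#    (it is trigger-started), so a Disabled start type is the stronger signal.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($wu -and ($wu.StartType -eq 'Disabled' -or $wu.Status -eq 'Stopped')) {
    $findings += "Windows Update service (wuauserv) is $($wu.Status), start type $($wu.StartType)"
}
$ras = Get-Service -Name RasMan -ErrorAction SilentlyContinue
if ($ras -and $ras.Status -eq 'Running') {
    $findings += 'Remote Access Connection Manager (RasMan) is running'
}

# 5. WinRM service accepting Basic auth and unencrypted traffic. The WSMan: drive is only
#    available while the WinRM service is running, so check that first.
$winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
if ($winrm -and $winrm.Status -eq 'Running') {
    $basic = (Get-Item -Path 'WSMan:\localhost\Service\Auth\Basic' -ErrorAction SilentlyContinue).Value
    $unenc = (Get-Item -Path 'WSMan:\localhost\Service\AllowUnencrypted' -ErrorAction SilentlyContinue).Value
    if ($basic -eq 'true') { $findings += 'WinRM service accepts Basic authentication' }
    if ($unenc -eq 'true') { $findings += 'WinRM service allows unencrypted traffic' }
}

# Report. Each finding is a deviation to compare against the host's known baseline,
# not proof of infection on its own; the combination is what matches the description.
if ($findings.Count -eq 0) {
    Write-Output 'No PyRoMine-style configuration changes found.'
} else {
    Write-Output 'Findings (review each against your baseline):'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Any one of these settings can be legitimate on a given host (an administrator may have enabled RDP deliberately, for example), which is why the script reports rather than remediates; the value of the check is in seeing several of them appear together on a machine where they were not expected. The Basic-authentication and AllowUnencrypted settings in particular are worth alerting on in any environment, since they expose WinRM credentials and session content on the wire regardless of who set them.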
PyRoMine doing the profitable job for attackers
As of now, according to Fortinet researchers, the attackers’ Monero address shows that the malware has done a reasonable job for them, earning 2.4 Monero coins, which at the time of publishing this article was worth $630.
However, researchers believe that this is just one address and that there may be many others, so it is unclear how much more money the attackers have made so far.
How to detect PyRoMine and avoid its installation
If you are a Windows user, you are advised to install the security patch issued by Microsoft that addresses the vulnerability targeted by the NSA’s EternalBlue exploit. Fortinet not only detects the PyRoMine malware; its web filter service also blocks the malicious URL the attackers use to spread the infection.
Additionally, keep your system updated, use an anti-virus program and run a scan on a daily basis. Stay safe online.