The IT security researchers at Fortinet have found a dangerous new malware that not only mines Monero cryptocurrency but also disables security features on the targeted Windows system, all while relying on exploits attributed to the NSA (National Security Agency).
EternalRomance & EternalBlue Exploits?
For those who are not aware of these exploits: in 2016-17, a group of hackers going by the online moniker Shadow Brokers leaked a number of zero-day exploits and hacking tools associated with the Equation Group, a group linked to the NSA’s Tailored Access Operations division. One of the leaked folders contained the EternalRomance and EternalBlue exploits; both were later used in the WannaCry and BadRabbit ransomware attacks.
In this instance, the malware uses the EternalBlue exploit like its predecessors Adylkuzz, the fileless malware WannaMine, Zealot, and Smominru.
The PyRoMine Malware
According to Fortinet’s latest findings, the malware has been named “PyRoMine” and is considered dangerous because it is able to disable security features on the infected system, bypassing obstacles and spreading itself without the victim’s knowledge.
It also enables Remote Desktop Protocol (RDP) on the system, opening the targeted device to further attacks.
The research team came across the malware by following a malicious URL that served a .ZIP file containing an executable built with PyInstaller, a program that freezes (i.e. packages) Python programs into stand-alone executables. This means attackers do not need Python installed on the victim’s machine to run the program.
To make things easier for PyRoMine, the NSA’s EternalBlue exploit lets it gain SYSTEM privileges, which give the attackers full control of the machine. They then mine Monero cryptocurrency using the device’s computing power without raising suspicion until the user notices surges in CPU usage.
It should be noted that Monero mining starts when PyRoMine malware downloads a malicious VBScript.
“The malicious VBS file then sets up a Default account with password “P@ssw0rdf0rme” and adds this account to the local groups “Administrators,” “Remote Desktop Users,” & “Users.” It then enables RDP and then adds a firewall rule to allow traffic on RDP port 3389,” wrote Fortinet.
“It also stops the Windows Update Service and then starts the Remote Access Connection Manager service. It then configures the Windows Remote Management Service to enable basic authentication as well as to allow the transfer of unencrypted data.”
PyRoMine: A Profitable Job For Attackers
According to Fortinet researchers, a look at the attackers’ Monero address shows that the malware has so far earned them 2.4 Monero, which at the time of publishing this article was worth $630.
How To Detect PyRoMine (And Avoid Its Installation)
If you are a Windows user, it is advised to install the security patch issued by Microsoft that addresses the vulnerability exploited by the NSA’s EternalBlue exploit. In addition, Fortinet states that it detects the PyRoMine malware and that its web filter service blocks the malicious URL used by the attackers to spread it.
In closing, we at CBNN advise you to keep your system updated, use an anti-virus program, and run a scan daily.