
PyRoMine Utilizes EternalBlue Exploit, Disables Security Features

Cryptomining malware has dethroned ransomware as the number one cyber threat, and it is evolving rapidly. The latest example is a Python-based Monero miner that uses stolen NSA exploits and disables security features, discovered by security researchers.

Related Story: Q1 2018 Malware Report: Ransomware Dethroned by Cryptominers

“In 2016, a group calling themselves the Shadow Brokers leaked a number of hacking tools and zero-day exploits attributed to the threat actors known as the Equation Group, a group which has been tied to the National Security Agency’s (NSA) Tailored Access Operations unit,” Fortinet researchers said. Later, in April 2017, the hackers released several weaponized exploits, including ETERNALBLUE and ETERNALROMANCE.

The two exploits targeted Windows XP/Vista/8.1/7/10 and Windows Server 2003/2008/2012/2016. More specifically, they take advantage of CVE-2017-0144 and CVE-2017-0145, which Microsoft patched with the MS17-010 security bulletin.

Researchers found that the ETERNALBLUE exploit is now being used by cryptomining malware such as Adylkuzz, Smominru and WannaMine. The new piece of cryptomining malware was dubbed PyRoMine. Researchers came across it after landing on a suspicious URL that led to a zip file containing an executable packaged with PyInstaller.

This is how Jasper Manuel of Fortinet described discovering the new malware:

I originally came upon the malicious URL hxxp://212.83.190.122/server/controller.zip where this malware can be downloaded as a zip file. This file contains an executable file compiled with PyInstaller, which is a program that packages programs written in Python into stand-alone executables. This means that there is no need to install Python on the machine in order to execute the Python program.

In order to extract and analyze the Python script and the packages it uses, the researcher used pyi-archive_viewer, a tool that ships with PyInstaller. Using pyi-archive_viewer, he was able to extract the main file, named “controller.”
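To show what pyi-archive_viewer is walking when it lists a PyInstaller-built executable, here is a small stand-alone parser written for this article (it is not Fortinet's tooling or PyInstaller's own code) that locates the trailing cookie, reads the table of contents and decompresses one entry. The struct layouts are those of the PyInstaller 2.1+ CArchive format; the stub bytes, entry names and file contents in the sample are constructed for the demonstration.

```python
import struct
import zlib

# PyInstaller 2.1+ CArchive layout: a trailing cookie locates the table of
# contents (TOC); each TOC entry describes one embedded file.
MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"  # magic, pkg len, TOC offset, TOC len, pyver, pylib
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)
ENTRY_FMT = "!iIIIBc"  # entry len, offset, compressed len, raw len, flag, type
ENTRY_HDR = struct.calcsize(ENTRY_FMT)

def list_entries(data):
    """Return the TOC of a PyInstaller-built executable as a list of dicts."""
    cookie_pos = data.rfind(MAGIC)
    if cookie_pos < 0:
        raise ValueError("no PyInstaller cookie found")
    _, pkg_len, toc_pos, toc_len, _, _ = struct.unpack(COOKIE_FMT, data[cookie_pos:cookie_pos + COOKIE_SIZE])
    pkg_start = cookie_pos + COOKIE_SIZE - pkg_len  # pkg_len includes the cookie
    toc = data[pkg_start + toc_pos:pkg_start + toc_pos + toc_len]
    entries, off = [], 0
    while off < len(toc):
        entry_len, pos, clen, ulen, flag, code = struct.unpack(ENTRY_FMT, toc[off:off + ENTRY_HDR])
        name = toc[off + ENTRY_HDR:off + entry_len].rstrip(b"\0").decode()
        entries.append({"name": name, "type": code.decode(), "pos": pkg_start + pos,
                        "clen": clen, "ulen": ulen, "compressed": bool(flag)})
        off += entry_len
    return entries

def extract(data, entry):
    """Return the bytes of one TOC entry, e.g. the 's' (script) entry 'controller'."""
    blob = data[entry["pos"]:entry["pos"] + entry["clen"]]
    return zlib.decompress(blob) if entry["compressed"] else blob

def build_carchive(files, stub=b""):
    """Constructed test fixture: write a minimal CArchive in the same layout."""
    body, toc = b"", b""
    for name, code, payload in files:
        comp = zlib.compress(payload)
        raw = ENTRY_HDR + len(name) + 1
        entry_len = raw + (-raw % 16)  # entries are NUL-padded to 16 bytes
        toc += struct.pack(ENTRY_FMT, entry_len, len(body), len(comp), len(payload), 1, code)
        toc += name.ljust(entry_len - ENTRY_HDR, b"\0")
        body += comp
    pkg_len = len(body) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(body), len(toc), 27, b"python27.dll")
    return stub + body + toc + cookie

# Constructed sample: fake bootloader stub, then a script entry and a module entry.
SAMPLE = build_carchive([(b"controller", b"s", b"print('hello')\n"),
                         (b"helper", b"m", b"X = 1\n")], stub=b"MZ" + b"\0" * 64)
```

Older PyInstaller 2.0 builds use a shorter 24-byte cookie without the library name, which this parser does not handle. A real sample also typically carries a 'z' entry, a nested PYZ archive of compiled modules that needs its own separate parse.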

PyRoMine is not the first cryptominer to use previously leaked NSA exploits to aid its spread across computers. Any Windows system that has not applied Microsoft’s patch for the exploited vulnerabilities is vulnerable to PyRoMine and similar malware.

This malware is a real threat, the researcher noted: it not only uses the machine for cryptocurrency mining, but also opens it up to possible future attacks, since it starts RDP services and disables security services. Users who haven’t applied Microsoft’s patch for the CVE-2017-0144 and CVE-2017-0145 vulnerabilities should do so as soon as possible.

Related Story: The EternalBlue Exploit Deployed to Deliver Backdoor.Nitol, Gh0st RAT

In addition, users should deploy anti-malware software to protect their systems against all forms of malware.


Milena Dimitrova
