Cryptomining malware has dethroned ransomware as the number one cyber threat, and as such, it is evolving rapidly. That being said, a Python-based Monero miner using stolen NSA exploits and disabling security features has been discovered by security researchers.
“In 2016, a group calling themselves the Shadow Brokers leaked a number of hacking tools and zero-day exploits attributed to the threat actors known as the Equation Group, a group which has has been tied to the National Security Agency’s (NSA) Tailored Access Operations unit,” Fortinet researchers said. Later on in April 2017, the hackers released several weaponized exploits like ETERNALBLUE and ETERNALROMANCE.
The two exploits were aimed at Windows versions XP/Vista/8.1/7/10 and Windows Server 2003/2008/2012/2016. More specifically, these exploits took advantage of CVE-2017-0144 and CVE-2017-0145, patched with the MS17-010 security bulletin.
Apparently, the ETERNALBLUE exploit is now being utilized in cryptomining malware such as Adylkuzz, Smominru and WannaMine, researchers found out. The new piece of cryptomining malware was dubbed PyRoMine. Researchers came across the malware after landing on a suspicious URL that led to a zip file containing an executable with PyInstaller.
This is what Jasper Manuel from Fortinet shared in terms of discovering the new malware:
I originally came upon the malicious URL hxxp://188.8.131.52/server/controller.zip where this malware can be downloaded as a zip file. This file contains an executable file compiled with PyInstaller, which is a program that packages programs written in Python into stand-alone executables. This means that there is no need to install Python on the machine in order to execute the Python program.
In order to extract and analyze the Python script and the packages it uses, the researcher utilized a tool in PyInstaller dubbedpyi-archive_viewer. Using pyi-archive_viewer, he was able to extract the main file, named “controller.”
PyRoMine is not the first cryptominer that uses previously leaked NSA exploits to aid their further distribution across computers. Any Windows system that has not applied the Microsoft patch for the exploit is vulnerable to PyRoMine and similar malware pieces.
This malware is a real threat as it not only uses the machine for cryptocurrency mining, but it also opens the machine for possible future attacks since it starts RDP services and disables security services, the researcher noted. Users who haven’t downloaded Microsoft’s patch for the CVE-2017-0144 and CVE-2017-0145 vulnerabilities should do it as soon as possible from here.
In addition, users should deploy anti-malware software to protect their systems against all forms of malware.
SpyHunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter