Sunday, May 18, 2025
HomeCryptocurrency hackHackers using ETERNALBLUE Exploit in Cryptocurrency Mining Malware to Mine Monero...

Hackers using ETERNALBLUE Exploit in Cryptocurrency Mining Malware to Mine Monero using Vulnerable Windows Machines

Published on

SIEM as a Service

Follow Us on Google News

Dubbed Cryptocurrency mining malware PyRoMine using  ETERNALBLUE exploit to hack vulnerable windows based computer to mine Monero cryptocurrency.

ETERNALBLUE is a Remote Code Execution (RCE) exploit that used by shadow brokers who was tied with NSA to abuse the SMBv1 file sharing protocol.

Many of the organization has been used SMB Protocol on the internet during this attack that leveraged those exploits which resulting historical WannaCry and NotPetya ransomware attacks.

- Advertisement - Google News

PyRoMine Malware written in Python and it comes into stand-alone executables so that it cannot require Python on the targeted computer in order to execute the Python program.

This Malware started in April 2018 and cybercriminals are continuously improving the strength of the malware and this malware had already been paid approximately 2.4 Monero.

Also, PyRoMine Malware equipped to evade the security software and it enables the RDP services in victims machine to open for future attacks.

How Does PyRoMine Malware Mine Monero

Initially, PyRoMine Malware injected into victims computer via malicious URL ( hxxp://212.83.190.122/server/controller.zip) that dropped as a Zip file in the vicitms computer.

Inside of the Zip files contains the python installer that comes with stand-alone executable, once extract the main file, it contains a payload called “controller”

Further Analysis revealed that the Controller file code has been copied from the ETERNALROMANCE exploit.

Later this malware finds the local IP address to find the subnets of the local network to execute the payload.

According to Fortinet Analysis, While ETERNALROMANCE requires authentication, but even for a Guest account the exploit gives the attacker SYSTEM privileges. In the samples analyzed the exploit function is called with an “internal” type parameter.

This Malware login to the target machine using the hardcoded username “Default” and the password “P@ssw0rdf0rme” to execute the payload and also make it as a default credential for re-infection and future attacks.

Later Exploit payload download and execute the VBScript from specific crafted malicious URL that will be responsible for downloading and starting the miner files and setting up the system to Mine the Monero Cryptocurrency.

Finally it Setup a default account in local groups “Administrators,” “Remote Desktop Users,” and “Users.” and enable the RDP port 3389 to allow further traffic from the attacker to perform various malicious activities in future.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

VMware ESXi, Firefox, Red Hat Linux & SharePoint Hacked – Pwn2Own Day 2

Security researchers demonstrated their prowess on the second day of Pwn2Own Berlin 2025, discovering...

Critical WordPress Plugin Flaw Puts Over 10,000 Sites of Cyberattack

A serious security flaw affecting the Eventin plugin, a popular event management solution for...

Sophisticated NPM Attack Leverages Google Calendar2 for Advanced Communication

A startling discovery in the npm ecosystem has revealed a highly sophisticated malware campaign...

New Ransomware Attack Targets Elon Musk Supporters Using PowerShell to Deploy Payloads

A newly identified ransomware campaign has emerged, seemingly targeting supporters of Elon Musk through...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Printer Company Distributes Malicious Drivers Infected with XRed Malware

Procolored, a printer manufacturing company, has been found distributing software drivers infected with malicious...

Frigidstealer Malware Targets macOS Users to Harvest Login Credentials

An macOS users, a new information-stealing malware dubbed FrigidStealer has emerged as a formidable...

SSH Auth Key Reuse Uncovers Advanced Targeted Phishing Campaign

A meticulously orchestrated phishing campaign targeting Kuwait's fisheries, telecommunications, and insurance sectors has been...