Wednesday, June 19, 2024

Hackers using ETERNALBLUE Exploit in Cryptocurrency Mining Malware to Mine Monero using Vulnerable Windows Machines

Dubbed Cryptocurrency mining malware PyRoMine using  ETERNALBLUE exploit to hack vulnerable windows based computer to mine Monero cryptocurrency.

ETERNALBLUE is a Remote Code Execution (RCE) exploit that used by shadow brokers who was tied with NSA to abuse the SMBv1 file sharing protocol.

Many of the organization has been used SMB Protocol on the internet during this attack that leveraged those exploits which resulting historical WannaCry and NotPetya ransomware attacks.

PyRoMine Malware written in Python and it comes into stand-alone executables so that it cannot require Python on the targeted computer in order to execute the Python program.

This Malware started in April 2018 and cybercriminals are continuously improving the strength of the malware and this malware had already been paid approximately 2.4 Monero.

Also, PyRoMine Malware equipped to evade the security software and it enables the RDP services in victims machine to open for future attacks.

How Does PyRoMine Malware Mine Monero

Initially, PyRoMine Malware injected into victims computer via malicious URL ( hxxp://212.83.190.122/server/controller.zip) that dropped as a Zip file in the vicitms computer.

Inside of the Zip files contains the python installer that comes with stand-alone executable, once extract the main file, it contains a payload called “controller”

Further Analysis revealed that the Controller file code has been copied from the ETERNALROMANCE exploit.

Later this malware finds the local IP address to find the subnets of the local network to execute the payload.

According to Fortinet Analysis, While ETERNALROMANCE requires authentication, but even for a Guest account the exploit gives the attacker SYSTEM privileges. In the samples analyzed the exploit function is called with an “internal” type parameter.

This Malware login to the target machine using the hardcoded username “Default” and the password “P@ssw0rdf0rme” to execute the payload and also make it as a default credential for re-infection and future attacks.

Later Exploit payload download and execute the VBScript from specific crafted malicious URL that will be responsible for downloading and starting the miner files and setting up the system to Mine the Monero Cryptocurrency.

Finally it Setup a default account in local groups “Administrators,” “Remote Desktop Users,” and “Users.” and enable the RDP port 3389 to allow further traffic from the attacker to perform various malicious activities in future.

Website

Latest articles

Singapore Police Arrested Two Individuals Involved in Hacking Android Devices

The Singapore Police Force (SPF) has arrested two men, aged 26 and 47, for...

CISA Conducts First-Ever Tabletop Exercise Focused on AI Cyber Incident Response

On June 13, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) made history by...

Europol Taken Down 13 Websites Linked to Terrorist Operations

Europol and law enforcement agencies from ten countries have taken down 13 websites linked...

New ARM ‘TIKTAG’ Attack Impacts Google Chrome, Linux Systems

Memory corruption lets attackers hijack control flow, execute code, elevate privileges, and leak data.ARM's...

Operation Celestial Force Employing Android And Windows Malware To Attack Indian Users

A Pakistani threat actor group, Cosmic Leopard, has been conducting a multi-year cyber espionage...

Hunt3r Kill3rs Group claims they Infiltrated Schneider Electric Systems in Germany

The notorious cybercriminal group Hunt3r Kill3rs has claimed responsibility for infiltrating Schneider Electric's systems...

Hackers Employing New Techniques To Attack Docker API

Attackers behind Spinning YARN launched a new cryptojacking campaign targeting publicly exposed Docker Engine...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles