BlackSquid malware wants to wrap its tentacles around web servers and drives

News by Bradley Barth

The malware has been observed dropping XMRig cryptominer programs, but attackers could easily use it to deliver other nasty payloads to infected devices

Researchers have discovered a new malware family that uses a set of eight exploits to compromise web servers, network drives and removable drives.

Dubbed BlackSquid, the malware has been observed dropping XMRig cryptominer programs, but attackers could easily use it to deliver other nasty payloads to infected devices, as well as obtain unauthorised access, escalate privileges, steal information, incapacitate hardware and software systems, and more, according to a blog post by Trend Micro.

"Our telemetry observed the greatest number of attack attempts using BlackSquid in Thailand and the US during the last week of May," warns blog post author Johnlery Triunfante.

BlackSquid’s arsenal of tools includes the EternalBlue Windows SMB protocol exploit, the DoublePulsar backdoor implant, three ThinkPHP exploits, the Rejetto HTTP File Server flaw CVE-2014-6287, Apache Tomcat vulnerability CVE-2017-12615, and Windows bug CVE-2017-8464. In addition to leveraging the exploits, the malware can carry out brute-force attacks as well.

All of the exploits have had patches available for years, so users can easily protect themselves by downloading long-overdue security updates.

"BlackSquid can infect a system from three initial entry points, via an infected webpage visited because of infected known servers, via exploits as main initial entry point for infecting web servers, or via removable or network drives," the blog post continues. However, it will cancel infection as a matter of self-preservation if it detects signs of a sandbox environment or other undesirable elements.

EternalBlue and DoublePulsar, both National Security Agency-connected tools that were leaked by the mysterious Shadow Brokers hacking group in 2017, are used by BlackSquid to propagate across a network following initial infection, Trend Micro explains. The malware uses CVE-2017-8464 to execute copies of itself that it drops into network and removable drives, and it leverages the other exploits to attack web servers in a variety of ways.

Trend Micro says BlackSquid downloads and executes either one or two 64-bit XMRig components that mine Monero cryptocurrency. The first component is downloaded into the malware's resource and acts as the primary miner; the malware also checks for Nvidia and AMD video cards using Windows Management Instrumentation Query Language (WQL). If it finds a video card, it then downloads a second miner onto the system in order "to mine for graphics processing unit (GPU) resource."

"Given its evasion techniques and the attacks it is capable of, BlackSquid is a sophisticated piece of malware that may cause significant damage to the systems it infects," concludes Triunfante. However, Trend Micro did notice some erroneous code and intentionally skipped routines, which suggests that the malware’s developers "are likely in the development and testing stages; they may be studying how they can best profit from the attacks by having two components for mining regardless of the systems’ installed GPU resources. Further, they may still be trying to determine specific targets without putting up much capital."

This article was originally published on SC Media US.
