NSA exploits used by worm-cryptominer combo to move laterally and attack systems

News by Rene Millman

Malware combines Python and PowerShell to create a cryptocurrency miner, which also has a worm-like component that helps it move laterally and infect victims

Security researchers have found and analysed a worm-cryptominer combo that uses a series of exploits to move laterally and compromise victims.

Researchers at Bitdefender said the malware combines Python and PowerShell to create a cryptocurrency miner, which also has a worm-like component that helps it move laterally and infect victims by using vulnerabilities such as the NSA-linked EternalBlue. On 27 May, researchers uncovered a complex malware ecosystem built to install Monero (XMR) miners on as many machines as possible.

The malware was traced back to a supply chain attack on DriveTheLife, a popular driver-downloading application. Last year, a supply chain attack targeted users of that app, a potentially unwanted application (PUA) that provides driver updates, as well as users of other similar apps that appear to run on the same infrastructure.

It was found that a component of DriveTheLife, which normally downloads and executes files from a legitimate domain, was being manipulated to download a malicious payload on the victim’s machine from a domain operated by attackers.

The malware also checks twice per second whether any process from a built-in list is running on the system. If one is, it kills the svhhost.exe process. The list contains mainly games such as League of Legends, Counter-Strike and Grand Theft Auto: Vice City, as well as the Windows Task Manager and the Steam game launcher. Researchers said this hints that the svhhost.exe process runs performance-intensive tasks that would be noticed while games are running.

The malware also features CPU and GPU mining components, and a private RSA key is used to sign C&C communications.

Researchers said that the malware spreads through two worm components, written in Python and PowerShell, which select targets according to the following rules: both worms try to infect the local networks the machine is connected to, and both infect all public IPs in the same /24 subnet as the computer (IPs identical up to the last dot). The PowerShell worm also tries to infect known DNS servers and machines the computer is already connected to, while the Python worm additionally tries to spread to many random public IPs.

"Apart from making web servers slightly more vulnerable to these attacks, none of these rules favour a specific region, country, organisation or sector. However, most of these targets will be in the same organisation or geographical region. It is also possible that a campaign to spread these files through another means, like the original supply chain attack, may, intentionally or not, favour some targets over others," researchers said.
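The propagation rules above translate directly into a detection heuristic for defenders: a single workstation fanning out over SMB (TCP/445, the service EternalBlue targets) to many peers in its own /24, to its DNS servers and to unrelated public addresses. The following is an added example, not code from the article or from Bitdefender's analysis; the flow-log format, the resolver list and the threshold are assumptions.

```python
"""Flag hosts whose outbound TCP/445 targets match the worm's propagation rules.

Added example (not from the article). Assumes a flow log of
"<src_ip> <dst_ip> <dst_port>" lines and a known set of DNS resolvers.
"""
import ipaddress
from collections import defaultdict

# Constructed sample flow log: one infected host (10.1.2.15), two benign ones.
SAMPLE_LOG = """\
10.1.2.15 10.1.2.1 445
10.1.2.15 10.1.2.2 445
10.1.2.15 10.1.2.3 445
10.1.2.15 10.1.2.4 445
10.1.2.15 10.1.2.5 445
10.1.2.15 10.1.2.6 445
10.1.2.15 8.8.8.8 445
10.1.2.15 203.0.113.77 445
10.1.2.15 198.51.100.9 445
10.1.2.40 10.1.2.50 445
10.1.2.40 10.1.2.51 139
10.1.2.99 203.0.113.5 443
"""

DNS_SERVERS = {"8.8.8.8"}  # assumed: the resolvers configured on this network

# Address ranges treated as internal; everything else counts as "public".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def analyse_smb_fanout(log_text, dns_servers, peer_threshold=5):
    """Return {src: finding} for sources whose TCP/445 destinations fit the worm's rules."""
    smb_targets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        if port == "445":
            smb_targets[src].add(dst)
    findings = {}
    for src, dsts in smb_targets.items():
        own_subnet = ipaddress.ip_network(f"{src}/24", strict=False)
        subnet_peers = {d for d in dsts if ipaddress.ip_address(d) in own_subnet}
        to_dns = dsts & dns_servers
        public = {d for d in dsts if not is_internal(d) and d not in dns_servers}
        # Any one of the three patterns is suspicious on a workstation; the
        # subnet sweep only counts once it exceeds the threshold.
        if len(subnet_peers) >= peer_threshold or to_dns or public:
            findings[src] = {"subnet_peers": len(subnet_peers),
                             "dns_servers": sorted(to_dns), "public_ips": sorted(public)}
    return findings
```

A host with only a few same-subnet SMB peers and no DNS or public-IP targets (10.1.2.40 in the sample) is not flagged, which keeps ordinary file-share traffic out of the alert.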

Paul Ducklin, senior technologist at Sophos, told SC Media UK that the fact that this malware backs off when you're gaming means that you're likely to notice it all the other times it's running, given how heavily a cryptominer needs to hammer your system if the crooks are to make any money from it.

"So you can always turn their greed against them by making a point of seeking out processes that are burning through more than their fair share of power. (Try Ctrl+Shift+Escape to load Task Manager on Windows, or the Mac's battery icon to look at the 'Using Significant Energy' item.) Even if you haven't been 'cryptojacked', there's no point in letting processes you don't really need push your computer into meltdown," he said.
