A newly discovered cryptomining threat targeting web servers, network drives, and removable drives comes filled to the brim with exploits and precautions against analysis tools and environments.
The end goal is to turn compromised machines into Monero mining rigs. To get there the malware pulls out of it bag several interesting tricks aimed at successfully infecting the target and to avoid analysis.
Big bag of tricks
Security researchers found exploits for different vulnerabilities. One of them is NSA's EternalBlue, three are for multiple ThinkPHP versions; another three are for getting remote code execution via CVE-2014-6287 (affects Rejetto HFS), CVE-2017-12615 (affects Apache Tomcat), and CVE-2017-8464 (affects Windows Shell), research from Trend Micro reports.
By using multiple exploits aimed at web servers, the malware increases its success rate for infecting a machine.
To evade the scrutiny of malware researchers, once BlackSquid gains access to a server it checks for signs of an analysis environment, such as a virtual machine, sandbox, or a debugger.