Malware News This cryptocurrency mining malware also disables your security services

LASER_oneXM

Feb 4, 2016
A year on from the vulnerabilities being leaked, attackers are still using leaked NSA tools to power new attacks - this time with the newly uncovered PyRoMine.

A new form of cryptocurrency mining malware uses a leaked NSA exploit to spread itself to vulnerable Windows machines, while also disabling security software and leaving the infected computer open to future attacks.

The Python-based malicious Monero miner has been uncovered by researchers at security company Fortinet, who've dubbed it PyRoMine. It first appeared this month and spreads using EternalRomance, a leaked NSA exploit which takes advantage of what until a year ago had been an undisclosed SMB vulnerability to self-propagate through networks.

EternalRomance helped spread BadRabbit ransomware and is similar in many ways to EternalBlue, a second leaked NSA exploit which helped fuel WannaCry and NotPetya. Both exploits look for public-facing SMB ports, allowing them to deliver malware to networks.

Once the PyRoMine payload makes its way onto a machine, a malicious VBScript is downloaded which enables Remote Desktop Protocol (RDP) to enable propagation, with the aid of adding a firewall rule that allows traffic on RDP port 3389.

In addition to this, the malware also stops Windows Updates and allows the transfer of unencrypted data.

Disabling security software allows the attackers to potentially deliver additional malware, should they eventually pivot away from the cryptocurrency miner, which is downloaded following the manipulation of RDP. The miner is registered as a service named "SmbAgentService" by the file "svchost.exe."

Once running on a system, the malicious miner will use the power of the machine to mine for Monero - specifically selected because it can be mined by ordinary computers and provides additional privacy to users.
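The host-level changes described in the post (RDP switched on, an inbound firewall rule for TCP 3389, a service named "SmbAgentService", Windows Updates stopped) are all things a defender can audit directly. The script below is an added example written for this thread, not code from the article, from Fortinet, or from the malware itself. It assumes an elevated PowerShell session on Windows 8/Server 2012 or later (for the NetSecurity cmdlets); the service name and port come from the post, while the Windows Update service name (wuauserv) and the Terminal Server registry value are standard Windows identifiers.

```powershell
# Added example: audit a Windows host for the PyRoMine-style configuration changes
# described in the article. Run elevated. Reports findings; makes no changes.

$findings = @()

# 1. A service named SmbAgentService (the miner's service name per the article).
$svc = Get-Service -Name 'SmbAgentService' -ErrorAction SilentlyContinue
if ($svc) {
    $svcPath = (Get-CimInstance Win32_Service -Filter "Name='SmbAgentService'").PathName
    $findings += "Service SmbAgentService present (state: $($svc.Status), binary: $svcPath)"
}

# 2. RDP enabled. fDenyTSConnections = 0 means remote connections are allowed.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP connections are enabled (fDenyTSConnections = 0)'
}

# 3. Enabled inbound allow rules for TCP 3389 outside the built-in "Remote Desktop"
#    group. A rule added by a script will normally not belong to that group.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayGroup -ne 'Remote Desktop' } |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        ($pf.Protocol -eq 'TCP') -and (@($pf.LocalPort) -contains '3389')
    }
foreach ($r in $rdpRules) {
    $findings += "Non-default inbound allow rule for TCP 3389: '$($r.DisplayName)' ($($r.Name))"
}

# 4. Windows Update service stopped or disabled.
$wu = Get-Service -Name 'wuauserv' -ErrorAction SilentlyContinue
if ($wu -and (($wu.Status -ne 'Running') -or ($wu.StartType -eq 'Disabled'))) {
    $findings += "Windows Update service is $($wu.Status) (start type: $($wu.StartType))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No PyRoMine-style configuration changes found.'
} else {
    Write-Output 'Findings:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Any single finding can have a legitimate explanation (an administrator may well have enabled RDP), so treat the output as leads to correlate with the service binary's path and hash and with the host's patch level for the SMB vulnerabilities the article mentions, rather than as a verdict on its own.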