This article originally appeared in Brilliance Security Magazine on April 25, 2018
Recently, FortiGuard Labs uncovered a new Python-based cryptocurrency mining malware that uses the ETERNALROMANCE exploit, which they have dubbed “PyRoMine.” First reported on the Fortinet Blog, the malware is particularly dangerous because, as the blog says, it “not only uses the machine for cryptocurrency mining, but it also opens the machine for possible future attacks since it starts RDP services and disables security services.” The post goes on: “PyRoMine is not the first cryptominer that uses previously leaked NSA exploits to help them spread. Those Windows machines that have not installed the patch from Microsoft remain vulnerable to this attack and similar attacks.”
Alex Calic, Chief Strategy and Revenue Officer of The Media Trust, explains, “Cryptomining is a profitable business, and its perpetrators are accelerating in numbers and innovation thanks to a growing number of weaponized exploits in their arsenals. What makes this incident unique and alarming are (1) the exploit’s ability to spread fast around the world, (2) the malware’s ability to disable a machine’s security features for future attacks, and (3) the malware authors’ intent to test a campaign before a multi-phased, full-scale launch. Such a campaign will pave the way for harvesting CPU power and personal data from millions of Windows users. Now is the time for enterprise IT to fortify their defenses by identifying who is executing on their sites and flagging suspect executables that indicate unauthorized activity may be afoot. Otherwise, enterprises may find themselves running afoul of GDPR, a European privacy protection regulation that goes into force on May 25th and is poised to fine infringing parties up to four percent of their annual global revenue.”
Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, said, “EternalRomance and EternalBlue are only made eternal by our inaction. A patch to close the vulnerabilities that these exploits use has been available since before the WannaCry era. As lots of malware, including cryptominers, jumped on the scene to use EternalBlue and infect as many computers as possible, several of these malware, like Adylkuzz, were actually closing the door behind them for any future infection by closing the SMBv1 port. I would not be surprised if this strain doesn’t find a substantial number of victims. The real danger, of course, is the installation of a backdoor via RDP. Once the threat actor distributing this Monero miner has a foothold in a big enough organization, ransomware may be back on the menu.”
Users should apply the patch Microsoft released for CVE-2017-0144 and CVE-2017-0145.
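Beyond patching, the conditions the article describes (an exposed SMBv1 service, RDP switched on, security services stopped) can be checked host by host. The following read-only posture check is an added example, not code from the article or from FortiGuard; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where Get-SmbServerConfiguration is available.

```powershell
# Added example: report the host conditions the article associates with
# EternalBlue/EternalRomance exposure and with PyRoMine's post-infection changes.
# Assumes an elevated session on Windows 8 / Server 2012 or later.
$findings = @()

# 1. SMBv1 server protocol: both exploits target the SMBv1 server, so disabling
#    it removes the attack surface even before the MS17-010 patch is confirmed.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled; disable it with ' +
                 'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}

# 2. Remote Desktop: the article notes the miner starts RDP to keep a foothold.
#    fDenyTSConnections = 0 means RDP connections are allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
$rdpSvc = Get-Service -Name TermService -ErrorAction SilentlyContinue
if (($ts -and $ts.fDenyTSConnections -eq 0) -or ($rdpSvc -and $rdpSvc.Status -eq 'Running')) {
    $findings += "Remote Desktop is enabled (fDenyTSConnections=$($ts.fDenyTSConnections), " +
                 "TermService=$($rdpSvc.Status)); confirm this is intended on this host."
}

# 3. Security services: the article says the malware disables them. Windows
#    Defender's service name is WinDefend; adapt this check for other products.
$def = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($null -eq $def -or $def.Status -ne 'Running') {
    $findings += 'Windows Defender service (WinDefend) is not running.'
}

# Patch status is deliberately not checked here: the article gives the CVEs
# (CVE-2017-0144, CVE-2017-0145), but the KB that fixes them differs per OS build.
if ($findings.Count -eq 0) {
    Write-Output 'No findings: SMBv1 disabled, RDP off, Defender running.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from an endpoint management tool or a remoting session to build an inventory of hosts that still expose SMBv1 or have had RDP and Defender state changed unexpectedly.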