Revamped cryptominer strikes Asia through EternalBlue exploit
The latest version of NRSMiner has been spotted in recent attacks across Asia, compromising systems that have not been patched against the well-known EternalBlue exploit.
According to cybersecurity researchers from F-Secure, unpatched machines in Asia — centered in Vietnam — are being infected with the latest version of NRSMiner, malware designed to steal computing resources in order to mine for cryptocurrency.
Starting mid-November last year, the latest wave of attacks is also actively spreading across countries including China, Japan, and Ecuador.
The new version of the malware relies on the EternalBlue exploit to spread through local networks.
EternalBlue is an SMBv1 (Server Message Block 1.0) exploit which is able to trigger remote code execution (RCE) attacks via vulnerable Windows Server Message Block (SMB) file-sharing services. The security flaw responsible for the attack, CVE-2017-0144, was patched by Microsoft in March 2017 and yet many systems have still not been updated and remain vulnerable to attack.
It was over a year ago that EternalBlue first hit the headlines as the world was gripped by the spread of WannaCry, a form of ransomware which struck organizations worldwide including the UK’s National Health Service (NHS), FedEx, Renault, and global banks. WannaCry, linked to North Korean hackers and the Lazarus group, used EternalBlue as an infection vector in order to spread.
Following the compromise of hundreds of thousands of PCs during the WannaCry outbreak, attackers then leveraged the same flaw to spread another form of ransomware known as Petya.
EternalBlue is believed to have originally been the work of the Equation Group, linked to the US National Security Agency (NSA); examination of the tool became possible once it was published online as part of a cache released by the Shadow Brokers hacking group.
NRSMiner makes use of the XMRig Monero miner to hijack an infected system’s CPU to mine for the Monero (XMR) cryptocurrency. NRSMiner is also able to download update modules, refresh older versions of the malware present on a machine, and delete files and services installed by previous installs.
The latest variant of NRSMiner infects new machines either through old versions of the same malware, by forcing a download of an updater module into the system's /temp folder, or by relying on EternalBlue.
The exploit is spread through Wininit.exe, which upon execution will decompress files including one named svchost.exe, otherwise known as EternalBlue 2.2.0. Wininit.exe will then scan TCP port 445 for any other available — and potentially vulnerable — systems before executing the exploit.
If successful, the DoublePulsar backdoor is then executed via a file called spoolsv.exe. DoublePulsar, a kernel payload, hooks x86 and 64-bit systems and makes use of ports to open up infected machines to additional malware payloads, as well as forge a path to a command-and-control (C&C) server for the purposes of information theft and the execution of commands by C&C operators.
This backdoor is used in this scenario to both maintain persistence on an infected machine and to implement the Snmpstorsrv service, which is able to continually scan for new, vulnerable systems.
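The lateral spread described above (an internal host probing many peers on TCP port 445 within seconds before exploiting them) leaves a signature in network flow logs. The following is an added detection example, not code from F-Secure's report or the malware; the flow-record format ("timestamp src dst dport") and the sample records are constructed, and the threshold is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: one scanning host (10.0.5.17) fanning out
# to ten peers on 445/tcp in a few seconds, plus benign SMB and HTTPS traffic.
SAMPLE_FLOWS = """\
2018-11-20T09:00:01 10.0.5.17 10.0.5.20 445
2018-11-20T09:00:02 10.0.5.17 10.0.5.21 445
2018-11-20T09:00:02 10.0.5.17 10.0.5.22 445
2018-11-20T09:00:03 10.0.5.17 10.0.5.23 445
2018-11-20T09:00:03 10.0.5.17 10.0.5.24 445
2018-11-20T09:00:04 10.0.5.17 10.0.5.25 445
2018-11-20T09:00:05 10.0.5.17 10.0.5.26 445
2018-11-20T09:00:05 10.0.5.17 10.0.5.27 445
2018-11-20T09:00:06 10.0.5.17 10.0.5.28 445
2018-11-20T09:00:06 10.0.5.17 10.0.5.29 445
2018-11-20T09:01:10 10.0.5.40 10.0.5.2 445
2018-11-20T09:01:11 10.0.5.40 10.0.5.2 445
2018-11-20T09:02:30 10.0.5.41 10.0.5.3 443
2018-11-20T10:15:00 10.0.5.42 10.0.5.50 445
2018-11-20T10:45:00 10.0.5.42 10.0.5.51 445
"""

def parse_flow(line):
    """Split one constructed flow record into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_smb_scanners(text, threshold=8, window=timedelta(seconds=60)):
    """Return {src: peak number of distinct 445/tcp targets in any sliding
    `window`} for sources whose peak reaches `threshold` (assumed tuning)."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_flow(line)
        if dport == 445:                      # only SMB connection attempts
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            # distinct targets reached within `window` of this event
            targets = {d for t, d in events[i:] if t - start <= window}
            peak = max(peak, len(targets))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(find_smb_scanners(SAMPLE_FLOWS))  # {'10.0.5.17': 10}
```

Repeated connections to a single file server and slow, sparse SMB use are not flagged, which keeps normal Windows file sharing out of the alert while a worm-style sweep of a subnet stands out.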
This is not the only case of EternalBlue being used for the purpose of cryptojacking. Other campaigns include Wannamine, a cut-and-paste coding effort which has still been able to compromise machines worldwide, and RedisWannaMine, which targets Windows servers.
Indicators of compromise have been listed by F-Secure.