With the continuing popularity of cryptocurrencies, a Monero (XMR)-miner malware named PyRoMineIoT was recently discovered using remote code execution (RCE) exploit EternalRomance (detection name: TROJ_ETERNALROM.A) to infect and spread to vulnerable machines. Further, infected machines are used to search vulnerable Internet of Things (IoT) devices, and has been seen actively spreading across different countries since April with the most infections in Singapore, Taiwan, Australia, Cote d’ Ivore, and India.
The malware is Python-based and uses the EternalRomance exploit to target and spread to all Windows versions since Windows 2000, and was likely downloaded from malicious websites as a .zip file masquerading as security updates for browser platforms. While the vulnerability has since been patched in April 2017, PyRoMineIoT uses obfuscation as an evasion tactic. It is installed via PyInstaller as a stand-alone executable and searches for local IP addresses to find the local subnets to execute the payload when run. While it still needs authentication, system privileges are given even for Guest accounts, and if the user is not in “Anonymous” mode, the login bypasses the hardcoded access Default/P@ssw0rdf0rme or aa to execute the payload. If the sent credentials are unsuccessful, it leaves the username and password spaces blank and sets the machine up for reinfection or open for future attacks.
Once the implementation of EternalRomance is successful, an obfuscated VBScript is downloaded to place the XMRig miner in the system. It also adds the account to the local groups as an admin, enables remote desktop protocol, and adds a firewall rule to allow network contact on port 3389. The miner uses randomly generated names for these files, as well as stops/kills/disables all other processes, deletes services, and deletes other users and files. The script stops the Windows Update Service, removes older versions of the miner from the machine, begins the Remote Access Connection Manager and configures it for authentication, and sets up unencrypted data transfer. This primes the system for further possible commands used to attack or spread to other devices.
PyRoMineIoT’s infection process has a second component that steals user access in Chrome with a ChromePass tool, recovering user passwords through the browser. The second component allows the tool to save the credentials in XML format to upload to an account in DriveHQ’s cloud storage service, which has been disabled since discovery.
What makes this malware particularly dangerous is when analyzed, PyRoMineIoT scans for vulnerable IoT devices from Iran and Saudi Arabia and sends the IP information of scanned devices to the attacker’s server, likely in preparation for future attacks. While the distribution of the malware began on June 2018, records of the compromised systems show that the threat actors have not generated any revenue yet and could still be working on propagation.
As Monero is resistant to Application-Specific Integrated Circuit (ASIC) mining, its decentralization and privacy may pave the way for more mining rigs to be included as a malware payload. It is seen to be affecting more vulnerable machines and devices in the future; Monero features privacy technologies exclusive to the cryptocurrency, making it a popular choice for cryptocurrency miners and underground transactions. Users can secure their systems from these malware types by following some of these steps:
Trend Micro™ Smart Home Network™ customers are protected under these rules:
1133637 SMB Microsoft MS17-010 SMB Remote Code Execution -3
1133638 SMB Microsoft MS17-010 SMB Remote Code Execution -4
1133713 SMB MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption (CVE-2017-0146)
1133716 SMB Microsoft MS17-010 SMB Remote Code Execution -5
1133635 SMB Microsoft MS17-010 SMB Remote Code Execution -1
1133636 SMB Microsoft MS17-010 SMB Remote Code Execution -2
1133710 SMB Microsoft Windows SMB Server SMBv1 CVE-2017-0147 Information Disclosure
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.