PyRoMineIoT Targets, Infects, and Spreads to Vulnerable IoT Devices

With the continuing popularity of cryptocurrencies, a Monero (XMR)-miner malware named PyRoMineIoT was recently discovered using remote code execution (RCE) exploit EternalRomance (detection name: TROJ_ETERNALROM.A)  to infect and spread to vulnerable machines. Further, infected machines are used to search vulnerable Internet of Things (IoT) devices, and has been seen actively spreading across different countries since April with the most infections in Singapore, Taiwan, Australia, Cote d’ Ivore, and India.

The malware is Python-based and uses the EternalRomance exploit to target and spread to all Windows versions since Windows 2000, and was likely downloaded from malicious websites as a .zip file masquerading as security updates for browser platforms. While the vulnerability has since been patched in April 2017, PyRoMineIoT uses obfuscation as an evasion tactic. It is installed via PyInstaller as a stand-alone executable and searches for local IP addresses to find the local subnets to execute the payload when run. While it still needs authentication, system privileges are given even for Guest accounts, and if the user is not in “Anonymous” mode, the login bypasses the hardcoded access Default/P@ssw0rdf0rme or aa to execute the payload. If the sent credentials are unsuccessful, it leaves the username and password spaces blank and sets the machine up for reinfection or open for future attacks.

Once the implementation of EternalRomance is successful, an obfuscated VBScript is downloaded to place the XMRig miner in the system. It also adds the account to the local groups as an admin, enables remote desktop protocol, and adds a firewall rule to allow network contact on port 3389. The miner uses randomly generated names for these files, as well as stops/kills/disables all other processes, deletes services, and deletes other users and files. The script stops the Windows Update Service, removes older versions of the miner from the machine, begins the Remote Access Connection Manager and configures it for authentication, and sets up unencrypted data transfer. This primes the system for further possible commands used to attack or spread to other devices.

[Read: Double Whammy: When one attack masks another attack]

PyRoMineIoT’s infection process has a second component that steals user access in Chrome with a ChromePass tool, recovering user passwords through the browser. The second component allows the tool to save the credentials in XML format to upload to an account in DriveHQ’s cloud storage service, which has been disabled since discovery.

What makes this malware particularly dangerous is when analyzed, PyRoMineIoT scans for vulnerable IoT devices from Iran and Saudi Arabia and sends the IP information of scanned devices to the attacker’s server, likely in preparation for future attacks. While the distribution of the malware began on June 2018, records of the compromised systems show that the threat actors have not generated any revenue yet and could still be working on propagation.

As Monero is resistant to Application-Specific Integrated Circuit (ASIC) mining, its decentralization and privacy may pave the way for more mining rigs to be included as a malware payload. It is seen to be affecting more vulnerable machines and devices in the future; Monero features privacy technologies exclusive to the cryptocurrency, making it a popular choice for cryptocurrency miners and underground transactions. Users can secure their systems from these malware types by following some of these steps:

  • Regularly download patches from legitimate vendors.
  • Employ virtual private networks (VPNs) when trying to access networks remotely.
  • Disable unnecessary or outdated protocols and components (or applications) unless otherwise needed.
  • Enable protection systems from the gateway to the endpoint for multi-layered intrusion and infection prevention.
  • Develop a security-aware environment in the workplace, and make sure downloads from external resources and websites are legitimate.

Trend Micro™ Smart Home Network™ customers are protected under these rules:

1133637    SMB Microsoft MS17-010 SMB Remote Code Execution -3
1133638    SMB Microsoft MS17-010 SMB Remote Code Execution -4
1133713    SMB MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption (CVE-2017-0146)
1133716    SMB Microsoft MS17-010 SMB Remote Code Execution -5
1133635    SMB Microsoft MS17-010 SMB Remote Code Execution -1
1133636    SMB Microsoft MS17-010 SMB Remote Code Execution -2
1133710    SMB Microsoft Windows SMB Server SMBv1 CVE-2017-0147 Information Disclosure


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.