Mining Monero on Windows is easy with WinXMR. Mining can be done on both CPU and GPU hardware on any version of Windows.

Works well on AWS and Azure cloud virtual machines running Windows
Based on the popular WinEth Ethereum Miner and managed by the same team
Dedicated support team available via email or chat
Signed with the trusted code signing certificate (Digicert)
2% Dev Fee taken as two minutes of mining after the first 100 minutes

WinXMR works on any version of Windows and automatically updates itself. The only two required fields are the Monero Address and Email fields. You can also check the Background Mode box to run the miner at 75% speed, which may keep your computer more stable. There are also advanced settings available by clicking the “Advanced” button in the title bar. Here you can choose to mine with only CPU or GPU, and you can optionally switch your mining pool to SupportXMR instead of the default Nanopool. WinXMR does not have any affiliation with the mining pools we support. Our miner can be configured to mine with Nanopool or Supportxmr. Data will begin to show up on the pool sites after mining for about an hour.

In 2016, a group calling themselves the Shadow Brokers leaked a number of hacking tools and zero-day exploits attributed to the threat actors known as the Equation Group, a group which has been tied to the National Security Agency’s (NSA) Tailored Access Operations unit. Then, on April 14, 2017, they released a set of weaponized exploits, including ETERNALBLUE and ETERNALROMANCE, that targeted versions of Windows XP/Vista/8.1/7/10 and Windows Server 2003/2008/2012/2016. These exploits took advantage of CVE-2017-0144 and CVE-2017-0145, which have been patched with the MS17-010 security bulletin released by Microsoft.

The ETERNALBLUE and ETERNALROMANCE exploits are remote code execution (RCE) exploits that abuse the legacy SMBv1 file sharing protocol. File sharing over SMB is normally used only within the local network, but many organizations had SMBv1 exposed to the internet, which worsened the resulting WannaCry and NotPetya attacks that leveraged those exploits. Today, with cryptocurrencies in high demand, researchers have discovered malware authors using the ETERNALBLUE exploit in cryptocurrency mining malware, such as Adylkuzz, Smominru, and WannaMine.

Recently, FortiGuard Labs uncovered a new Python-based cryptocurrency mining malware that uses the ETERNALROMANCE exploit, which we have dubbed “PyRoMine.” In this article, I provide an analysis of this malware and show how it leverages the ETERNALROMANCE exploit to spread to vulnerable Windows machines.

I originally came upon the malicious URL hxxp://212.83.190.122/server/controller.zip where this malware can be downloaded as a zip file. This file contains an executable file compiled with PyInstaller, which is a program that packages programs written in Python into stand-alone executables. This means that there is no need to install Python on the machine in order to execute the Python program. In order to extract and analyze the Python script and the packages it uses, I used a tool in PyInstaller named pyi-archive_viewer. With pyi-archive_viewer I was able to extract the main file, which in this case is named “controller.”

As discussed in our previous articles Group Behind VenusLocker Switches From Ransomware to Monero Mining and Cryptojacking: Digging for your own Treasure, there might be two main reasons why the malware authors chose Monero over other cryptocurrencies like Bitcoin. The first is that Monero’s mining algorithm is designed for ordinary computers with no high-end GPUs, which are the majority of most potential targets. And the second is Monero’s promise of transaction anonymity.

PyRoMine is not the first cryptominer that uses previously leaked NSA exploits to help it spread. Those Windows machines that have not installed the patch from Microsoft remain vulnerable to this attack and similar attacks. This malware is a real threat, as it not only uses the machine for cryptocurrency mining, but it also opens the machine to possible future attacks since it starts RDP services and disables security services. FortiGuard Labs is expecting that commodity malware will continue to use the NSA exploits to accelerate its ability to target vulnerable systems and to earn more profit.

Fortinet detects all the PyRoMine samples as Python/MS17_010.B!tr, Riskware/CoinMiner, VBS/Miner.PY!tr, VBS/Runner.NFO!tr, and the ETERNALBLUE exploit as MS.2. and the ETERNALROMANCE exploit as MS. Malicious URLs related to this malware are also blocked by Fortinet’s Web Filter service.