SecurityWeek

Malware & Threats

New ‘PyRoMineIoT’ Malware Spreads via NSA-Linked Exploit

A recently discovered piece of cryptocurrency miner malware not only abuses a National Security Agency-linked remote code execution exploit to spread, but also uses infected machines to scan for vulnerable Internet of Things (IoT) devices.

Dubbed PyRoMineIoT, the malware is similar to the PyRoMine cryptocurrency miner that was detailed in late April. Both mine for Monero, both are Python-based, and both use the EternalRomance exploit to propagate (the vulnerability was patched in April last year).

The older threat, Fortinet’s Jasper Manuel reveals, has received an update that adds some obfuscation, likely in an attempt to evade detection by anti-virus programs.

The latest PyRoMine variant is hosted on the same IP address, 212[.]83.190[.]122, was compiled with PyInstaller into a stand-alone executable, and continues to use the EternalRomance implementation found on the Exploit Database website, just as the initially analyzed variant did.

After a successful exploitation, an obfuscated VBScript is downloaded. The VBScript has the same functionality as the previously used one, but features more organized code and also adds a version number.

As before, it creates an account named “Default” with the password P@ssw0rdf0rme and adds it to the local groups “Administrators,” “Remote Desktop Users,” and “Users,” after which it enables RDP and adds a firewall rule allowing traffic on port 3389.
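The following is an added example, not code from the article or from Fortinet’s analysis: a PowerShell check a defender can run on a Windows host for the artefacts that paragraph attributes to the VBScript (a local account named Default, its membership in the three groups, RDP enabled, and an inbound firewall rule allowing TCP 3389). It assumes an elevated PowerShell 5.1 or later session with the standard LocalAccounts and NetSecurity modules.

```powershell
# Added example: look for the host-side artefacts described in the article.
# Assumes an elevated session; cmdlets are from the built-in
# Microsoft.PowerShell.LocalAccounts and NetSecurity modules.
$findings = @()

# 1. A local account literally named "Default". This is distinct from the
#    built-in Windows "DefaultAccount" (DSMA), which Get-LocalUser -Name 'Default'
#    does not match.
$acct = Get-LocalUser -Name 'Default' -ErrorAction SilentlyContinue
if ($acct) {
    $findings += "Local account 'Default' exists (enabled: $($acct.Enabled), password last set: $($acct.PasswordLastSet))"

    # 2. Membership in the three groups the script adds the account to.
    foreach ($grp in 'Administrators', 'Remote Desktop Users', 'Users') {
        $members = Get-LocalGroupMember -Group $grp -ErrorAction SilentlyContinue
        if ($members | Where-Object { $_.Name -like '*\Default' }) {
            $findings += "'Default' is a member of local group '$grp'"
        }
    }
}

# 3. RDP enabled: fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += 'Remote Desktop is enabled (fDenyTSConnections = 0)'
}

# 4. Enabled inbound allow rules for TCP 3389. The rule name and group are reported
#    so the built-in "Remote Desktop" rules can be told apart from a freshly added one.
$portFilters = Get-NetFirewallPortFilter -Protocol TCP | Where-Object { $_.LocalPort -eq '3389' }
foreach ($pf in $portFilters) {
    $rule = $pf | Get-NetFirewallRule
    if ($rule.Enabled -eq 'True' -and $rule.Direction -eq 'Inbound' -and $rule.Action -eq 'Allow') {
        $findings += "Inbound allow rule for TCP/3389: '$($rule.DisplayName)' (group: '$($rule.DisplayGroup)')"
    }
}

# 5. Report, with a non-zero exit code so the check can run from a scheduled task
#    or an EDR response action.
if ($findings.Count -eq 0) {
    Write-Output 'No PyRoMine-style backdoor-account or RDP artefacts found.'
    exit 0
}
$findings | ForEach-Object { Write-Output "[!] $_" }
exit 1
```

A host that legitimately uses RDP will match checks 3 and 4 on its own; the combination with the named account and its group memberships is what points at this specific script.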

The VBScript also downloads other components, including a Monero miner (XMRig), but now uses randomly generated names for these files. The malware attempts to remove older versions of PyRoMine from the system.

One of the pool addresses used by the malware suggests the actors made around 5 Monero (about $850) from their nefarious activities. The malware has infected a large number of systems since April, with the top 5 affected countries being Singapore, India, Taiwan, Côte d’Ivoire, and Australia.

The newly discovered PyRoMineIoT, Manuel says, is similar to PyRoMine, hence the similar naming. The threat is served from “an obviously malicious looking website,” disguised as security updates for web browsers.

The fake updates are downloaded as .zip archives that contain a downloader agent written in C#. This agent fetches the miner file and other malicious components, including a Python-based malware that leverages EternalRomance to spread the downloader to vulnerable machines in the network.

The agent also fetches a component to steal user credentials from Chrome, and another to scan for IoT devices in Iran and Saudi Arabia that use the admin:admin username and password pair.

The EternalRomance implementation uses the same code base as PyRoMine and works in a similar manner, collecting the IPs of local subnets and iterating through them to execute the payload. It uses the username ‘aa’ with an empty password.

The second component is part of the legitimate ChromePass tool, which allows users to recover passwords from the Chrome browser. In these attacks it is abused to steal credentials from unsuspecting users: the tool saves the recovered credentials in XML format and uploads the file to an account on DriveHQ’s cloud storage service (the account has already been disabled).

The most interesting aspect of this malware, however, is its ability to search for vulnerable IoT devices, although it only targets devices in Iran and Saudi Arabia. The threat sends the IP information of discovered devices to the attacker’s server, supposedly in preparation for further attacks.

Like PyRoMine, the malware downloads the XMRig miner onto the compromised system. After checking one of the pool addresses used by the threat, however, the researcher found that it hasn’t generated revenue yet. This isn’t surprising, considering that the malware only started being distributed on June 6, 2018, and is an unfinished project.

“This development confirms yet again that malware authors are very interested in cryptocurrency mining, as well as in capturing a chunk of the IoT threat ecosystem. We predict that this trend will not fade away soon, but will continue as long as there are opportunities for the bad guys to easily earn money by targeting vulnerable machines and devices,” Fortinet concludes.

Related: MassMiner Attacks Web Servers With Multiple Exploits

Related: PyRoMine Crypto-Miner Spreads via NSA-Linked Exploit

Written By

Ionut Arghire is an international correspondent for SecurityWeek.