New ‘PyRoMineIoT’ Malware Spreads via NSA-Linked Exploit

A recently discovered piece of crypto-currency miner malware isn’t only abusing a National Security Agency-linked remote code execution exploit to spread, but also abuses infected machines to scan for vulnerable Internet of Things (IoT) devices.

Dubbed PyRoMineIoT, the malware is similar to the PyRoMine crypto-currency miner that was detailed in late April. Both mine for Monero, both are Python-based, and both use the EternalRomance exploit for propagation purposes (the vulnerability was patched in April last year).

The older threat, Fortinet’s Jasper Manuel reveals, has received an update to add some obfuscation, likely in an attempt to evade detection from anti-virus programs.

The latest PyRoMine variant is hosted on the same IP address 212[.]83.190[.]122, was compiled with PyInstaller into a stand-alone executable, and continues to use the EternalRomance implementation found on the Exploit Database website, the same as the initially analyzed variant.

After a successful exploitation, an obfuscated VBScript is downloaded. The VBScript has the same functionality as the previously used one, but features more organized code and also adds a version number.

As before, it creates a local account named Default with a hard-coded password and adds the account to the local groups “Administrators,” “Remote Desktop Users,” and “Users,” after which it enables RDP and adds a firewall rule to allow inbound traffic on port 3389.
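The persistence steps described above (a local “Default” account placed in the Administrators and Remote Desktop Users groups, RDP switched on, and an inbound allow rule for port 3389) are all things a defender can check for directly on a Windows host. The following is an added example written for this article, not code from Fortinet’s report or from the malware; it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts and NetSecurity modules, run from an elevated prompt, and it reports matches rather than changing anything.

```powershell
# Added example (not from the article or Fortinet): host check for the
# PyRoMine-style RDP persistence described above. Assumes an elevated
# Windows PowerShell 5.1+ session with LocalAccounts and NetSecurity modules.
$findings = @()

# 1. A local user named "Default" and its membership in the three groups
#    the VBScript adds it to. Get-LocalGroupMember returns names as
#    "COMPUTERNAME\Default", hence the wildcard match.
$account = Get-LocalUser -Name 'Default' -ErrorAction SilentlyContinue
if ($account) {
    $findings += "Local user 'Default' exists (enabled: $($account.Enabled))"
    foreach ($group in 'Administrators', 'Remote Desktop Users', 'Users') {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        if ($members | Where-Object { $_.Name -like '*\Default' }) {
            $findings += "'Default' is a member of local group '$group'"
        }
    }
}

# 2. RDP enabled: fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += "Remote Desktop is enabled (fDenyTSConnections = 0)"
}

# 3. Enabled inbound allow rules whose port filter includes 3389. The built-in
#    "Remote Desktop" rule group will appear here too; the analyst compares
#    DisplayName/Group against the expected baseline to spot an added rule.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }
foreach ($rule in $rdpRules) {
    $findings += "Inbound allow rule for port 3389: '$($rule.DisplayName)' (group: $($rule.Group))"
}

# 4. Report. Any single hit is weak on its own; all three together match the
#    behaviour described for the PyRoMine VBScript.
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No PyRoMine-style RDP persistence indicators found on this host.'
}
```

A host that legitimately allows Remote Desktop will trigger checks 2 and 3 by design, so the signal to act on is the combination: an unexpected “Default” account in Administrators together with a newly enabled RDP rule.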

The VBScript also downloads other components, including a Monero miner (XMRig), but now uses randomly generated names for these files. The malware attempts to remove older versions of PyRoMine from the system.

One of the pool addresses used by the malware suggests the actors made around 5 Monero (about $850) from their nefarious activities. The malware has infected a large number of systems since April, with the top 5 affected countries being Singapore, India, Taiwan, Côte d’Ivoire, and Australia.

The newly discovered PyRoMineIoT, Manuel says, is similar to PyRoMine, hence the similar naming. The threat is served from “an obviously malicious looking website,” disguised as security updates for web browsers.

The fake updates are downloaded as .zip archives that contain a downloader agent written in C#. This agent fetches the miner file and other malicious components, including a Python-based malware that leverages EternalRomance to spread the downloader to vulnerable machines in the network.

The agent also fetches a component to steal user credentials from Chrome, and another to scan for IoT devices in Iran and Saudi Arabia that use the admin:admin username and password pair.

The EternalRomance implementation uses the same code base as PyRoMine and works in a similar manner, collecting the IPs of local subnets and iterating through them to execute the payload. It uses the username ‘aa’ with an empty password.

The second component is part of the legitimate ChromePass tool that allows users to recover passwords from the Chrome browser. In these attacks it is abused to steal credentials from unsuspecting users: the tool saves the recovered credentials in XML format and uploads the file to an account on DriveHQ’s cloud storage service (the account has already been disabled).

The most interesting aspect of this malware, however, is its ability to search for vulnerable IoT devices, although it only targets devices in Iran and Saudi Arabia. The threat sends the IP information of discovered devices to the attacker’s server, supposedly in preparation for further attacks.

Like PyRoMine, the malware downloads the XMRig miner on the compromised system. After checking one of the pool addresses used by the threat, however, the researcher discovered that it hasn’t generated revenue yet. This isn’t surprising, considering that the malware only started being distributed on June 6, 2018, and is an unfinished project.

“This development confirms yet again that malware authors are very interested in cryptocurrency mining, as well as in capturing a chunk of the IoT threat ecosystem. We predict that this trend will not fade away soon, but will continue as long as there are opportunities for the bad guys to easily earn money by targeting vulnerable machines and devices,” Fortinet concludes.

Related: MassMiner Attacks Web Servers With Multiple Exploits

Related: PyRoMine Crypto-Miner Spreads via NSA-Linked Exploit

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
