All-in-one CrazyCoin Worm Leverages EternalBlue Exploit Kit to Spread Across Target Systems

  • The virus includes mining, hacking, and backdoor modules.
  • The mining module included in the virus is used to mine Monero and HNS coins. 

Recently, researchers came across a new computer virus that integrates multiple capabilities in its arsenal. Dubbed CrazyCoin, the virus spreads via the NSA leaked EternalBlue exploit kit. 

What’s new about the virus?
Discovered by the researchers from 360 Baize Labs, the virus includes mining, hacking and backdoor modules. After it infects a user’s machine, it downloads mining and information-stealing modules. Later it plants the Double Pulsar backdoor program so that all these modules cooperate with each other and perform their own activities.

According to researchers, “The powershell script is responsible for downloading various modules to the victim’s machine for execution.”

The mining module included in the virus are used to mine Monero and HNS coins. 

Among the information stolen by the virus’ stealing module are victims’ sensitive files such as ID cards, passwords, bitcoin wallets etc. This stolen data are later sent back to a server controlled by attackers.   

The CrazyCoin virus listens and receives commands on port 3611.

Security advice
As CrazyCoin leverages the EternalBlue exploit to propagate across systems and this exploit kit is known for abusing vulnerability in SMBv1, it is very necessary to update security patches against it. The vulnerability CVE-2017-0144 exists because the SMB version 1 server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the targeted computer.