Attackers leverage NSA hacking tools to target businesses with XMRig Monero miners

• The NSA hacking tools used in this campaign include EternalBlue and EternalChampion that were leaked by the Shadow Brokers hacker group in April 2017.
• A majority of affected computers were running Windows Server 2003 SP2 (83%), followed by Windows 7 Ultimate Professional SP1 and Windows XP Professional.

Researchers have uncovered an ongoing crypto jacking campaign, wherein attackers use NSA hacking tools to compromise vulnerable computers of businesses across the globe.

What are the NSA hacking tools used in this campaign?

• The NSA hacking tools used in this campaign include EternalBlue and EternalChampion that were leaked by the Shadow Brokers hacker group in April 2017.
• Using the EternalBlue and EternalChampion exploit kits, attackers target unpatched Windows computers to install XMRig Monero miners.

While Microsoft patched the security flaws in Windows machines that were exploited by these tools, there are still a lot of unpatched computers that are vulnerable to such attacks.

Who are the targets?

This Cryptojacking campaign targets organizations with unpatched systems across the world, with China being the most targeted country, followed by India, Vietnam, Thailand, and Indonesia, among others.

• The targeted sector includes education, communication, media, banking, manufacturing, and technology.
• A majority of affected computers were running Windows Server 2003 SP2 (83%), followed by Windows 7 Ultimate Professional SP1 and Windows XP Professional.

More details on the campaign

Researchers from TrendMicro found out that the compromised machines targeted in this campaign are a part of organizations’ internal network systems and attackers are using the ‘Shotgun’ attack method to compromise the machines.

• A Diagnostics.txt document present in the main Windows folder which is actually a ZIP archive that contains the NSA hacking tools and other malicious tools are used in the campaign.
• The cryptominer binary is first dropped into the infected system's system32 or SysWOW64 folders.
• After which, variants of XMRig crypto miners are dropped on the infected machine via a variant of the Vools Trojan, which is an EternalBlue-based backdoor.

Researchers observed almost 80 variants of XMRig monero miner which were detected as either Coinminer.Win32.MALXMR.SMBM4 or Coinminer.Win64.TOOLXMR.SMA.

“Since we began tracking it in March 2019, we found more than 80 different files in the wild that are involved in the campaign based on their hashes. All these files are variants of the open-source XMRig (Monero) miner, which is used at scale by numerous cybercriminals worldwide. These variants are detected as either Coinminer.Win32.MALXMR.SMBM4 or Coinminer.Win64.TOOLXMR.SMA,” researchers said in a blog.