Threat actors have been found using a new miner malware to infect users in Australia, Taiwan, Vietnam, Hong Kong, India, and China. The malware leverages multiple methods for propagation and infection, to infect Windows systems and drop a Monero mining malware.
What’s the matter - Trend Micro researchers have revealed that a malware detected as Trojan.PS1.LUDICROUZ.A uses several propagation methods to gain access to systems. This includes accessing weak passwords, using pass-the-hash technique, Windows admin tools, and brute force attacks. The malware also uses EternalBlue exploit and PowerShell abuse to evade detection and to spread silently across the network.
How does it spread - The primary method of propagation of the malware involves using the weak credentials. Once a machine is infected, Trojan.PS1.LUDICROUZ.A acquires the MAC address and collects a list of anti-virus products installed in the machine. It then downloads another obfuscated PowerShell script named Trojan.PS1.PCASTLE.B from the C2 server. The downloaded PowerShell is responsible for downloading and executing the malware’s component, most of which are copies of itself.
What’s next - The third component is spyware detected asTrojanSpy.Win32.BEAHNY.THCACAI. It is capable of collecting system information such as Computer’s name, GUID, OS version, Graphics Memory Information and system time.
The fourth component is a Python-compile binary executable which enables the malware to propagate further. It is detected as Trojan.PS1.MIMIKATZ.ADW. The malware attempts to use weak SQL passwords to access vulnerable database servers and execute shell commands.
The bottom line - Researchers found the malware sample to be “sophisticated, designed specifically to infect as many machines as possible and to operate without immediate detection.” It leverages weak passwords in systems and databases, targets legacy software and exploits unpatched vulnerabilities to propagate.
“Considering the increasing popularity of PowerShell and more publicly available open-source codes, we can expect to see more complicated malware like these. And while system information being collected and sent back to the C&C may appear insignificant compared to directly stealing personally identifiable information, system information is unique to machines and may be used to trace, identify, and track users and activities,” the Trend Micro researchers explained.