Security researchers have discovered a new strain of malware dubbed PyRoMine, a Python-based cryptocurrency miner that uses leaked NSA exploits to power its attacks and quietly mine Monero. Fortinet's FortiGuard Labs said the malware uses the ETERNALROMANCE remote code execution exploit to self-propagate through vulnerable Windows machines.
The malware is distributed as an executable compiled with PyInstaller, so victims do not need Python installed on their machine for the malicious Python code to run.
Experts said the code was copied from the ETERNALROMANCE exploit with a few customized modifications. The malware uses the host's local IP addresses to determine the local subnet(s) and then iterates through every IP in them, executing the payload against each. The exploit also gives the attacker SYSTEM privileges.
The payload of the exploit downloads and executes a VBScript from a malicious URL. This .vbs file is responsible for downloading and starting the miner files and setting up the system.
"The malicious vbs file sets up a Default account with password 'P@ssw0rdf0rme' and adds this account to the local groups 'Administrators,' 'Remote Desktop Users,' and 'Users.' It then enables RDP and adds a firewall rule to allow traffic on RDP port 3389," researchers explained. "It also stops the Windows Update Service and starts the Remote Access Connection Manager service.
"It then configures the Windows Remote Management Service to enable basic authentication and to allow the transfer of unencrypted data. This also opens the machine for possible future attacks."
The XMRig miner is then downloaded and started to quietly mine Monero. The malware also sets up an autostart mechanism using a BAT file and checks that all of its files are present and running.
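As an added defensive check, not part of Fortinet's write-up, the PowerShell script below audits a Windows host for the configuration changes described above: the 'Default' local account and its group memberships, RDP enabled with an inbound allow rule for TCP/3389, the Windows Update and Remote Access Connection Manager service states, and the WinRM Basic-auth and unencrypted-transfer settings. It is read-only and assumes an elevated prompt on Windows 10 / Server 2016 or later with the LocalAccounts and NetSecurity modules available.

```powershell
# Added example (not from the Fortinet write-up): audit a host for the
# configuration changes attributed to the PyRoMine .vbs. Read-only checks.
# The account name 'Default' and the group names come from the article.
$findings = @()

# 1. Local account 'Default' and membership in the groups the article names
$acct = Get-LocalUser -Name 'Default' -ErrorAction SilentlyContinue
if ($acct) {
    $findings += "Local account 'Default' exists (enabled: $($acct.Enabled))"
    foreach ($grp in 'Administrators', 'Remote Desktop Users', 'Users') {
        $members = Get-LocalGroupMember -Group $grp -ErrorAction SilentlyContinue
        if ($members.Name -match '\\Default$') {
            $findings += "'Default' is a member of local group '$grp'"
        }
    }
}

# 2. RDP enabled via the Terminal Server registry value
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP connections are enabled (fDenyTSConnections = 0)'
}

# 3. Enabled inbound firewall rules allowing TCP/3389
$rules = Get-NetFirewallPortFilter -Protocol TCP -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq 3389 } | Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
foreach ($r in $rules) { $findings += "Inbound allow rule for TCP/3389: $($r.DisplayName)" }

# 4. Service states: Windows Update stopped, Remote Access Connection Manager running
$wu = Get-Service wuauserv -ErrorAction SilentlyContinue
if ($wu -and $wu.Status -ne 'Running') { $findings += "Windows Update (wuauserv) is $($wu.Status)" }
$ras = Get-Service RasMan -ErrorAction SilentlyContinue
if ($ras -and $ras.Status -eq 'Running') { $findings += 'Remote Access Connection Manager (RasMan) is running' }

# 5. WinRM service: Basic auth and unencrypted transfer (WSMan: drive needs WinRM running)
try {
    $basic = (Get-Item WSMan:\localhost\Service\Auth\Basic -ErrorAction Stop).Value
    $unenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted -ErrorAction Stop).Value
    if ($basic -eq 'true') { $findings += 'WinRM service allows Basic authentication' }
    if ($unenc -eq 'true') { $findings += 'WinRM service allows unencrypted traffic' }
} catch { $findings += "WinRM config not readable: $($_.Exception.Message)" }

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output '[ok] none of the PyRoMine configuration indicators found' }
```

Any single finding can be legitimate on its own (RDP is often enabled by policy), so treat the combination, especially the 'Default' account in Administrators together with WinRM Basic/unencrypted, as the signal worth escalating.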
According to researchers, one of the pool addresses used by the malware was paid about 2.4 Monero, valued at about $650.
"We first started to see this malware in April 2018, and it looks like it is still being improved, which might be the reason why its earnings are not very high at the moment," researchers noted.
The leak of the stolen exploit dates back to April 2017, when tools stolen from the NSA-linked Equation Group were published by the hacker crew Shadow Brokers. That leak saw the release of several hacking tools and zero-day exploits, including ETERNALBLUE and ETERNALROMANCE, targeting versions of Windows XP/Vista/8.1/7/10 and Windows Server 2003/2008/2012/2016. These exploits took advantage of CVE-2017-0144 and CVE-2017-0145, which were later patched by Microsoft. However, many systems that have not been patched remain vulnerable to these exploits and to future attacks.
"PyRoMine is not the first cryptominer that uses previously leaked NSA exploits to help them spread," researchers said. "This malware is a real threat as it not only uses the machine for cryptocurrency mining, but it also opens the machine for possible future attacks since it starts RDP services and disables security services. FortiGuard Labs is expecting that commodity malware will continue to use the NSA exploits to accelerate its ability to target vulnerable systems and to earn more profit."