BlackSquid malware uses bag of exploits to drop cryptocurrency miners

The new malware family infects web servers to mine for cryptocurrency.


A new form of malware has emerged from the depths to attack web servers with a barrage of exploits designed to land illicit cryptocurrency miners.

The overall aim is to compromise web servers, network drives, and removable storage to install XMRig, a Monero cryptocurrency miner script, on target machines.

On Monday, Trend Micro published its findings on the new malware, dubbed BlackSquid, which the cybersecurity firm says has proven itself to be "especially dangerous."

While many forms of malicious code will employ one or two exploits for known vulnerabilities in popular systems, BlackSquid differs in this regard. 

The malware uses a range of the most dangerous exploits currently in the wild, including EternalBlue; DoublePulsar; exploits for a Rejetto HTTP File Server bug (CVE-2014-6287), an Apache Tomcat security flaw (CVE-2017-12615), and a Windows Shell issue in Microsoft Server (CVE-2017-8464); as well as three ThinkPHP exploits for different versions of the web application development framework.
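As an added illustration from the detection side (not code from the article or from Trend Micro), the following Python scans web-server access-log lines for requests shaped like three of the web-application exploits listed above. The signature patterns are this example's own simplified approximations rather than published indicators, and the log lines are constructed samples.

```python
"""Scan access-log lines for requests shaped like three web-application
exploits attributed to BlackSquid. Signatures are simplified assumptions of
this example, not Trend Micro's indicators; log lines are constructed."""
import re
from urllib.parse import unquote

# Each signature is (label, regex) applied to the URL-decoded "METHOD PATH".
SIGNATURES = [
    # CVE-2017-12615: Tomcat with readonly=false accepted an HTTP PUT that
    # wrote a .jsp; a trailing "/" or "%20" was used to bypass the JSP servlet.
    ("CVE-2017-12615", re.compile(r"^PUT \S*\.jsp(?:[ /]|$|\?)", re.I)),
    # CVE-2014-6287: HFS 'search' parameter carrying a null byte followed by a
    # macro opener "{." (the null byte cut the filter short).
    ("CVE-2014-6287", re.compile(r"[?&]search=[^&]*\x00[^&]*\{\.", re.I)),
    # ThinkPHP RCE family: routing to invokefunction through the "s" parameter.
    ("ThinkPHP-invokefunction", re.compile(r"[?&]s=[^&]*invokefunction", re.I)),
]

# Apache/nginx combined-log prefix: client, identity, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def classify(request):
    """Return the label of the first signature matching "METHOD PATH", else None."""
    for label, rx in SIGNATURES:
        if rx.search(request):
            return label
    return None

def scan(lines):
    """Return (client_ip, label, status) for every line that hits a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log format; skip rather than guess
        label = classify(f"{m['method']} {unquote(m['path'])}")
        if label:
            hits.append((m["ip"], label, m["status"]))
    return hits

SAMPLE_LOG = [  # constructed sample lines; addresses are from documentation ranges
    '203.0.113.5 - - [03/Jun/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [03/Jun/2019:10:00:02 +0000] "PUT /x.jsp/ HTTP/1.1" 201 0',
    '198.51.100.7 - - [03/Jun/2019:10:00:03 +0000] "GET /?search=%00{.placeholder.} HTTP/1.1" 200 88',
    '198.51.100.9 - - [03/Jun/2019:10:00:04 +0000] "GET /index.php?s=index/think/app/invokefunction&function=placeholder HTTP/1.1" 500 0',
    '192.0.2.3 - - [03/Jun/2019:10:00:05 +0000] "GET /docs/guide.jsp?page=2 HTTP/1.1" 200 3094',
]

if __name__ == "__main__":
    for ip, label, status in scan(SAMPLE_LOG):
        print(f"{ip}\t{label}\tstatus={status}")
```

A 2xx status on a flagged PUT (as in the second sample line) is the case worth paging on, since it means the server accepted the write rather than rejecting it.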

In addition, BlackSquid is capable of brute-force attacks, anti-virtualization, anti-debugging, and anti-sandboxing techniques, as well as worm-like propagation capabilities.

BlackSquid begins its infection process by way of one of three entry points: an infected webpage, exploits, or removable or network drives.

BlackSquid makes use of the GetTickCount API to randomly generate the IP addresses of web servers to target, then checks whether those addresses are live. If so, the attack begins. The malicious code is also able to start an infection chain by prepending malicious iframes to target web pages.

The malware performs a number of checks designed to avoid detection or analysis, such as the presence of usernames, drivers, or dynamic link libraries which suggest a sandbox or virtualization is in play.

"The malware also checks the breakpoint registers for hardware breakpoints, specifically for the flags," the researchers say. "Hard-coded in, it skips the routine if that flag is at 0, while it seems to proceed with infection if the flag is at 1. As of this writing, the code is set at 0, implying that this aspect of the malware routine is still in development."

Once inside a web server, the malware uses a remote code execution flaw to obtain the same level of privileges as a local system user and further propagate itself while also executing the final payloads.

BlackSquid's payloads are two XMRig cryptocurrency mining components: one is embedded in the malware as a resource, and the other is downloaded onto the infected server. The embedded resource miner acts as the malware's primary component.


If a video card, such as those developed by Nvidia or AMD, is found, the second component also comes into play to use the GPU to mine for additional Monero.

Trend Micro says that the majority of BlackSquid attacks have, so far, been detected in Thailand and the United States. The last week of May is the most active period on record.

Coding errors in the malware and skipped routines, however, suggest that BlackSquid still may be in the process of development and testing, as many of the techniques in use are available for free in underground forums and the decision to implement random IP scanning -- rather than a Shodan subscription, for example -- does not require any investment.


However, the researchers believe that given the malware's current development and capabilities, it is possible that payloads other than a cryptocurrency miner may be employed in the future -- and more dangerous ones, at that.

To combat the BlackSquid threat as it exists today, the simplest way is to make use of proper patching procedures. While the exploits in use are dangerous, fixes have been available for years and should be applied to web servers. 
