This cryptocurrency mining malware also disables your security services

A year on from the vulnerabilities being leaked, attackers are still using leaked NSA tools to power new attacks - this time with the newly uncovered PyRoMine.
Written by Danny Palmer, Senior Writer

A new form of cryptocurrency mining malware uses a leaked NSA exploit to spread itself to vulnerable Windows machines, while also disabling security software and leaving the infected computer open to future attacks.

The Python-based malicious Monero miner has been uncovered by researchers at security company Fortinet, who have dubbed it PyRoMine. It first appeared this month and spreads using EternalRomance, a leaked NSA exploit that takes advantage of an SMB vulnerability which, until a year ago, had been undisclosed, allowing the malware to self-propagate through networks.

EternalRomance helped spread BadRabbit ransomware and is similar in many ways to EternalBlue, a second leaked NSA exploit which helped fuel WannaCry and NotPetya. Both exploits look for public-facing SMB ports, allowing them to deliver malware to networks.

Researchers discovered the malware was downloadable from a particular web address as a zip file, bundled with PyInstaller, a program which packages Python programs into stand-alone executables, meaning there's no need for Python to be installed on the compromised machine.

The malicious code behind PyRoMine appears to have been directly copied from a publicly shared EternalRomance implementation.

Once the PyRoMine payload makes its way onto a machine, a malicious VBScript is downloaded which enables Remote Desktop Protocol (RDP) and adds a firewall rule allowing traffic on RDP port 3389, so that the malware can propagate further.

In addition to this, the malware also stops Windows Updates and allows the transfer of unencrypted data.

Disabling security software allows the attackers to potentially deliver additional malware, should they eventually pivot away from the cryptocurrency miner, which is downloaded after RDP has been enabled. The miner is registered as a service named "SmbAgentService" by the file "svchost.exe."
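The host-level changes described above (a new "SmbAgentService" service, a firewall rule opening port 3389, RDP switched on, Windows Update turned off) are all visible in endpoint logs, and correlating them per host is a practical way to spot an infection. The following is an added example, not code from Fortinet or from the article: it assumes a constructed key=value log export and the standard Windows event IDs noted in the comments, and only flags hosts where at least two indicators line up, so a single legitimately admin-enabled RDP rule does not fire on its own.

```python
import re
from collections import defaultdict

# PyRoMine behaviours from the article mapped to host-log indicators.
# Event IDs are assumed standard Windows System/Security log IDs:
# 7045 service installed, 4946 firewall rule added, 4657 registry value
# modified, 7040 service start type changed. The key=value line format
# below is a constructed export, not any real product's log format.
INDICATORS = {
    "service_installed": lambda e: e.get("EventID") == "7045"
        and e.get("ServiceName", "").lower() == "smbagentservice",
    "rdp_firewall_rule": lambda e: e.get("EventID") == "4946"
        and e.get("LocalPort") == "3389",
    "rdp_enabled": lambda e: e.get("EventID") == "4657"
        and e.get("ObjectValueName", "").lower() == "fdenytsconnections"
        and e.get("NewValue") == "0",
    "windows_update_disabled": lambda e: e.get("EventID") == "7040"
        and e.get("ServiceName", "").lower() == "wuauserv"
        and e.get("NewStartType", "").lower() == "disabled",
}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def scan(lines, min_hits=2):
    """Return {host: sorted indicator names} for hosts with >= min_hits indicators."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for name, matches in INDICATORS.items():
            if matches(ev):
                hits[ev.get("Host", "?")].add(name)
    return {h: sorted(s) for h, s in hits.items() if len(s) >= min_hits}

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    'Host=WS01 EventID=7045 ServiceName=SmbAgentService StartType=auto',
    'Host=WS01 EventID=4946 RuleName="Remote Desktop" LocalPort=3389 Protocol=TCP',
    'Host=WS01 EventID=4657 ObjectValueName=fDenyTSConnections OldValue=1 NewValue=0',
    'Host=WS01 EventID=7040 ServiceName=wuauserv OldStartType=auto NewStartType=disabled',
    'Host=WS02 EventID=4946 RuleName="Remote Desktop" LocalPort=3389 Protocol=TCP',
    'Host=WS03 EventID=7045 ServiceName=Spooler StartType=auto',
]

if __name__ == "__main__":
    for host, found in scan(SAMPLE_LOG).items():
        print(host, found)
```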

Once running on a system, the malicious miner will use the power of the machine to mine for Monero - specifically selected because it can be mined by ordinary computers and provides additional privacy to users.

Currently, PyRoMine isn't widely spread and hasn't made its authors very much money, but the sheer number of machines in the wild which still haven't patched against EternalRomance means there are a lot of potential targets out there. Another reason it hasn't spread is that the authors are still in the testing stage.

"We first started to see this malware in April 2018, and it looks like it is still being improved, which might be the reason why its earnings are not very high at the moment," said Jasper Manuel, security researcher at Fortinet.

A patch to protect systems against the leaked NSA hacking tools was released over a year ago, but there are many Windows machines which haven't received the patch and remain vulnerable to attack.

While PyRoMine isn't the first cryptocurrency malware to spread via the leaked hacking tools, the additional damage it could do by disabling system and security services could make it much more dangerous in future.

"This malware is a real threat as it not only uses the machine for cryptocurrency mining, but it also opens the machine for possible future attacks since it starts RDP services and disables security services," said Manuel.

"Commodity malware will continue to use the NSA exploits to accelerate its ability to target vulnerable systems and to earn more profit," he added.

Cryptocurrency mining has become a popular way for cyber-crooks to earn money, with attacks successful over a long period of time because the malware is subtle and remains hidden. The technique is said to be so popular with cybercriminals that it is now as lucrative as ransomware.