New 'PyRoMineIoT' Malware Spreads via NSA-Linked Exploit
12.6.18 securityweek Virus
A recently discovered piece of crypto-currency miner malware isn’t only abusing a National Security Agency-linked remote code execution exploit to spread, but also abuses infected machines to scan for vulnerable Internet of Things (IoT) devices.
Dubbed PyRoMineIoT, the malware is similar to the PyRoMine crypto-currency miner that was detailed in late April. Both mine for Monero, both are Python-based, and both use the EternalRomance exploit for propagation purposes (the vulnerability was patched in April last year).
The older threat, Fortinet’s Jasper Manuel reveals, has received an update to add some obfuscation, likely in an attempt to evade detection from anti-virus programs.
The latest PyRoMine variant is hosted on the same IP address 212[.]83.190[.]122, was compiled with PyInstaller into a stand-alone executable, and continues to use the EternalRomance implementation found on the Exploit Database website, the same as the initially analyzed variant.
After a successful exploitation, an obfuscated VBScript is downloaded. The VBScript has the same functionality as the previously used one, but features more organized code and also adds a version number.
The same as before, it sets up a Default account with the password P@ssw0rdf0rme and adds the account to the local groups “Administrators,” “Remote Desktop Users,” and “Users,” after which it enables RDP and adds a firewall rule to allow traffic on port 3389.
The VBScript also downloads other components, including a Monero miner (XMRig), but now uses randomly generated names for these files. The malware attempts to remove older versions of PyRoMine from the system.
One of the pool addresses used by the malware suggests the actors made around 5 Monero (about $850) from their nefarious activities. The malware has infected a large number of systems since April, with the top 5 affected countries being Singapore, India, Taiwan, Côte d’Ivoire, and Australia.
The newly discovered PyRoMineIoT, Manuel says, is similar to PyRoMine, hence the similar naming. The threat is served from “an obviously malicious looking website,” disguised as security updates for web browsers.
The fake updates are downloaded as .zip archives that contain a downloader agent written in C#. This agent fetches the miner file and other malicious components, including a Python-based malware that leverages EternalRomance to spread the downloader to vulnerable machines in the network.
The agent also fetches a component to steal user credentials from Chrome, and another to scan for IoT devices in Iran and Saudi Arabia that use the admin: admin username and password pair.
The EternalRomance implementation uses the same code base as PyRoMine and works in a similar manner, collecting the IPs of local subnets and iterating through them to execute the payload. It uses the username ‘aa’ with an empty password.
The second component is part of the legitimate ChromePass tool that allows users to recover passwords from the Chrome browser. As part of these attacks, it is abused to steal credentials from unsuspecting users: the tool saves the recovered credentials in XML format and uploads the file to an account on DriveHQ’s cloud storage service (the account has been already disabled).
The most interesting aspect of this malware, however, is its ability to search for vulnerable IoT devices, but it only targets those in Iran and Saudi Arabia for that. The threat sends the IP information of discovered devices to the attacker’s server, supposedly in preparation for further attacks.
The same as PyRoMine, the malware downloads the XMRig miner on the compromised system. After checking one of the pool addresses used by the threat, however, the researcher discovered that it hasn’t generated revenue yet. This, however, isn’t surprising, considering that the malware only started being distributed on June 6, 18, and is an unfinished project.
“This development confirms yet again that malware authors are very interested in cryptocurrency mining, as well as in capturing a chunk of the IoT threat ecosystem. We predict that this trend will not fade away soon, but will continue as long as there are opportunities for the bad guys to easily earn money by targeting vulnerable machines and devices,” Fortinet concludes.