BlackSquid malware campaign puts cryptocurrency farms on web-servers

Trend Micro experts discovered a new campaign for the mining of cryptocurrency called Monero that targets web-servers, networks and removable drives.

For inconspicuous infection of devices, operators of the campaign that was called BlackSquid, use eight exploits for various vulnerabilities, including the leaked EternalBlue tool from the arsenal of the US National Security Agency, as well as a number of exploits for bugs in Rejetto HFS software (CVE-2014-6287), Apache Tomcat (CVE-2017-12615), Windows Shell (CVE-2017-8464) and several versions of the ThinkPHP framework.

“Our telemetry observed the greatest number of attack attempts using BlackSquid in Thailand and the U.S. during the last week of May”, — reported Trend Micro.

After infection of a server, the BlackSquid checks its location (in the virtual machine, sandbox, etc.) and if analysis tools are used. If the malware is in a dangerous environment for it, operators stop the malicious activity.

Infection occurs through vulnerabilities in web applications that use servers. Using the GetTickCount API, the malware searches for IP addresses of available servers and compromises them using exploits and brute force. Next, the malware determines which video card is installed: if is it Nvidia or AMD, XMRig modules for cryptocurrency mining are loaded into the system.

Randomly generating and checking for live IP addresses to target
Randomly generating and checking for live IP addresses to target

BlackSquid can be used not only for mining cryptocurrency, but also for elevating rights on the system, stealing confidential data, disrupting the operation of hardware and software, as well as for carrying out attacks on organizations.

Judging by some of the nuances, BlackSquid is still under development. Experts believe that its authors are experimenting with various types of attacks, trying to determine the least expensive ones. At this stage, attackers are loading Monero miners on compromised servers, but in the future they may switch to other threats.

BlackSquid distributed using the EternalBlue tool and DoublePulsar backdoor. Despite the fact that the patch for these vulnerabilities is available since March 2017, thousands of systems remain vulnerable.

Conclusion from Trend Micro

Given its evasion techniques and the attacks it is capable of, BlackSquid is a sophisticated piece of malware that may cause significant damage to the systems it infects. If successful, this malware may enable an attacker to escalate unauthorized access and privileges, steal proprietary information, render hardware and software useless, or launch attacks on an organization (or even from an organization into another).

We recommend continued updating of systems with the released patches from legitimate vendors. Users of legacy software should also update with virtual patches from credible sources. Enterprises are advised to enable a multilayered protection system that can actively block threats and malicious URLs from the gateway to the endpoint.


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button