Specialists from Distil Networks studied nearly one billion of requests and published Bad Bot report…
“Our telemetry observed the greatest number of attack attempts using BlackSquid in Thailand and the U.S. during the last week of May”, — reported Trend Micro.
After infection of a server, the BlackSquid checks its location (in the virtual machine, sandbox, etc.) and if analysis tools are used. If the malware is in a dangerous environment for it, operators stop the malicious activity.
Infection occurs through vulnerabilities in web applications that use servers. Using the GetTickCount API, the malware searches for IP addresses of available servers and compromises them using exploits and brute force. Next, the malware determines which video card is installed: if is it Nvidia or AMD, XMRig modules for cryptocurrency mining are loaded into the system.
BlackSquid can be used not only for mining cryptocurrency, but also for elevating rights on the system, stealing confidential data, disrupting the operation of hardware and software, as well as for carrying out attacks on organizations.
Judging by some of the nuances, BlackSquid is still under development. Experts believe that its authors are experimenting with various types of attacks, trying to determine the least expensive ones. At this stage, attackers are loading Monero miners on compromised servers, but in the future they may switch to other threats.
BlackSquid distributed using the EternalBlue tool and DoublePulsar backdoor. Despite the fact that the patch for these vulnerabilities is available since March 2017, thousands of systems remain vulnerable.
Given its evasion techniques and the attacks it is capable of, BlackSquid is a sophisticated piece of malware that may cause significant damage to the systems it infects. If successful, this malware may enable an attacker to escalate unauthorized access and privileges, steal proprietary information, render hardware and software useless, or launch attacks on an organization (or even from an organization into another).
We recommend continued updating of systems with the released patches from legitimate vendors. Users of legacy software should also update with virtual patches from credible sources. Enterprises are advised to enable a multilayered protection system that can actively block threats and malicious URLs from the gateway to the endpoint.
Source: https://blog.trendmicro.com
Pbmsoultions.com is a domain that tries to trick you into clik to its browser notifications…
Prizestash.com is a site that tries to trick you into subscribing to its browser notifications…
Verifiedbreaking.com is a domain that tries to force you into subscribing to its browser notifications…
Themoneyminutes.com is a domain that tries to force you into subscribing to its browser notifications…
News-xcidizi.com is a domain that tries to trick you into clik to its browser notifications…
Everytraffic-flow.com is a domain that tries to trick you into subscribing to its browser notifications…