News

BlackSquid malware campaign puts cryptocurrency farms on web-servers

Trend Micro experts discovered a new campaign for the mining of cryptocurrency called Monero that targets web-servers, networks and removable drives.

For inconspicuous infection of devices, operators of the campaign that was called BlackSquid, use eight exploits for various vulnerabilities, including the leaked EternalBlue tool from the arsenal of the US National Security Agency, as well as a number of exploits for bugs in Rejetto HFS software (CVE-2014-6287), Apache Tomcat (CVE-2017-12615), Windows Shell (CVE-2017-8464) and several versions of the ThinkPHP framework.

“Our telemetry observed the greatest number of attack attempts using BlackSquid in Thailand and the U.S. during the last week of May”, — reported Trend Micro.

After infection of a server, the BlackSquid checks its location (in the virtual machine, sandbox, etc.) and if analysis tools are used. If the malware is in a dangerous environment for it, operators stop the malicious activity.

Infection occurs through vulnerabilities in web applications that use servers. Using the GetTickCount API, the malware searches for IP addresses of available servers and compromises them using exploits and brute force. Next, the malware determines which video card is installed: if is it Nvidia or AMD, XMRig modules for cryptocurrency mining are loaded into the system.

Randomly generating and checking for live IP addresses to target

BlackSquid can be used not only for mining cryptocurrency, but also for elevating rights on the system, stealing confidential data, disrupting the operation of hardware and software, as well as for carrying out attacks on organizations.

Judging by some of the nuances, BlackSquid is still under development. Experts believe that its authors are experimenting with various types of attacks, trying to determine the least expensive ones. At this stage, attackers are loading Monero miners on compromised servers, but in the future they may switch to other threats.

BlackSquid distributed using the EternalBlue tool and DoublePulsar backdoor. Despite the fact that the patch for these vulnerabilities is available since March 2017, thousands of systems remain vulnerable.

Conclusion from Trend Micro

Given its evasion techniques and the attacks it is capable of, BlackSquid is a sophisticated piece of malware that may cause significant damage to the systems it infects. If successful, this malware may enable an attacker to escalate unauthorized access and privileges, steal proprietary information, render hardware and software useless, or launch attacks on an organization (or even from an organization into another).

We recommend continued updating of systems with the released patches from legitimate vendors. Users of legacy software should also update with virtual patches from credible sources. Enterprises are advised to enable a multilayered protection system that can actively block threats and malicious URLs from the gateway to the endpoint.

Source: https://blog.trendmicro.com

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove Pbmsoultions pop-up ads (Virus Removal Guide)

Pbmsoultions.com is a domain that tries to trick you into clik to its browser notifications…

10 hours ago

Remove Prizestash pop-up ads (Virus Removal Guide)

Prizestash.com is a site that tries to trick you into subscribing to its browser notifications…

10 hours ago

Remove Verifiedbreaking pop-up ads (Virus Removal Guide)

Verifiedbreaking.com is a domain that tries to force you into subscribing to its browser notifications…

10 hours ago

Remove Themoneyminutes pop-up ads (Virus Removal Guide)

Themoneyminutes.com is a domain that tries to force you into subscribing to its browser notifications…

10 hours ago

Remove News-xcidizi pop-up ads (Virus Removal Guide)

News-xcidizi.com is a domain that tries to trick you into clik to its browser notifications…

14 hours ago

Remove Everytraffic-flow pop-up ads (Virus Removal Guide)

Everytraffic-flow.com is a domain that tries to trick you into subscribing to its browser notifications…

14 hours ago