With the continuing popularity of cryptocurrencies, a Monero (XMR)-mining malware named PyRoMineIoT was recently discovered using the remote code execution (RCE) exploit EternalRomance (detection name: TROJ_ETERNALROM.A) to infect vulnerable machines and spread to others. Infected machines are also used to search for vulnerable Internet of Things (IoT) devices. The malware has been seen actively spreading across different countries since April, with the most infections in Singapore, Taiwan, Australia, Côte d'Ivoire, and India.
The malware is Python-based and uses the EternalRomance exploit, which abuses the SMBv1 vulnerability fixed by MS17-010, to target and spread to every Windows version since Windows 2000. It was likely downloaded from malicious websites as a .zip file masquerading as a security update for browsers. Although Microsoft patched the vulnerability in March 2017, unpatched hosts remain, and PyRoMineIoT uses obfuscation as an evasion tactic. It is packaged with PyInstaller as a stand-alone executable; when run, it enumerates the host's local IP addresses to derive the local subnets, then launches the exploit against hosts on those subnets. EternalRomance still needs an authenticated SMB session, but it yields SYSTEM privileges even from a Guest-level session. If the target does not accept an anonymous session, the malware logs in with the hardcoded credentials Default/P@ssw0rdf0rme or aa to execute the payload; if those credentials are rejected, it retries with a blank username and password. Either way the machine is left set up for reinfection and open to future attacks.
Once EternalRomance exploitation succeeds, an obfuscated VBScript is downloaded that installs the XMRig miner on the system. The script also adds its account to the local Administrators group, enables Remote Desktop Protocol (RDP), and adds a firewall rule allowing inbound connections on TCP port 3389. The dropped files use randomly generated names, and the script stops, kills, or disables competing processes, deletes services, and deletes other users and files. It stops the Windows Update service, removes older PyRoMine versions from the machine, starts the Remote Access Connection Manager service and configures it for authentication, and enables unencrypted data transfer. This primes the system for further commands that can attack or spread to other devices.
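As a practical check for the behaviour described in the two paragraphs above, here is an added PowerShell audit script; it is not from the report and is not the malware's own code. It looks for the exposure the exploit needs (SMBv1 enabled on the server side) and for the post-exploitation changes just listed: an extra local administrator, RDP enabled, an inbound allow rule for TCP 3389, Windows Update disabled and Remote Access Connection Manager running. Two things in it are assumptions rather than statements from the report: the local-administrator name it flags ("Default") is taken from the hardcoded credential pair, and the RDP-Tcp SecurityLayer and UserAuthentication registry values are checked as one plausible place the unencrypted-transfer change would land. Run it in an elevated PowerShell session on Windows 10 / Server 2016 or later, since Get-LocalGroupMember and the NetSecurity cmdlets are not available on older systems.

```powershell
# Added audit script: looks for the SMBv1 exposure EternalRomance needs and for the
# host changes the report attributes to PyRoMineIoT's VBScript. Not the malware's code.
# Run elevated. Assumptions (not from the report) are marked "ASSUMED" below.
$findings = @()

# 1. Exploit surface: EternalRomance rides on SMBv1. A null result means the SmbShare
#    module is absent (pre-Windows 8/2012), so check SMBv1 another way there.
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($smb -and $smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server is enabled; disable it and confirm MS17-010 is installed'
}

# 2. The script adds its account to the local Administrators group.
#    ASSUMED: the account name is "Default", taken from the hardcoded credential pair.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
foreach ($m in $admins) {
    if ($m.Name -match '\\Default$') { $findings += "Suspicious local administrator: $($m.Name)" }
}

# 3. RDP enabled (fDenyTSConnections = 0). ASSUMED: the "unencrypted data transfer"
#    change is visible as SecurityLayer / UserAuthentication on the RDP-Tcp listener.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) { $findings += 'Remote Desktop is enabled (fDenyTSConnections=0)' }
$rdp = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -ErrorAction SilentlyContinue
if ($rdp) {
    if ($rdp.SecurityLayer -eq 0)      { $findings += 'RDP-Tcp SecurityLayer=0 (legacy RDP security, no TLS)' }
    if ($rdp.UserAuthentication -eq 0) { $findings += 'RDP-Tcp UserAuthentication=0 (Network Level Authentication off)' }
}

# 4. Inbound allow rule for TCP 3389. The malware uses random names, so do not rely on
#    the rule name; report every matching rule and compare against the expected set.
$rules = @(Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue)
foreach ($rule in $rules) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -eq 'TCP' -and @($pf.LocalPort) -contains '3389') {
        $findings += "Inbound allow rule for TCP 3389: '$($rule.DisplayName)' (group: '$($rule.DisplayGroup)')"
    }
}

# 5. Services: Windows Update stopped/disabled, Remote Access Connection Manager started.
#    wuauserv is trigger-started and idles as Stopped on modern Windows, so only a
#    Disabled start type is treated as a finding.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($wu -and $wu.StartType -eq 'Disabled') { $findings += 'Windows Update service (wuauserv) is Disabled' }
$ras = Get-Service -Name RasMan -ErrorAction SilentlyContinue
if ($ras -and $ras.Status -eq 'Running') { $findings += 'Remote Access Connection Manager (RasMan) is running; confirm it is expected here' }

if ($findings.Count -eq 0) { 'No PyRoMineIoT-style indicators found' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Treat every line the script prints as a lead to confirm, not a verdict: a 3389 allow rule in the built-in "Remote Desktop" group on a jump host is expected, while a randomly named rule outside any group on a workstation is not, and an unexpected Administrators member should be cross-checked against the account creation events in the Security log.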