PyRoMine Utilizes EternalBlue Exploit, Disables Security Features

Cryptomining malware has dethroned ransomware as the number one cyber threat and, as such, is evolving rapidly. Case in point: security researchers have discovered a Python-based Monero miner that uses stolen NSA exploits and disables security features.

“In 2016, a group calling themselves the Shadow Brokers leaked a number of hacking tools and zero-day exploits attributed to the threat actors known as the Equation Group, a group which has been tied to the National Security Agency’s (NSA) Tailored Access Operations unit,” Fortinet researchers said. Later, in April 2017, the hackers released several weaponized exploits such as ETERNALBLUE and ETERNALROMANCE.

The two exploits were aimed at Windows versions XP/Vista/8.1/7/10 and Windows Server 2003/2008/2012/2016. More specifically, these exploits took advantage of CVE-2017-0144 and CVE-2017-0145, patched with the MS17-010 security bulletin.

Researchers found that the ETERNALBLUE exploit is now being used in cryptomining malware such as Adylkuzz, Smominru and WannaMine. The new piece of cryptomining malware was dubbed PyRoMine. Researchers came across the malware after landing on a suspicious URL that led to a zip file containing an executable packaged with PyInstaller.

This is what Jasper Manuel from Fortinet shared in terms of discovering the new malware:

I originally came upon the malicious URL hxxp:// where this malware can be downloaded as a zip file. This file contains an executable file compiled with PyInstaller, which is a program that packages programs written in Python into stand-alone executables. This means that there is no need to install Python on the machine in order to execute the Python program.

In order to extract and analyze the Python script and the packages it uses, the researcher utilized a tool in PyInstaller dubbed pyi-archive_viewer. Using pyi-archive_viewer, he was
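The archive that pyi-archive_viewer unpacks has a fixed layout (entry data, then a table of contents, then an 88-byte cookie that starts with the magic bytes MEI\014\013\012\013\016). As an added example, not Fortinet's or PyInstaller's own code, the script below locates that cookie in a binary, walks the TOC and returns the embedded entries so an analyst can read the packaged script first; the archive it parses is a constructed in-memory fixture with a fake bootloader stub, and the entry names and contents are placeholders.

```python
"""Minimal PyInstaller CArchive walker for triage: [stub][entry data][TOC][cookie]; offsets are archive-relative."""
import struct
import zlib

MAGIC = b"MEI\014\013\012\013\016"   # PyInstaller cookie magic, the same marker pyi-archive_viewer looks for
COOKIE_FMT = "!8sIIIi64s"             # magic, archive_len, toc_off, toc_len, pyvers, pylib name
ENTRY_FMT = "!IIIIBc"                 # entry_len, data_off, data_len, raw_len, compressed, typecode
TYPES = {b"s": "script", b"z": "pyz-archive", b"m": "module", b"M": "package",
         b"b": "binary", b"x": "data", b"o": "option"}

def parse_carchive(blob):
    """Return [(name, type, decompressed_bytes)] for every TOC entry, or [] if no cookie is present."""
    pos = blob.rfind(MAGIC)
    if pos == -1:
        return []
    cookie_len = struct.calcsize(COOKIE_FMT)
    _, archive_len, toc_off, toc_len, _, _ = struct.unpack(COOKIE_FMT, blob[pos:pos + cookie_len])
    start = pos + cookie_len - archive_len            # archive_len counts the cookie itself
    toc, entries, i = blob[start + toc_off:start + toc_off + toc_len], [], 0
    while i < len(toc):
        elen, doff, dlen, _, comp, typ = struct.unpack(ENTRY_FMT, toc[i:i + 18])
        name = toc[i + 18:i + elen].rstrip(b"\0").decode()
        data = blob[start + doff:start + doff + dlen]
        entries.append((name, TYPES.get(typ, typ.decode()), zlib.decompress(data) if comp else data))
        i += elen
    return entries

def build_carchive(entries, pyvers=37):
    """Constructed fixture builder: lays entries out the way a PyInstaller one-file executable does."""
    data = toc = b""
    for name, typ, raw, compress in entries:
        payload = zlib.compress(raw) if compress else raw
        nm = name.encode() + b"\0"
        nm += b"\0" * (-(18 + len(nm)) % 16)      # PyInstaller pads each TOC entry to a 16-byte boundary
        toc += struct.pack(ENTRY_FMT, 18 + len(nm), len(data), len(payload), len(raw), int(compress), typ) + nm
        data += payload
    cookie_len = struct.calcsize(COOKIE_FMT)
    cookie = struct.pack(COOKIE_FMT, MAGIC, len(data) + len(toc) + cookie_len, len(data), len(toc), pyvers, b"python37.dll")
    return data + toc + cookie

# Constructed sample: a fake 64-byte "bootloader" stub plus an archive holding one script and one data file.
FIXTURE = b"MZ" + b"\x90" * 62 + build_carchive([
    ("pyromine_sample", b"s", b"print('benign stand-in for the miner script')\n", True),
    ("config.json", b"x", b'{"pool": "placeholder"}', False),
])

def triage(blob):
    """One row per entry (name, type, size); the 's' entries are the scripts an analyst reads first."""
    return [(n, t, len(d)) for n, t, d in parse_carchive(blob)]
```

Running `triage()` over a real sample gives the same listing pyi-archive_viewer shows interactively, which is enough to decide whether the packaged script deserves a closer look.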

