PyRo Mine Malware Uses NSA Tool to Collect Monero

Attackers are known to leverage any means available to go after cryptocurrencies, and Fortinet researchers reported this week that hackers are using a new crypto-mining malware they are calling PyRo Mine to quietly collect Monero.

The Python-based malware uses an NSA exploit to spread to Windows machines while also disabling security software and allowing the exfiltration of unencrypted data. By also configuring the Windows Remote Management Service, the machine becomes vulnerable to future attacks.

"Researchers have discovered malware authors using the ETERNALBLUE exploit in cryptocurrency mining malware, such as Adylkuzz, Smominru, and WannaMine. PyRo Mine uses the ETERNALROMANCE exploit," wrote Fortinet security researcher Jasper Manuel in his blog.

The malicious URL with a downloadable zip file compiled with PyInstaller is dangerous because it packages Python programs into stand-alone executable so that the attacker does not need to install Python on the machine to execute the program.

“Several of the latest tool sets are coming armed with various payloads that simply have functionality to deploy attacks, harvest for data and also take advantage of lax security and processing time. And, this all comes in a nice, neat package using the simple issue that we (the human) haven’t patched or don’t pay attention to when we are downloading/clicking,” said chief security architect at ACALVIO, Chris Roberts.

The combined attack techniques Manuel discovered in analyzing the scripts and packages let the malicious actor stay hidden while deploying additional attack vectors. Because they don’t make a lot of noise, they can go unnoticed for longer periods of time.

“Looking at the script, I realized that the code was copied from the ETERNALROMANCE implementation found on the exploit database website, with a few modifications to fit its need. This malware gets the local IP addresses to find the local subnet(s), then iterates through all the IPs of these subnets to execute the payload,” said Manuel.

After the attacker successfully accesses the system, they can start mining for Monero, most likely chosen “because it is designed to mine common CPUs present in every laptop and desktop where most crypto-mining relies on expensive GPUs,” said Chris Morales, head of security analytics at Vectra.

Though not widely spread as of yet, those who have not patched these known vulnerabilities remain potential targets as experts expect to see more of these types of attacks in the future.

What’s Hot on Infosecurity Magazine?