PyRoMine Uses NSA Exploit for Monero Mining and Backdoors

The ShadowBrokers’ release of a trove of National Security Agency exploits last year appears to be the gift that keeps on giving, to the hacker community at least: A fresh malware that uses the EternalRomance tool has hit the scene, with Monero-mining as the stated goal. However, more damaging follow-on attacks are likely the endgame.

The bad code is a Python-based cryptocurrency mining malware, according to Fortinet’s FortiGuard Labs, which first discovered it this month. Because the malware uses the EternalRomance exploit, the researchers have given it the snappy name of “PyRoMine.”

The malware can be downloaded as an executable file compiled with PyInstaller, which is a program that packages code written in Python into stand-alone executables. This means that, conveniently, there is no need to install Python on the machine in order to execute the Python-based PyRoMine. Once installed, it sets about silently stealing CPU resources from unwitting victims to aim its proverbial drill bit at uncovering Monero profits.

“We don’t know for sure how it arrives on a system, but considering that this is the type of malware that needs to be mass distributed, it is safe to assume that it arrives via spam email or drive-by-download,” FortiGuard security researcher Jasper Manuel said in an email interview.

Worryingly, PyRoMine also sets up a hidden default account on the victimized machine with system administrator privileges, using the password “P@ssw0rdf0rme.” It’s likely that this would be used for re-infection and further attacks, according to Manuel.

“It is fairly likely that future attacks could happen,” he told Threatpost. “Although this malware is not a botnet because it doesn’t phone home to report an infection and doesn’t wait for commands, it still sets up an account on the affected machine and enables Remote Desktop Protocol. The attackers could use the same channel to connect to the machine using the created account to do further attacks.”
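The account-plus-RDP persistence Manuel describes is something a Windows administrator can audit for directly. The following script is an added example, not code from the article, Fortinet or the malware: it looks for local administrators outside an expected baseline, accounts hidden from the logon screen via the Winlogon SpecialAccounts key (a common hiding method; the article does not say how PyRoMine hides its account), and Remote Desktop being enabled with inbound rules open on 3389. It assumes Windows 10 / Server 2016 or later (the LocalAccounts and NetSecurity modules) and an elevated session; the `-KnownAdmins` parameter and the script name are assumptions of this example.

```powershell
# Added example (not from the article): audit one host for the backdoor indicators
# described above. Run elevated, e.g. .\Find-RdpBackdoor.ps1 -KnownAdmins 'Administrator','itadmin'

param(
    # Constructed baseline: the local administrator accounts you expect on this host.
    [string[]]$KnownAdmins = @('Administrator')
)

$findings = @()

# 1. Local accounts in the Administrators group that are not on the baseline.
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $short = ($_.Name -split '\\')[-1]
    if ($_.PrincipalSource -eq 'Local' -and $KnownAdmins -notcontains $short) {
        $u = Get-LocalUser -Name $short -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Check  = 'UnexpectedLocalAdmin'
            Detail = "$short (enabled=$($u.Enabled), passwordLastSet=$($u.PasswordLastSet))"
        }
    }
}

# 2. Accounts hidden from the logon screen: a DWORD 0 named after the account under
#    Winlogon\SpecialAccounts\UserList. This is one common hiding technique, assumed here.
$hideKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $hideKey) {
    $props = (Get-ItemProperty -Path $hideKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }
    foreach ($p in $props) {
        if ($p.Value -eq 0) {
            $findings += [pscustomobject]@{ Check = 'HiddenLogonAccount'; Detail = $p.Name }
        }
    }
}

# 3. Remote Desktop enabled (fDenyTSConnections = 0); note whether NLA is required.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 0) {
    $nla = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication
    $findings += [pscustomobject]@{ Check = 'RdpEnabled'; Detail = "NLA required=$($nla -eq 1)" }
}

# 4. Enabled inbound firewall rules in the Remote Desktop group, and a live 3389 listener.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
if ($rdpRules) {
    $findings += [pscustomobject]@{ Check = 'RdpFirewallOpen'; Detail = ($rdpRules.DisplayName -join '; ') }
}
if (Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{ Check = 'Port3389Listening'; Detail = 'TCP 3389 listener present' }
}

if ($findings.Count -eq 0) {
    'No RDP/backdoor-account indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any `UnexpectedLocalAdmin` finding whose `passwordLastSet` coincides with an unexplained CPU spike, or a `HiddenLogonAccount` entry at all, deserves the same treatment as a confirmed compromise: the account is the re-entry channel, so disabling it and RDP before cleaning the miner keeps the attacker from simply coming back.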

Ripe for Spreading

Based on the earnings that PyRoMine has made to date (only about $650), it hasn’t exactly lived up to its name and caught fire on the propagation front. But that could rapidly change: For one, the choice of Monero indicates that the criminals are looking to cast a wide net, given that the currency offers an important “feature” that makes it more suitable to the mass market than the more venerable Bitcoin: It relies on a proof-of-work algorithm called CryptoNight, designed for ordinary computers and even mobile phones, rather than for high-end GPUs or the specialized hardware needed for efficient Bitcoin mining. Thus, the potential attack surface consists of consumers and businesses alike, globally.

Secondly, cybercriminals have discovered that enterprises and individuals have been pretty slow when it comes to patching the known vulnerabilities that the NSA tools leverage.

The ShadowBrokers leaked a whole treasure chest of hacking tools and zero-day exploits in 2017, attributed to the Equation Group, which is believed to be an arm of the NSA’s Tailored Access Operations unit. They target Windows XP/Vista/8.1/7/10 and Windows Server 2003/2008/2012/2016, taking advantage of a pair of vulnerabilities, CVE-2017-0144 and CVE-2017-0145. Microsoft patched these very quickly after the tools were made public.

“The patch for EternalRomance was released a year ago, but many still don’t think proactively about security,” Manuel told Threatpost. “The fact that cybercriminals use these exploits tells us that they still profit by using these exploits in their malware.”

And finally, EternalRomance is a remote code execution (RCE) exploit that abuses the legacy SMBv1 file-sharing protocol. SMBv1 is typically used only within the local area network of a business, but all too often it’s left exposed to the internet – one of the contributing factors as to why the EternalX attacks WannaCry and NotPetya were able to spread so widely.
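Whether a given host is still reachable by EternalRomance comes down to two things the article names: is SMBv1 still enabled on the server side, and is TCP 445 allowed in from anywhere rather than only the LAN. The script below is an added example, not from the article or any vendor, that checks both and can switch SMBv1 off. It assumes Windows 8.1 / Server 2012 R2 or later (the SmbShare, DISM and NetSecurity modules) and an elevated session; the `-Remediate` switch and the `-Ms17010Kb` parameter (fill it with the MS17-010 KB numbers for your OS build; none are listed in the article) are assumptions of this example.

```powershell
# Added example (not from the article): report SMBv1 state and TCP 445 exposure on this host,
# and optionally disable SMBv1 server-side. Run elevated.

param(
    [switch]$Remediate,
    # PLACEHOLDER: KB ids that carry MS17-010 for this OS build; supply your own list.
    [string[]]$Ms17010Kb = @()
)

# 1. Server-side SMBv1: the protocol EternalRomance speaks.
$smb = Get-SmbServerConfiguration
"SMB1 server protocol enabled : $($smb.EnableSMB1Protocol)"
"SMB2 server protocol enabled : $($smb.EnableSMB2Protocol)"

# Optional-feature state (client and server components) on Windows 10 / 11.
Get-WindowsOptionalFeature -Online -ErrorAction SilentlyContinue |
    Where-Object FeatureName -like 'SMB1Protocol*' |
    Select-Object FeatureName, State | Format-Table -AutoSize

# 2. Enabled inbound allow rules for TCP 445 and the remote addresses they accept.
#    A LAN-scoped RemoteAddress is expected; 'Any' is the internet exposure the article warns about.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($addr -join ',')
        }
    } | Format-Table -AutoSize

# 3. Patch presence, if the caller supplied the relevant KB ids.
if ($Ms17010Kb.Count -gt 0) {
    $installed = Get-HotFix | Where-Object { $Ms17010Kb -contains $_.HotFixID }
    if ($installed) {
        "MS17-010 coverage found: $($installed.HotFixID -join ', ')"
    } else {
        'None of the supplied MS17-010 KBs is installed.'
    }
}

# 4. Optional remediation: disabling SMBv1 on the server closes the EternalRomance path
#    regardless of patch state, since the exploit needs the v1 dialect to be negotiable.
if ($Remediate -and $smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    'SMB1 server protocol disabled; restart LanmanServer or reboot for full effect.'
}
```

The firewall section is the one worth reading carefully: a host that is patched but still answers 445 from any address is only one unpatched neighbour away from the lateral-movement pattern that let WannaCry and NotPetya spread.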

“In the past, we have seen that these exploits were used by state-sponsored threat actors,” Manuel told us. “Within days of the release, we started seeing these exploits being used by commodity malware like cryptominers and info-stealers to target general victims.”

PyRoMine isn’t the first miner to use the NSA tools: Researchers have discovered malware authors using the EternalBlue exploit in other cryptocurrency mining malware, such as Adylkuzz, Smominru and WannaMine – with great success.

Manuel added that because the patch rate is clearly low for the leveraged vulnerabilities, he expects commodity malware to continue to use the NSA exploits for some time to come. More concerning, PyRoMine’s backdoor strategy could become a hallmark going forward.

“I think this is going to be something that we see much more of in the future as the tools that are being deployed are multi-faceted,” said Chris Roberts, chief security architect at Acalvio, in an emailed comment. “In this case, it’s not only mining and disabling security services. It’s also adding itself into several account types, opening up RDP (3389) and basically laying the welcome mat out for future attacks. Several of the latest tool sets are coming armed with various payloads that simply have functionality to deploy attacks, harvest for data and also take advantage of lax security and processing time. And, this all comes in a nice, neat package using the simple issue that we (the human) haven’t patched or don’t pay attention to what we are downloading/clicking. Once again, we are the attack vector and the computer suffers.”