Security researchers have discovered an ongoing cryptojacking campaign which infects unpatched computers of businesses from all over the world with XMRig Monero miners using Equation group’s leaked exploit toolkit.
The cybercriminals behind this cryptomining campaign use the NSA-developed EternalBlue and EternalChampion SMB exploits to compromise vulnerable Windows computers, exploits which were leaked by the Shadow Brokers hacker group in April 2017.
While Microsoft patched the security flaws these tools abuse to break into Windows machines [1, 2, 3], many computers remain exposed because they have not been patched or upgraded to OS versions that are not affected by these very dangerous vulnerabilities.
The campaign’s targets
“The campaign seems to be widespread, with targets located in all regions of the world. Countries with large populations such as China and India also had the most number of organizations being targeted,” say Trend Micro’s researchers, the ones who unearthed this ongoing cryptojacking campaign targeting companies from all over the world.
In addition, “businesses across a wide range of industries, including education, communication and media, banking, manufacturing, and technology” are being targeted in these attacks, with the bad actors focusing on victims who use “obsolete or unpatched software.”
The hackers are using a “shotgun” method of attack, compromising any vulnerable machine they can find rather than cherry-picking victims the way experienced malicious actors do in the targeted attacks that usually hit companies.
This shows that “entry-level cybercriminals are gaining easy access to what we can consider ‘military-grade’ tools — and are using them for seemingly ordinary cybercrime activity.”
Attacking vulnerable hosts and dropping the miners
An auto-spreading EternalBlue-based backdoor and a variant of the Vools Trojan are used as the main tools to deploy roughly 80 variants of the XMRig cryptocurrency miner on infected computers, using five different mining configurations with similar usernames and identical passwords.
The cryptominer binary is always dropped in the infected system’s system32 or SysWOW64 folder; which of the two folders receives the XMRig payload depends on the miner variant.
According to Trend Micro’s research team, all machines compromised by this campaign sit inside various companies’ internal network segments.
The servers used to drop the campaign’s malicious payloads are still unknown because the hackers constantly modify the infrastructure used in the attacks, either to evade detection or because they lose control over parts of it.
Common to all infected computers in this campaign is a Diagnostics.txt document in the main Windows folder which is, in fact, a ZIP archive containing the NSA-leaked exploits and several other malicious tools used in the attacks.
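A defender can hunt for the indicator described above by checking whether a Diagnostics.txt in the Windows folder is really a ZIP archive. The following is an added example, not code from the article or from Trend Micro; the fixture directory and the archive member names it builds are constructed placeholders.

```python
import tempfile
import zipfile
from pathlib import Path

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature that opens every ZIP archive


def is_disguised_zip(path):
    """True when a file that is not named .zip nevertheless starts with ZIP magic."""
    p = Path(path)
    if not p.is_file() or p.suffix.lower() == ".zip":
        return False
    with p.open("rb") as fh:
        return fh.read(4) == ZIP_MAGIC


def hunt_diagnostics_txt(windows_dir):
    """Check a Windows folder for the campaign's Diagnostics.txt indicator.

    Returns None if the file is absent, an empty list if it is a genuine text
    file, and the sorted archive member names if it is a ZIP in disguise.
    """
    candidate = Path(windows_dir) / "Diagnostics.txt"
    if not candidate.is_file():
        return None
    if not is_disguised_zip(candidate):
        return []
    with zipfile.ZipFile(candidate) as zf:
        return sorted(zf.namelist())


def build_sample_windows_dir(archive=True):
    """Constructed fixture: a fake Windows folder with a Diagnostics.txt that is
    either a ZIP holding placeholder entries (archive=True) or plain text."""
    root = Path(tempfile.mkdtemp())
    target = root / "Diagnostics.txt"
    if archive:
        with zipfile.ZipFile(target, "w") as zf:
            zf.writestr("tools/placeholder_a.bin", b"constructed placeholder")
            zf.writestr("tools/placeholder_b.bin", b"constructed placeholder")
    else:
        target.write_text("genuine diagnostics text, not an archive")
    (root / "notes.txt").write_text("plain text, not an archive")
    return root


if __name__ == "__main__":
    print(hunt_diagnostics_txt(build_sample_windows_dir()))
```

On a real host, point hunt_diagnostics_txt at C:\Windows; a non-empty list is worth an incident ticket, while a genuine text file returns [].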
In April, another malicious campaign was observed attacking Asian targets using the EternalBlue exploit and Living off the Land (LotL) obfuscated PowerShell-based scripts to drop both Trojans and Monero coinminers on the targets’ machines.
Even though cryptojacking has seen a downward trend throughout 2018, it is still popular among threat actors as shown by the PsMiner cryptojacking malware with a worm-like behavior detected by Qihoo 360’s research team in March.
A collection of eight apps that dropped malicious Monero cryptomining scripts on the PCs of Microsoft Store users, as well as hundreds of exposed and vulnerable Docker hosts actively abused in cryptojacking campaigns, also confirm this.
During February, another threat actor targeted servers running multiple Linux distributions using an XMR-Stak Cryptonight cryptocurrency miner, while a newly discovered Backdoor Trojan dubbed SpeakUp dropped XMRig miners on macOS and Linux machines.