Researchers Identify New Crypto Mining Malware

Researchers from security firm Trend Micro have sent out a warning regarding a new malware family that bad actors are using to mine cryptocurrency without their victims’ knowledge.

The malware, called BlackSquid, uses multiple web server exploits and brute-force attacks to target web servers, network drives, and removable drives.

Right now, BlackSquid carries a payload of two XMRig cryptocurrency mining components: one is included as a resource, while the other is downloaded onto an infected server.

The resource miner acts as the malware’s primary miner. Once a video card is detected, the second component starts using the GPU to mine for Monero.

Malware still in development

Trend Micro notes that some erroneous code and purposely skipped routines point to BlackSquid being in the development and testing stage. The security firm also believes that its Monero-mining payload may change in the future.

Even if the malware is in a somewhat incomplete state, it’s still plenty dangerous. For one, it doesn’t target just one exploit like other forms of malware. It targets eight.

“It employs anti-virtualization, anti-debugging, and anti-sandboxing methods to determine whether to continue with installation or not. It also has wormlike behavior for lateral propagation,” reads the report.

And it uses some of the most notorious exploits today: EternalBlue; DoublePulsar; the exploits for CVE-2014-6287, CVE-2017-12615, and CVE-2017-8464; and three ThinkPHP exploits for multiple versions.

A silver lining

Most attacks reportedly took place in the United States and Thailand during the last week of May. The report also mentions that successful BlackSquid attacks could lead to the theft of proprietary information and even higher-level attacks.

Fortunately, the Trend Micro report notes that all of the exploits being used by BlackSquid have patches that have been available for years, so it’s unlikely that users and organizations who regularly follow proper updating and patching procedures will be infected.

Still, Trend Micro recommends continued updating using patches released by legitimate vendors and credible sources. The firm also advised enterprises to enable multilayered protection systems to protect against threats and malicious URLs from the gateway to the endpoint.