
New NRSMiner cryptominer variant uses the NSA-linked EternalBlue exploit


A new variant of the NRSMiner cryptominer is infecting users in Asia; most of the victims are in Vietnam (54%), Iran (16%) and Malaysia (12%).

The new version leverages the EternalBlue exploit to spread; the researchers also observed that it updates existing NRSMiner installs.

ETERNALBLUE is an NSA exploit that made the headlines, together with the DOUBLEPULSAR backdoor, in the WannaCry attack.

ETERNALBLUE targets the SMBv1 protocol (the flaw was patched by Microsoft in MS17-010 in March 2017), and the exploit has since been widely adopted by malware developers.

“Starting in mid-November 2018, our telemetry reports indicate that the newest version of the NRSMiner cryptominer, which uses the Eternal Blue exploit to propagate to vulnerable systems within a local network, is actively spreading in Asia. Most of the infected systems seen are in Vietnam.” reads the analysis published by F-Secure.

The new version of NRSMiner updates existing infections by downloading new modules and removing the files and services installed by previous versions.

Machines infected with an older version of NRSMiner that runs the wmassrv service connect to tecate[.]traduires[.]com to download an updater module. The module is stored in the %systemroot%\temp folder as tmp[xx].exe, where [xx] is the return value of the GetTickCount() API.

If the updater module finds the new version already installed, it deletes itself; otherwise it downloads the malware from one of the hardcoded URLs.

“To remove the prior version of itself, the newest version refers to a list of services, tasks and files to be deleted that can be found as strings in the snmpstorsrv.dll file; to remove all older versions, it refers to a list that is found in the MarsTraceDiagnostics.xml file.” continues the analysis.

The malicious code first installs a service named snmpstorsrv, with snmpstorsrv.dll registered as its ServiceDll, and then deletes itself.

The service creates multiple threads to carry out several malicious activities, such as data exfiltration and mining.

The updated miner is injected into svchost.exe to start mining; if the injection fails, the service writes the miner to %systemroot%\system32\TrustedHostex.exe and launches it.

The latest NRSMiner version uses wininit.exe to handle both exploitation and propagation. wininit.exe decompresses the zipped data in %systemroot%\AppDiagnostics\blue.xml and unzips the files into the AppDiagnostics folder. One of the unzipped files, named svchost.exe, is the Eternalblue-2.2.0 exploit executable.
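The host artifacts described above (the wmassrv and snmpstorsrv services, the snmpstorsrv.dll ServiceDll, tmp[xx].exe in %systemroot%\temp, TrustedHostex.exe, blue.xml and the dropped svchost.exe in AppDiagnostics, MarsTraceDiagnostics.xml, and the tecate[.]traduires[.]com download host) are enough to write a first-pass triage check. The following is an added example, not F-Secure's or the malware's code: it walks a constructed host snapshot (installed services, a file listing, DNS queries) and reports each indicator it finds. The snapshot format and the `C:\Windows` system root are assumptions; real input would come from the registry or `sc query`, a file listing and DNS logs. The updater file pattern accepts decimal or hex digits because the article does not say how the GetTickCount() value is formatted.

```python
"""Host-level triage for the NRSMiner artifacts named in the article.

Added example (not F-Secure's or the malware's code). Input is a constructed
HostSnapshot; the format is an assumption for this example.
"""
import re
from dataclasses import dataclass, field

# Indicators from the article text. The C2 host is kept defanged as written
# and refanged here so it compares equal to what a DNS log records.
C2_HOST = "tecate[.]traduires[.]com".replace("[.]", ".")
MALICIOUS_SERVICES = {
    "snmpstorsrv": "current NRSMiner service",
    "wmassrv": "older NRSMiner service (triggers updater download)",
}
MALICIOUS_FILENAMES = {
    "snmpstorsrv.dll": "NRSMiner ServiceDll",
    "trustedhostex.exe": "fallback miner binary written when svchost injection fails",
    "blue.xml": "compressed EternalBlue package in %systemroot%\\AppDiagnostics",
    "marstracediagnostics.xml": "cleanup list used to remove older versions",
}
# The real svchost.exe lives in these directories; a copy anywhere else (the
# article names AppDiagnostics) is the dropped EternalBlue executable.
LEGIT_SVCHOST_DIRS = ("%systemroot%\\system32\\", "%systemroot%\\syswow64\\")
# tmp[xx].exe in %systemroot%\temp, [xx] = GetTickCount(); decimal or hex
# formatting is not stated in the article, so both are accepted (assumption).
UPDATER_RE = re.compile(r"^%systemroot%\\temp\\tmp[0-9a-f]+\.exe$")


@dataclass
class HostSnapshot:
    services: dict = field(default_factory=dict)   # service name -> ServiceDll or image path
    files: list = field(default_factory=list)      # file paths as found on disk
    dns_queries: list = field(default_factory=list)


def normalize(path: str, systemroot: str = "C:\\Windows") -> str:
    """Lower-case a path and fold the real system root back to %systemroot%
    so one rule matches both the article's notation and on-disk paths.
    The default system root is an assumption."""
    p = path.lower()
    root = systemroot.lower().rstrip("\\")
    if p.startswith(root + "\\"):
        p = "%systemroot%" + p[len(root):]
    return p


def triage(snap: HostSnapshot) -> list:
    """Return (indicator, detail) pairs for every NRSMiner artifact found."""
    findings = []
    for name, image in snap.services.items():
        lname = name.lower()
        if lname in MALICIOUS_SERVICES:
            findings.append((f"service:{lname}", MALICIOUS_SERVICES[lname]))
        if normalize(image).rsplit("\\", 1)[-1] == "snmpstorsrv.dll":
            findings.append((f"servicedll:{lname}", "ServiceDll is snmpstorsrv.dll"))
    for path in snap.files:
        lpath = normalize(path)
        base = lpath.rsplit("\\", 1)[-1]
        if base in MALICIOUS_FILENAMES:
            findings.append((f"file:{base}", MALICIOUS_FILENAMES[base]))
        elif base == "svchost.exe" and not lpath.startswith(LEGIT_SVCHOST_DIRS):
            findings.append((f"file:{base}", f"svchost.exe outside system dirs: {path}"))
        elif UPDATER_RE.match(lpath):
            findings.append((f"file:{base}", "NRSMiner updater module (tmp[xx].exe)"))
    for query in snap.dns_queries:
        if query.lower().rstrip(".") == C2_HOST:
            findings.append((f"dns:{C2_HOST}", "updater download host"))
    return findings


# Constructed snapshots for demonstration; not real telemetry.
INFECTED = HostSnapshot(
    services={"snmpstorsrv": r"C:\Windows\system32\snmpstorsrv.dll",
              "Spooler": r"C:\Windows\System32\spoolsv.exe"},
    files=[r"C:\Windows\system32\TrustedHostex.exe",
           r"C:\Windows\AppDiagnostics\blue.xml",
           r"C:\Windows\AppDiagnostics\svchost.exe",
           r"C:\Windows\temp\tmp1284903.exe",
           r"C:\Windows\System32\svchost.exe"],
    dns_queries=["tecate.traduires.com", "www.example.com"],
)
CLEAN = HostSnapshot(
    services={"Spooler": r"C:\Windows\System32\spoolsv.exe"},
    files=[r"C:\Windows\System32\svchost.exe"],
    dns_queries=["www.example.com"],
)

if __name__ == "__main__":
    for indicator, detail in triage(INFECTED):
        print(f"{indicator:45} {detail}")
    print("clean host findings:", triage(CLEAN))
```

The legitimate svchost.exe in System32 is deliberately present in the constructed snapshot so the rule only flags the copy in AppDiagnostics; the same path normalization lets the rules match both the article's `%systemroot%` notation and expanded on-disk paths.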

wininit.exe scans the local network for other accessible devices on TCP port 445 and runs the EternalBlue exploit against any vulnerable system. If the exploit succeeds, it installs the DoublePulsar backdoor.
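The propagation step above has a distinctive network signature: one internal host opening TCP/445 connections to many distinct internal hosts in a short window. The following is an added example, not F-Secure's or the malware's code, of a detection that runs over flow records and reports such sweepers. The log line format (`timestamp src dst dport proto`), the internal address ranges, the 60-second window and the threshold of 8 distinct targets are assumptions to be tuned per network; the sample records are constructed.

```python
"""Flag internal hosts sweeping TCP/445 across the local network, the
propagation pattern the article attributes to wininit.exe.

Added example, not F-Secure's code. Flow-record format, window, threshold
and internal ranges are assumptions; adapt them to NetFlow/Zeek conn logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

SMB_PORT = 445
WINDOW = timedelta(seconds=60)     # sliding window length (assumption)
THRESHOLD = 8                      # distinct internal 445 targets per window (assumption)
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918 (assumption)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_line(line: str):
    """Parse 'ISO-timestamp src dst dport proto' (constructed format)."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto


def find_smb_sweepers(lines, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Return {src: peak distinct internal 445 targets in any window} for
    every source whose peak reached the threshold."""
    per_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, proto = parse_line(line)
        if proto == "TCP" and dport == SMB_PORT and is_internal(src) and is_internal(dst):
            per_src[src].append((ts, dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        in_window = deque()                # (ts, dst) pairs inside the window
        hits = defaultdict(int)            # dst -> occurrences inside the window
        peak = 0
        for ts, dst in events:
            in_window.append((ts, dst))
            hits[dst] += 1
            # Evict records older than the window before measuring fan-out.
            while in_window and ts - in_window[0][0] > window:
                old_ts, old_dst = in_window.popleft()
                hits[old_dst] -= 1
                if hits[old_dst] == 0:
                    del hits[old_dst]
            peak = max(peak, len(hits))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


# Constructed flow records: a normal file-server client (10.0.0.7), a host
# that touched two shares (10.0.0.8), an outbound HTTPS flow that must be
# ignored, and a sweep of 12 neighbours on 445 within 12 seconds (10.0.0.5).
SAMPLE_LOG = [
    "2018-11-20T10:00:00 10.0.0.7 10.0.0.2 445 TCP",
    "2018-11-20T10:00:05 10.0.0.7 10.0.0.2 445 TCP",
    "2018-11-20T10:00:09 10.0.0.8 10.0.0.3 445 TCP",
    "2018-11-20T10:00:30 10.0.0.8 10.0.0.4 445 TCP",
    "2018-11-20T10:00:31 10.0.0.5 203.0.113.9 443 TCP",
] + [f"2018-11-20T10:01:{i:02d} 10.0.0.5 10.0.0.{10 + i} 445 TCP" for i in range(12)]

if __name__ == "__main__":
    for src, peak in find_smb_sweepers(SAMPLE_LOG).items():
        print(f"possible SMB sweep from {src}: {peak} distinct targets within {WINDOW}")
```

Because the rule keys on distinct destinations rather than connection count, a client hammering one file server does not trip it, while a host walking the subnet does; lowering the threshold trades that false-positive margin for earlier detection.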

The malicious code uses the XMRig Monero CPU miner.

Further information, including IoCs, is reported in the analysis published by F-Secure.

Pierluigi Paganini

(SecurityAffairs – NRSMiner , crypto miner)
