Asian targets are falling prey to a cryptojacking campaign that takes advantage of 'Living off the Land' (LotL) obfuscated PowerShell-based scripts and uses the EternalBlue exploit to land a Monero coinminer and Trojans on targeted machines.
At the beginning of this year, a similar malware campaign was identified by the research team of Qihoo 360; reportedly, the campaign targeted China at the time. Open source tools such as PowerDump and Invoke-SMBClient were employed to dump password hashes and carry out pass-the-hash attacks.
The campaign relies on an exploit of the SMBv1 protocol that was released into the public domain by the Shadow Brokers a couple of years ago. It has since become one of the standard tools used by the majority of malware developers.
According to Trend Micro’s initial findings, the cryptojacking campaign at first targeted only Japanese computers, but the targets eventually multiplied and now encompass Taiwan, India, Hong Kong, and Australia.
Trend Micro’s research also stated that the EternalBlue exploit, developed by the NSA, is a new addition to the malware, and drew a correlation between the exploit and the 2017 ransomware attacks.
How does the malware compromise computers?
With the aid of "pass the hash" attacks, it inserts various infectious components into the targeted computer, trying multiple weak credentials in an attempt to log in to other devices connected to the same network.
Upon a successful login, it changes the firewall and port forwarding settings of the compromised machine and configures a scheduled task that updates the malware on its own.
Once the malware has compromised the targeted computer, it downloads a PowerShell dropper script from the C&C server, obtains the MAC address of the device and terminates all the antimalware software present on the system. Immediately after that, it drops a Trojan strain configured to gather information about the machine such as its name, OS version, graphics details, GUID and MAC address.
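The behaviour chain described above (encoded PowerShell, firewall and port forwarding changes, a self-updating scheduled task, and antimalware being stopped) can be turned into a simple host-level detection. The following Python script is an added example, not code from Trend Micro or the article; it runs over a few constructed process-creation command lines (the hostnames, command lines and the encoded payload are assumed sample values) and flags any host on which several of these indicators occur together rather than alerting on any single command, since netsh and schtasks are also used legitimately by administrators.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records (hostname | command line), not real telemetry.
# The -enc payload is the UTF-16LE string "Placeholder", not a real script.
SAMPLE_LOGS = r"""
HOST-A | powershell.exe -nop -w hidden -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA==
HOST-A | netsh.exe advfirewall set allprofiles state off
HOST-A | netsh.exe interface portproxy add v4tov4 listenport=65531 connectaddress=203.0.113.10 connectport=53
HOST-A | schtasks.exe /create /sc minute /mo 60 /tn "Update" /tr "powershell -enc ..."
HOST-A | net.exe stop WinDefend
HOST-B | powershell.exe -File C:\scripts\backup.ps1
HOST-B | schtasks.exe /query /tn "Backup"
""".strip()

# Each indicator maps one step of the described chain to a command-line pattern.
INDICATORS = {
    "encoded_powershell": re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I),
    "firewall_change": re.compile(r"netsh(\.exe)?\s+(advfirewall|firewall)\s+", re.I),
    "port_forwarding": re.compile(r"netsh(\.exe)?\s+interface\s+portproxy\s+add\b", re.I),
    "scheduled_task_create": re.compile(r"schtasks(\.exe)?\s+/create\b", re.I),
    "antimalware_stopped": re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+windefend\b", re.I),
}


def indicators_per_host(logs: str) -> dict:
    """Return {hostname: set of indicator names} for every host with at least one match."""
    hits = defaultdict(set)
    for record in logs.splitlines():
        host, cmdline = (part.strip() for part in record.split("|", 1))
        for name, pattern in INDICATORS.items():
            if pattern.search(cmdline):
                hits[host].add(name)
    return dict(hits)


def suspicious_hosts(logs: str, min_indicators: int = 3) -> list:
    """Hosts on which at least min_indicators distinct steps of the chain were seen.
    Any single indicator can be benign, so the alert is raised on the combination."""
    return sorted(host for host, found in indicators_per_host(logs).items()
                  if len(found) >= min_indicators)


if __name__ == "__main__":
    for host, found in indicators_per_host(SAMPLE_LOGS).items():
        print(host, sorted(found))
    print("suspicious:", suspicious_hosts(SAMPLE_LOGS))  # suspicious: ['HOST-A']
```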
“We found the malware sample to be sophisticated, designed specifically to infect as many machines as possible and to operate without immediate detection. It leverages weak passwords in computer systems and databases and targets legacy software that companies may still be using,” said Trend Micro.
Trend Micro advises users and enterprises to “use complicated passwords, and authorize layered authentication whenever possible. Enterprises are also advised to enable multi-layered protection of the system that can actively block these threats and malicious URLs from the gateway to the endpoint.”