- Trend Micro has found malware that exploits known vulnerabilities in web pages and other sources.
- At-risk individuals can protect themselves by updating their device's software with the most current patches from verified sources.
The cryptocurrency investors of the world are probably pretty happy to see the Coinhive crypto mining script offline, but that doesn't mean that cryptojacking is over. In fact, recent research by Trend Micro indicates that there's a new malware family going after users' hardware in an effort to mine cryptocurrency.
According to reports from The Next Web's Hard Fork, Trend Micro states that the malware is deployed on many web servers and also uses brute-force attacks. Once it reaches a user's hardware, it downloads the Monero cryptocurrency miner XMRig. The most active malware in May was BlackSquid, with the majority of its attacks observed in Thailand and the United States. "BlackSquid" is the name that Trend Micro has given the malware family.
Right now, as far as Trend Micro can tell, BlackSquid uses eight exploits: EternalBlue, DoublePulsar, three security flaws in servers (CVE-2014-6287, CVE-2017-12615, CVE-2017-8464), and three vulnerabilities in web applications built on ThinkPHP. However, Hard Fork warns that these exploits are hardly the most worrisome details of the malware.
The BlackSquid family of malware still has a lot of hidden tactics, such as anti-virtualization, anti-debugging, and anti-sandboxing checks. All of these checks run before installation starts, which means the malware will only download to the user's hardware once it has determined that it will go undetected. Once one computer on the network is infected, the malware goes after connected systems to spread the attack further.
The attacks themselves arrive through webpages that are already infected, web servers that the malware has compromised, or infected removable media. If the malware goes undetected, it installs its own variant of XMRig and also looks for a video card to help with mining. Essentially, the attack goes after absolutely everything it can to improve the attacker's likelihood of getting a return.
Even though an infected system risks major damage, the malware relies on exploits and vulnerabilities that are already known. Protecting against the attack is relatively simple, since the vulnerabilities have already been patched. Make sure that every network-connected system runs the most updated version of its software, and that all current patches from verified sources have already been installed.
Researchers believe the malware is still in the testing stage, with multiple features that may still need to be trialed. That being said, this may not be the last time that BlackSquid surfaces in the industry as a worrisome piece of malware.