A new form of malware that attacks web servers with a cascade of exploits designed to install illicit cryptocurrency miners has emerged.
The main aim of this malware is to compromise web servers, network drives, and removable storage in order to install XMRig, a Monero cryptocurrency miner, on the targeted machines.
The cybersecurity firm Trend Micro published its findings about the new malware, which it has dubbed BlackSquid and describes as dangerous.
BlackSquid uses a range of the most dangerous exploits currently in the wild, including EternalBlue and DoublePulsar; exploits for a Rejetto HTTP File Server bug (CVE-2014-6287), an Apache Tomcat security flaw (CVE-2017-12615) and a Windows Shell issue in Microsoft Server (CVE-2017-8464); and three ThinkPHP exploits targeting different versions of that web application development framework.
BlackSquid is also capable of brute-force attacks, employs anti-virtualization, anti-debugging and anti-sandboxing techniques, and has worm-like propagation capabilities.
The malware starts the infection process through any one of three entry points: an infected webpage, exploits, or removable and network drives.
BlackSquid uses the GetTickCount API to randomly select the IP addresses of web servers to target, checks whether those addresses are live, and begins the attack if they are. It can also start an infection chain by prepending malicious iframes to target web pages.
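The three web-facing exploits named above all leave recognisable traces in an HTTP server's access log, which gives defenders a detection point independent of the malware binary itself. The following script is an added example, not code from the original article or from Trend Micro: it parses constructed Combined Log Format lines (sample values such as the 203.0.113.x addresses are made up) and flags requests shaped like the Rejetto HFS search-macro injection (CVE-2014-6287), an HTTP PUT of a JSP file against Tomcat (CVE-2017-12615), and the ThinkPHP `invokefunction` routing abuse. The rule names and the exact patterns are my own assumptions about what to look for and should be tuned against real traffic before being relied on.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format). None of this is real traffic;
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = r"""
203.0.113.5 - - [28/May/2019:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [28/May/2019:10:01:09 +0000] "GET /?search=%00{.macro.} HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [28/May/2019:10:02:15 +0000] "PUT /shell.jsp/ HTTP/1.1" 201 0 "-" "curl/7.64.0"
198.51.100.7 - - [28/May/2019:10:02:20 +0000] "GET /index.php?s=index/\think\app/invokefunction HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.9 - - [28/May/2019:10:03:00 +0000] "GET /docs/readme.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
""".strip().splitlines()

# Combined Log Format: client, identd, user, [timestamp], "METHOD path PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_hfs_macro_injection(method, path):
    """CVE-2014-6287: Rejetto HFS 'search' parameter carrying an encoded NUL byte
    immediately followed by the HFS macro opener '{.'."""
    decoded = unquote(path)
    return method == "GET" and "search=" in decoded.lower() and "\x00{." in decoded


def is_tomcat_jsp_put(method, path):
    """CVE-2017-12615: HTTP PUT of a .jsp resource, typically with a trailing '/',
    an encoded space or '::$DATA' to sidestep Tomcat's JSP servlet mapping."""
    return method == "PUT" and re.search(r"\.jsp(/|%20|::\$DATA)?$", path, re.I) is not None


def is_thinkphp_invoke(method, path):
    """ThinkPHP 5.x RCE family: a controller path routed through \\think\\app/invokefunction."""
    decoded = unquote(path).lower()
    return "invokefunction" in decoded or "\\think\\" in decoded


# (rule name, predicate) pairs; names are assumed labels, not an official taxonomy.
RULES = [
    ("hfs-cve-2014-6287", is_hfs_macro_injection),
    ("tomcat-cve-2017-12615", is_tomcat_jsp_put),
    ("thinkphp-rce", is_thinkphp_invoke),
]


def scan_log(lines):
    """Return a list of (line_number, client_ip, rule_name) for every line that trips a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner should count and report these
        for name, check in RULES:
            if check(m["method"], m["path"]):
                hits.append((n, m["ip"], name))
    return hits


if __name__ == "__main__":
    for line_no, ip, rule in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {ip} matched {rule}")
```

The predicates decode the request path before matching so that percent-encoded variants do not slip past, and each rule is kept deliberately narrow so that a match is worth a human's attention rather than a source of noise; a single client tripping more than one rule in quick succession is the pattern an automated exploit cascade like BlackSquid's would produce.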
The malware conducts numerous checks designed to avoid detection or analysis, such as the presence of usernames, drivers, or dynamic link libraries which suggest a sandbox or virtualization is in play.
The researchers state that the malware checks the debug registers for hardware breakpoints, specifically for a hard-coded flag: it skips the routine if that flag is 0 and proceeds with infection if the flag is 1.
After entering a web server, the malware uses a remote code execution flaw to obtain the same level of privileges as a local system user and further propagate itself while also executing the final payloads.
BlackSquid's payloads are two XMRig cryptocurrency mining components: one is embedded as a resource and the other is downloaded onto the infected server. The resource miner is the malware's primary component.
If a video card, such as those made by Nvidia or AMD, is found, the second component also comes into play to use the GPU to mine additional Monero.
The majority of BlackSquid attacks detected were from Thailand and the United States, and the malware was most active during the last week of May.
The researchers believe that BlackSquid may still be in development and testing, as most of the techniques used are freely available in underground forums. Given the malware's current development and capabilities, it is possible that payloads more dangerous than a cryptocurrency miner may be employed in the future.
The best defence against BlackSquid is proper patching. While the exploits in use are dangerous, fixes have been available for years and should be applied to web servers.
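Patching closes the vulnerabilities, but for the Tomcat flaw named above the exposure also depends on configuration: CVE-2017-12615 is only reachable when the DefaultServlet's `readonly` init-parameter has been set to `false`, which enables HTTP PUT and DELETE (Tomcat ships with `readonly=true`). The script below is an added example, not part of the article or of Tomcat, that audits a `web.xml` for that setting and produces a hardened copy; the `RISKY_WEB_XML` fragment is constructed for the demonstration and the `harden()` helper is my own, assuming the file structure matches Tomcat's `conf/web.xml`.

```python
import xml.etree.ElementTree as ET

JAVAEE_NS = "http://xmlns.jcp.org/xml/ns/javaee"
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed web.xml fragment in the risky state (readonly=false on the DefaultServlet).
# It mirrors the layout of Tomcat's conf/web.xml but is not copied from any real server.
RISKY_WEB_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="{JAVAEE_NS}" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>{DEFAULT_SERVLET}</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so elements can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def _readonly_values(root):
    """Yield the <param-value> elements of every 'readonly' init-param on the DefaultServlet."""
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = "".join((c.text or "") for c in servlet if _local(c.tag) == "servlet-class").strip()
        if cls != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kids = {_local(c.tag): c for c in param}
            name = (kids["param-name"].text or "").strip() if "param-name" in kids else ""
            if name == "readonly" and "param-value" in kids:
                yield kids["param-value"]


def default_servlet_writable(web_xml_text):
    """True if the DefaultServlet accepts PUT/DELETE (readonly=false).
    A missing parameter counts as safe because Tomcat's built-in default is readonly=true."""
    root = ET.fromstring(web_xml_text)
    return any((v.text or "").strip().lower() == "false" for v in _readonly_values(root))


def harden(web_xml_text):
    """Return a serialised copy of the config with readonly forced to true on the DefaultServlet."""
    ET.register_namespace("", JAVAEE_NS)  # keep the default namespace unprefixed on output
    root = ET.fromstring(web_xml_text)
    for value in _readonly_values(root):
        value.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("risky config writable:", default_servlet_writable(RISKY_WEB_XML))
    fixed = harden(RISKY_WEB_XML)
    print("hardened config writable:", default_servlet_writable(fixed))
```

Run it against `conf/web.xml` and any per-application `WEB-INF/web.xml` that overrides the default servlet, since an application-level override can re-enable PUT even after the global file has been corrected; the audit function is the useful part, while `harden()` is a convenience for generating the corrected file to review before deploying.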