Delaware, USA – June 4, 2019 – BlackSquid malware attacks not only web servers but also network drives and removable drives. Trend Micro researchers analyzed this new malware family and found that BlackSquid uses seven exploits to spread a Monero miner. Its arsenal includes exploits for bugs in Rejetto HFS (CVE-2014-6287), Apache Tomcat (CVE-2017-12615), Windows Shell (CVE-2017-8464) and several versions of the ThinkPHP framework, as well as the infamous EternalBlue exploit used in the WannaCry and NotPetya outbreaks.
After infection, the malware analyzes its environment and halts its malicious activity if it detects signs of possible analysis. Infection occurs through vulnerabilities in web applications running on servers. Using the GetTickCount API, the malware searches for IP addresses of reachable servers and compromises them with its exploits and brute-force attacks. It then determines which video card is installed; if it finds an Nvidia or AMD card, it drops XMRig modules for cryptocurrency mining onto the compromised system.
Cryptocurrency mining has lost some of its popularity, but threat actors continue to carry out successful attacks on corporate servers. Moreover, adversaries can use BlackSquid not only for mining but also to elevate system privileges, steal confidential data, disrupt operations and carry out attacks on organizations. Trend Micro researchers suggest that the threat actor is still developing and testing the malware to find the best way to monetize the effort, since some BlackSquid functions still do not work properly; even in its current form, however, the malware is very effective. To detect attacks on your servers, you can use the Web Application Security Framework rule pack, which spots malicious activity and acts as an early warning system for your critical business applications: https://my.socprime.com/en/integrations/web-application-security-framework-arcsight
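Because BlackSquid gets onto servers through the web-application bugs listed above, the first place a defender can catch it is the web server's access log. The following Python scanner is an added example written for this page; it is not SOC Prime's rule pack, Trend Micro's code or anything from the malware itself. It parses Apache combined-format lines (the sample lines are constructed) and flags three request shapes: an HTTP PUT of a .jsp file (the Tomcat CVE-2017-12615 pattern), Rejetto HFS macro syntax in the search parameter (the CVE-2014-6287 pattern) and ThinkPHP requests routed to invokefunction. The signatures are coarse heuristics based on public descriptions of those bugs, not on anything stated in this article, so treat them as assumptions to tune for your own environment.

```python
"""Flag web-application exploitation attempts of the kind BlackSquid uses in
Apache-style access logs. Constructed example; not SOC Prime or Trend Micro code."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Jun/2019:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.11 - - [04/Jun/2019:10:15:07 +0000] "PUT /upload.jsp/ HTTP/1.1" 201 0 "-" "python-requests/2.21"
203.0.113.12 - - [04/Jun/2019:10:15:09 +0000] "GET /?search=%00{.placeholder_macro.} HTTP/1.1" 200 512 "-" "curl/7.64"
203.0.113.13 - - [04/Jun/2019:10:15:12 +0000] "GET /index.php?s=index/think/app/invokefunction&function=placeholder_fn HTTP/1.1" 200 88 "-" "-"
203.0.113.14 - - [04/Jun/2019:10:15:20 +0000] "GET /?search=report HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = unquote(parts.path)
    rec["raw_query"] = parts.query
    # parse_qs percent-decodes values, so %00 becomes a literal NUL byte here.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def findings_for(rec):
    """Heuristic signatures (assumptions from public bug descriptions, not from the article)."""
    hits = []
    # CVE-2017-12615 pattern: Tomcat with readonly=false accepts a PUT of a .jsp;
    # a trailing "/" on the file name is a known way the check was bypassed.
    if rec["method"] == "PUT" and re.search(r"\.jsp/?$", rec["path"], re.IGNORECASE):
        hits.append("tomcat-put-jsp")
    # CVE-2014-6287 pattern: Rejetto HFS macro syntax "{." (often with a NUL byte)
    # inside the search parameter.
    if any("{." in v or "\x00" in v for v in rec["query"].get("search", [])):
        hits.append("hfs-search-macro")
    # ThinkPHP 5.x RCE requests are routed to the "invokefunction" method.
    if "invokefunction" in rec["raw_query"].lower():
        hits.append("thinkphp-invokefunction")
    return hits


def scan_log(text):
    """Return one alert dict per log line that matches at least one signature."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; a real pipeline would count these
        hits = findings_for(rec)
        if hits:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                           "target": rec["target"], "hits": hits})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f'{a["ts"]} {a["ip"]} {a["method"]} {a["target"]} -> {", ".join(a["hits"])}')
```

Run against the constructed sample, the scanner reports the three hostile lines and ignores the two benign ones. The checks deliberately look at the decoded path and query rather than the raw line, so percent-encoding of the .jsp name or the macro characters does not hide them; a NUL byte in the search parameter is also a strong signal on its own. EternalBlue and the Windows Shell bug (CVE-2017-8464) do not show up in web logs, so those need SMB-level and endpoint telemetry instead.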