Updated NRSMiner Strikes Asian Countries

Delaware, USA – January 8, 2019 – An updated version of the NRSMiner coinminer threatens organizations in Asia. Researchers from F-Secure spotted a new wave of malware attacks started in mid-November last year when adversaries released the newest version of the cryptocurrency miner. NRSMiner is a worm-like malware that uses the EthernalBlue exploit for spreading within attacked organization’s network. The EthernalBlue exploit was used during the WannaCry and NotPetya outbreaks in 2017. Despite the fact that more than 18 months passed since the attacks, a recent study showed that hundreds of thousands of systems are still vulnerable to this exploit. More than 50% of NRSMiner victims are located in Vietnam, and almost all of the other victims are in Asian countries. Older versions of the malware connect to command and control servers to download and install the update on an infected system and then tries to spread to other unpatched systems within a network. Coinminer uses XMRig to mine Monero cryptocurrency. To avoid causing suspicion on infected systems, XMRig runs by default for 5 minutes every 95 minutes.

Adversaries can easily update the malware to modify the cryptocurrency mining parameters or completely change the functionality of the malware. The usage of EthernalBlue exploit shows that adversaries focused on organizations with plenty of outdated systems. Coinminers using this exploit can completely paralyze the operation of an organization, and the WannaMine experience shows that malware authors will continue to modify the strain to make it more profitable. You can discover the latest version of NRSMiner using the rules from the Threat Detection Marketplace.
Sysmon: https://tdm.socprime.com/tdm/info/1431/
Proxy/Firewall: https://tdm.socprime.com/tdm/info/1432/