BlackSquid Malware Exploiting Web Servers to Mine Monero (XMR)
Cybersecurity researchers have discovered BlackSquid, a new malware family that exploits unpatched loopholes in web servers, network drives, and removable drives to mine privacy-centric monero (XMR), according to a TrendMicro report on June 3, 2019.
Mining Monero in Stealth Mode
Per the team, the notorious malware uses “multiple web server exploits as well as brute strength” to wreak havoc on its hosts. Reportedly, BlackSquid has several features that make it quite deadly.
The malware comes with highly functional anti-virtualization, anti-debugging, and anti-sandboxing features that enable it to discontinue installing itself on its victim’s system once it discovers the presence of a strong anti-cyber threat tool.
BlackSquid also employs some of the most dangerous exploits currently in existence, including EternalBlue, a security flaw present in the Windows SMB 1.0 (SMBv1) server, allowing attackers to execute arbitrary code in a victim’s system remotely.
Once BlackSquid successfully plants itself in a machine, it pauses its activities for a while, to ascertain whether the host is equipped with known hardware emulators or sandbox tools like Avira, wilbert-sc, and others that could detect its presence and block it.
The researchers said:
“BlackSquid also check the breakpoint registers for hardware breakpoints, specifically for the flags. It ends its installation if the flag is at 0, but proceeds with infection if the flag is at 1. Like several other malicious cryptocurrency mining malware routines in recent attacks, BlackSquid also makes use of EthernalBlue-DoublePulsar exploits (MS17-010 SMB RCE exploit) to plant itself in the network.”
Aside from infecting a network and removable drives, the researchers say BlackSquid can also infect web servers by exploiting web applications.
BlackSquid’s Multiple Use Cases
The primary aim of the BlackSquid malware is to download and install an XMRig Monero miner on its victim’s system to conduct invincible mining operations.
However, the researchers have hinted that the cybercriminals behind BlackSquid may be looking to develop the malware further, to enable them to use it to orchestrate other cyber attacks outside of illegal cryptocurrency mining.
To remain immune to BlackSquid and other malware attacks, the researchers have advised organizations to regularly update their systems with new vulnerability patches from trusted vendors while also implementing proper patching procedures.
The researchers also recommend that enterprises should install a multi-layered protection system capable of blocking attacks and malicious URLs from the “gateway to the endpoint.”