Researchers from Trend Micro have identified a malware family that uses numerous web server exploits and brute-force attacks. According to the researchers’ findings, in an article spotted by ZDNet, the malware downloads and installs XMRig, a Monero cryptocurrency miner. BlackSquid was most active in the last week of May, with most of its attacks hitting Thailand and the US, according to the researchers. Trend Micro is naming the malware family “BlackSquid” after the registry entries it creates and its main file names. BlackSquid utilizes eight known exploits: EternalBlue, DoublePulsar, three server security flaws (CVE-2014-6287, CVE-2017-12615, CVE-2017-8464), and three web application (ThinkPHP) vulnerabilities. Most alarming, though, is that BlackSquid employs a number of tactics to remain hidden: it runs anti-virtualization, anti-debugging, and anti-sandboxing checks before it continues with installation, and only installs itself if it judges it will go undetected. It also has “wormlike” behavior for lateral propagation, researchers say. In plain English, after one computer on a network is infected, the malware will try to infect other systems on the network to spread the infection.
How does BlackSquid infect a system?
BlackSquid attacks systems through infected webpages, compromised web servers, or removable or network drives (infected USB drives, for example). If it goes undetected, the malware goes on to install a version of the XMRig cryptocurrency mining script. The attack doesn’t stop there, though: the malware also scans the infected system for a video card, since GPUs can make very effective cryptocurrency miners. If BlackSquid finds a GPU, it uses a second XMRig component to make use of the hardware’s resources. In short, the malware looks to exploit everything it can in a system to maximize cryptocurrency return for the attackers. That said, Trend Micro warns the malware could deliver other payloads in future attacks. While BlackSquid might sound terrifying and could cause significant damage, it is making use of known exploits and vulnerabilities. These vulnerabilities have already been patched, so protecting yourself is simple: ensure your system is up to date and that all the latest patches – from legitimate sources – are installed. Researchers also point out that this malware appears to be in a testing state, with many of its features flagged for further trial. If true, this might not be the last we hear of BlackSquid. Indeed, it might not be the end for crypto-jacking attacks. In May 2019, research from cybersecurity firm Malwarebytes said its software was blocking over 1 million requests to Coinhive competitor CoinLoot.
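Because the payload described above is a stock XMRig miner (with a second XMRig component used when a GPU is present), the most practical host-side detection is to watch process-creation events for miner executables, mining-pool URLs and miner command-line options. The following is an added example written for this article, not code from Trend Micro or the XMRig project: it parses a few constructed process-creation log lines (the log format, host names, pool address and wallet string are all hypothetical) and flags miner launches, distinguishing the CPU miner from the GPU component. The indicator strings (`xmrig`, `xmrig-nvidia`, `xmrig-amd`, `stratum+tcp://`, `--donate-level`, `--cuda`, `--opencl`) are taken from XMRig's public naming and command-line options, and are assumptions about what a BlackSquid-dropped miner would look like rather than indicators from the report.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation log (hypothetical format and values,
# not taken from the Trend Micro report).
SAMPLE_LOG = """\
2019-05-30T10:01:12Z host=web01 pid=4412 image=C:\\Windows\\System32\\svchost.exe cmdline="svchost.exe -k netsvcs"
2019-05-30T10:02:45Z host=web01 pid=5120 image=C:\\ProgramData\\xmrig.exe cmdline="xmrig.exe -o stratum+tcp://pool.example.invalid:3333 -u 4ABC...wallet --donate-level=1"
2019-05-30T10:02:50Z host=web01 pid=5133 image=C:\\ProgramData\\xmrig-nvidia.exe cmdline="xmrig-nvidia.exe -o stratum+tcp://pool.example.invalid:3333 --cuda"
2019-05-30T10:05:01Z host=web01 pid=5200 image=C:\\Program Files\\Git\\bin\\git.exe cmdline="git.exe pull origin master"
"""

# One log line: timestamp, host, pid, image path (may contain spaces), quoted command line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) '
    r'image=(?P<image>.+?) cmdline="(?P<cmdline>.*)"$'
)

# Indicators (assumed from XMRig's public build names and options).
MINER_IMAGE_RE = re.compile(r'(^|[\\/])xmrig(-nvidia|-amd)?(\.exe)?$', re.IGNORECASE)
GPU_IMAGE_RE = re.compile(r'xmrig-(nvidia|amd)', re.IGNORECASE)
POOL_URL_RE = re.compile(r'stratum\+(tcp|ssl)://', re.IGNORECASE)
CPU_FLAGS = ('--donate-level', '--algo', '--threads')
GPU_FLAGS = ('--cuda', '--opencl')


@dataclass
class Finding:
    host: str
    pid: int
    image: str
    reasons: list
    gpu_component: bool


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event['pid'] = int(event['pid'])
    return event


def classify(event):
    """Return a Finding if the event looks like a miner launch, else None."""
    reasons = []
    if MINER_IMAGE_RE.search(event['image']):
        reasons.append('miner image name')
    cmd = event['cmdline']
    if POOL_URL_RE.search(cmd):
        reasons.append('stratum pool URL')
    for flag in CPU_FLAGS:
        if flag in cmd:
            reasons.append(f'mining flag {flag}')
    gpu = any(flag in cmd for flag in GPU_FLAGS) or bool(GPU_IMAGE_RE.search(event['image']))
    if gpu:
        reasons.append('GPU mining component')
    # A strong indicator (binary name or pool URL) is enough on its own; weaker
    # indicators such as a lone --threads flag must corroborate each other.
    strong = 'miner image name' in reasons or 'stratum pool URL' in reasons
    if not strong and len(reasons) < 2:
        return None
    return Finding(event['host'], event['pid'], event['image'], reasons, gpu)


def scan(log_text):
    """Scan a block of log lines and return the list of miner findings in order."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        kind = 'GPU' if f.gpu_component else 'CPU'
        print(f"{f.host} pid={f.pid} {kind} miner: {f.image} ({', '.join(f.reasons)})")
```

On the constructed log this reports two launches on `web01`: the CPU miner (pid 5120, flagged by its image name, pool URL and `--donate-level`) and the GPU component (pid 5133, flagged additionally by `--cuda` and the `xmrig-nvidia` name), which mirrors the two-stage XMRig deployment the article describes. A renamed binary would evade the image-name check, which is why the pool URL and option flags are treated as independent indicators.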