It was discovered that a new version of NRSMiner is spreading in Asia. The affected countries are Vietnam, Iran, and Malaysia. This new version updates existing NRSMiner infections or just infects new systems with the help of the EternalBlue exploit.
For those who don’t know, EternalBlue is one of the NSA exploits stolen by the Shadow Brokers and leaked to the public; it is infamous for its role in the WannaCry and NotPetya outbreaks in 2017. The good news is that Microsoft patched it in March 2017, but many systems are still outdated, have not received the update, and probably never will.
Cybersecurity experts say that falling behind on basic security practices, like patching, is usually the main culprit in these situations; but the biggest reason the outbreak is limited to certain countries has to do with resourcing. For example, some parts of the world have invested in security education for decades, and because of this the malware is not achieving the same prevalence in those regions.
This new version of NRSMiner updates the existing infections by downloading new modules and deleting the files and services installed by its own previous versions.
Then the updater module checks to see if the new version is already installed. If it is, it deletes itself. If not, it downloads the malware from one of a series of hardcoded URLs.
The newly installed version then creates multiple threads for different purposes, including the exfiltration of processor and system information, checking for a new module, and running the miner.
Remember that everything can be hacked. To stay clear of cyber threats, we recommend installing antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS it runs. If you are a company, it is also recommended to hire a specialized cybersecurity company every year to run annual tests on your company’s network; these tests include penetration testing and ethical hacking tests.
During malware analysis, it was discovered that the miner is injected into svchost.exe to start crypto-mining. Interestingly, if this fails, the miner is injected into TrustedHostex.exe in the system32 folder and executed; snmpstorsrv also decompresses a wininit.exe file and injects it into svchost.exe. If this too fails, wininit is written to \AppDiagnostics\wininit.exe and executed. Wininit is the module responsible for further propagation using the EternalBlue – 2.2.0 exploit executable.
Wininit.exe scans the local network on TCP port 445 looking for other accessible devices and executes the EternalBlue exploit on any vulnerable systems it finds. If everything goes as planned, it installs the DoublePulsar backdoor on the new system. Once the new system is infected, the process begins again.
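The two behaviours described above, the propagation module living at an unusual path and a single host fanning out to many peers on TCP port 445, are both visible to a defender in ordinary endpoint and network logs. The following is an added example (not code from the original article or from the malware) of a small hunting script that flags both over constructed sample events. The log layout, host names and thresholds are assumptions made for the example; the path fragments come from the article's description.

```python
"""
Added example: hunt for the two NRSMiner propagation behaviours the article
describes, using constructed log events (not real telemetry):

  1. a process image launched from \AppDiagnostics\wininit.exe, or
     TrustedHostex.exe launched from system32 (paths from the article);
  2. one host opening connections to many distinct peers on TCP/445 in a
     short window, which is how an SMB/EternalBlue scanner looks on the wire.

Field layout of the events is an assumption, not any vendor's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Path fragments taken from the article; matched case-insensitively against
# the end of the image path so drive letters and Windows dirs do not matter.
SUSPICIOUS_IMAGE_PATHS = (
    r"\appdiagnostics\wininit.exe",
    r"\system32\trustedhostex.exe",
)

# Constructed process-creation events: (timestamp, host, image path)
PROCESS_EVENTS = [
    ("2019-01-03T10:00:01", "WS-01", r"C:\Windows\System32\svchost.exe"),
    ("2019-01-03T10:00:07", "WS-01", r"C:\Windows\System32\TrustedHostex.exe"),
    ("2019-01-03T10:00:09", "WS-01", r"C:\Windows\AppDiagnostics\wininit.exe"),
    # Legitimate wininit.exe lives in System32; it must not be flagged.
    ("2019-01-03T10:00:12", "WS-02", r"C:\Windows\System32\wininit.exe"),
]

# Constructed network-connection events: (timestamp, src host, dst ip, dst port).
# WS-01 sweeps 20 neighbours on 445 in 20 seconds; WS-02 talks to one file
# server on 445; WS-03 uses 443 only.
NETWORK_EVENTS = [
    ("2019-01-03T10:00:%02d" % (10 + i), "WS-01", "10.0.0.%d" % (11 + i), 445)
    for i in range(20)
] + [
    ("2019-01-03T10:00:15", "WS-02", "10.0.0.5", 445),
    ("2019-01-03T10:00:16", "WS-02", "10.0.0.5", 445),
    ("2019-01-03T10:00:17", "WS-03", "10.0.0.5", 443),
]


def flag_suspicious_images(events):
    """Return (host, image) pairs whose image path ends with a known-bad fragment."""
    hits = []
    for _ts, host, image in events:
        low = image.lower()
        if any(low.endswith(fragment) for fragment in SUSPICIOUS_IMAGE_PATHS):
            hits.append((host, image))
    return hits


def detect_smb_fanout(events, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak distinct TCP/445 peers seen within `window`} for every
    source whose peak reaches `threshold`. A sliding window over the sorted
    connections keeps the check linear in the number of events per host."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == 445:
            by_src[src].append((datetime.fromisoformat(ts), dst))

    flagged = {}
    for src, conns in by_src.items():
        conns.sort()
        peak, start = 0, 0
        for end in range(len(conns)):
            # Drop connections that fell out of the window.
            while conns[end][0] - conns[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in conns[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for host, image in flag_suspicious_images(PROCESS_EVENTS):
        print("suspicious image on %s: %s" % (host, image))
    for host, peers in detect_smb_fanout(NETWORK_EVENTS).items():
        print("possible SMB scan from %s: %d distinct peers on tcp/445" % (host, peers))
```

The threshold and window are the part to tune: on a network where one host legitimately enumerates shares (a backup server, a vulnerability scanner), either allow-list that source or raise the threshold, otherwise the fan-out rule will fire on routine activity.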
The crypto miner is used to generate Monero cryptocurrency.
Keep in mind that our modern society is dependent on computers, mobile devices, and the internet; always stay safe and secure.
We will continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS your machine is running. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network; such tests include penetration testing and ethical hacking.