BlackSquid Malware Campaign Turns Web Servers into Crypto Mining Farms
Experts at Trend Micro have discovered a new Monero cryptocurrency mining campaign targeting web servers, network storage, and removable drives. The operators of this campaign, named BlackSquid, use eight different exploits to stealthily infect devices. These include the leaked EternalBlue tool from the U.S. National Security Agency, as well as exploits for vulnerabilities in Rejetto HFS (CVE-2014-6287), Apache Tomcat (CVE-2017-12615), Windows Shell (CVE-2017-8464), and several versions of the ThinkPHP framework.
After infecting a server, BlackSquid checks its environment to determine whether it is running in a virtual machine, a sandbox, or under analysis; if it detects such an environment, it halts its malicious activity. Initial infection occurs through vulnerabilities in the web applications running on the servers. The malware then uses the GetTickCount API while searching for the IP addresses of reachable servers, which it compromises through exploits and brute-force attacks. Finally, it identifies the installed graphics card: if it finds Nvidia or AMD hardware, it downloads XMRig modules to mine cryptocurrency.
BlackSquid is not limited to cryptocurrency mining. It can also be used to escalate privileges on the system, steal confidential data, disrupt hardware and software operations, and launch attacks against organizations.
According to experts, BlackSquid appears to still be under development. Its creators seem to be experimenting with different types of attacks to determine the most cost-effective methods. Currently, the attackers are deploying Monero miners on compromised servers, but they may switch to other threats in the future.
BlackSquid spreads using the EternalBlue exploit and the DoublePulsar backdoor. Although patches for these vulnerabilities have been available since March 2017, thousands of systems remain unprotected. According to Check Point statistics, as of March 20, 2019, more than 600,000 corporate systems were still vulnerable to attacks using EternalBlue.