Malware combines Python and PowerShell to create a crypto-currency miner, which also has a worm like component that helps it move laterally and infect victims by using vulnerabilities such as the NSA-linked EternalBlue. EternalBlue is a cyber-attack exploit developed by the U.S. National Security Agency (NSA) according to testimony by former NSA employees. NSA exploits used by worm crypt miner combo to move laterally and attack systems. Bitdefender researcher recently found and analyzed a worm Crypto miner combo that uses a series of exploits to move laterally and compromise victims.

The malware spreads through the two worm components, written in Python and PowerShell, which find targets from the following rules: both worms try to infect the local networks that this machine is connected to. Both worms infect all public IPs sharing the same CIDR /24 subnet as this computer’s (IPs are identical up to the last dot). The PowerShell worm also tries to infect known DNS servers and machines that this computer is already connected to. The Python worm also tries to spread to many random public IPs.

The malware was traced back to a supply chain attack on a popular driver downloading an application called DriveThatLife. A new attack vector, not previously associated with
delivering crypto-currency miners or covered in past research, was also revealed
during the investigation. A supply chain attack broke out against users of
DriveTheLife, a potentially unwanted application (PUA), and against users of
other similar apps that seem to run on the same infrastructure.

It was found that a component of DriveTheLife, which normally downloads and executes files from a legitimate domain, was being manipulated to download a malicious payload on the victim’s machine from a domain operated by attackers.

The malware also checks twice per second whether any processes from a list are running on the system. If so, it kills the svhhost.exe process. The process list contains mainly games such as League of Legends, Counterstrike, Grand Theft Auto – Vice City, as well as the Windows Task Manager and the Steam game launcher. Researchers said this hints to the fact that the svhhost.exe process is running performance-intensive tasks and would be noticed if games are running.

Key findings:

  • Delivered via supply chain attack on PUA application.
  • Moves laterally using advanced tools and unpatched vulnerabilities.
  • Stays stealthy by pausing crypto mining if performance-intensive tasks, such as popular games, are running.
  • Features both CPU and GPU mining components.
  • Full timeline and changelog on how modules were updated.
  • Private RSA key used for signing C&C communication publicly available.
  • First detailed analysis on how both Beapy and PCASTLE work together.