Advanced Targeted Attack Tools Being Used to Distribute Cryptocurrency Miners (Jun 13, 2019)
Trend Micro researchers have identified a cryptojacking campaign that infects unpatched computers with XMRig variants. While it is unknown who is behind the campaign, the threat actors have been using the EternalBlue and EternalChampion exploits to target unpatched Windows systems. Both exploits, EternalBlue and EternalChampion, were leaked in April 2017 and are alleged NSA tools that exploit vulnerabilities in Microsoft’s SMB protocol. Once the threat actors gain access to the system, a cryptominer binary is dropped in the “system32” or the “SysWOW64” folder. The reported targets of the campaign include China and India, along with businesses in various sectors: communications, education, finance, media and technology.
Recommendation: Unpatched Windows machines should be updated as soon as possible due to the potential for an actor to infect a machine with this cryptominer. Additionally, your company should have policies in place to review and apply security updates for software in use to protect against known vulnerabilities that threat actors may exploit.
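A defender-side triage check for the conditions described above, written as an added PowerShell example that is not part of the Trend Micro report or this digest: it reports whether the legacy SMB1 server (the protocol version EternalBlue and EternalChampion exploit) is still enabled and lists recently created executables in the two drop folders that lack a valid Authenticode signature. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later; the 7-day lookback and the output path are arbitrary choices for the example.

```powershell
# Added triage script (not from the Trend Micro report or this digest's authors).
# Assumptions: run elevated on Windows 8/Server 2012 or later; the 7-day lookback
# and the CSV path below are arbitrary values chosen for this example.
$LookbackDays = 7
$Since        = (Get-Date).AddDays(-$LookbackDays)
$DropDirs     = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$ReportPath   = "$env:TEMP\miner-triage.csv"

# 1. Is the SMB1 server still enabled? EternalBlue/EternalChampion target SMBv1,
#    so a host answering "True" here is exposed if it is missing the SMB patches.
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($smb) { "SMB1 server enabled: $($smb.EnableSMB1Protocol)" }

# 2. Executables created in the drop folders within the lookback window that do not
#    carry a valid signature. Windows Update writes signed files here constantly, so
#    the signature filter keeps the list short; each hit is a lead, not a verdict.
$findings = foreach ($dir in $DropDirs) {
    Get-ChildItem -Path "$dir\*" -Include *.exe,*.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [PSCustomObject]@{
                    Path      = $_.FullName
                    Created   = $_.CreationTime
                    SizeKB    = [math]::Round($_.Length / 1KB)
                    SigStatus = $sig.Status
                    # SHA-256 lets the analyst compare the file against an IOC feed.
                    Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# 3. Print the findings and export them for correlation with your IOC list.
if ($findings) {
    $findings | Sort-Object Created -Descending | Format-Table -AutoSize
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    "Wrote $(@($findings).Count) finding(s) to $ReportPath"
} else {
    "No recently created unsigned executables found in $($DropDirs -join ', ')"
}
```

A cryptominer can also be validly signed or dropped elsewhere, so treat an empty result as one negative check, not as a clean bill of health; pair it with patch verification and CPU-usage monitoring.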
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.