New “BlackSquid” Malware Utilizes Eight Notorious Exploits to Drop XMRig Miner (Jun 3, 2019)
A new malware family dubbed “BlackSquid” has been discovered by Trend Micro researchers. The malware targets web servers, network drives, and removable drives using multiple web server exploits and dictionary attacks. BlackSquid is named after its registry entries and component file names, and it uses some of the most notorious exploits in circulation today: EternalBlue; DoublePulsar; the exploits for CVE-2014-6287, CVE-2017-12615, and CVE-2017-8464; and three ThinkPHP exploits covering multiple versions. If successful, this malware may enable an attacker to escalate unauthorized access and privileges, launch attacks on an organization, render hardware and software useless, or steal proprietary information. However, patches for all of the exploited vulnerabilities have been available for years, so organizations that follow proper, up-to-date patching procedures are unlikely to be affected.
Recommendation: Documented or older vulnerabilities, such as CVE-2014-6287, CVE-2017-12615, and CVE-2017-8464, are sometimes utilized by threat actors because companies often do not update their software and products, for a variety of reasons. This story depicts the potential risk posed to services that are not properly maintained. It is crucial that your company has a patch management process in place so that available patches are applied promptly and potential malicious activity is avoided.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.