The new version leverages the EternalBlue exploit to spread, experts observed that the threat also updates existing NRSMiner installs.
ETERNALBLUE targets the SMBv1 protocol and it has become widely adopted in the community of malware developers.
“Starting in mid-November 2018, our telemetry reports indicate that the newest version of the NRSMiner cryptominer, which uses the Eternal Blue exploit to propagate to vulnerable systems within a local network, is actively spreading in Asia. Most of the infected systems seen are in Vietnam. ” reads the analysis published by F-Secure.
The new version of NRSMiner updates existing infections by downloading new modules and removing files and services installed by old previous versions.
Machines infected with an older version of NRSMiner that runs the
In case the updater module finds the new version installed, it deletes itself otherwise it downloads the malware from one the hardcoded URLs.
“To remove the prior version of itself, the newest version refers to a list of services, tasks
This malicious code first installs a service named
The service creates multiple threads to carry out several malicious activities, such as data exfiltration and mining.
The updated miner is injected into the svchost.exe to start
The latest NRSMiner version leverages wininit.exe both handling its exploitation and propagation. Wininit.exe decompresses the zipped data in %systemroot%\AppDiagnostics\blue.xml and unzips files to the AppDiagnostics folder. One of the unzipped files named svchost.exe is the Eternalblue – 2.2.0 exploit executable.
Wininit.exe scans for other accessive devices the local network on TCP port 445, it executes the EternalBlue exploit on any vulnerable systems. If the exploit is successfully executed it installs the DoublePulsar backdoor.
The malicious code uses the XMRig Monero CPU miner.
Further information, including IoCs are reported in the analysis published by F.Secure.
(SecurityAffairs – NRSMiner , crypto miner)