BlackSquid Emerges from the Deep
Written by Karolis Liucveikis on
When the developers behind Coinhive announced that they would be shutting down their service, which let websites mine cryptocurrency in place of showing advertising, some predicted that the rise of cryptominers would end. But Coinhive had opened a Pandora’s box and driven the abuse and development of other cryptominers, malware designed to hijack CPU resources to mine cryptocurrency, so it was unlikely that Coinhive’s demise would signal the death of the malware variant. The emergence of a new cryptominer, labeled BlackSquid by researchers at TrendMicro, seems to prove the point: the malware is designed to infect web servers, network drives, and removable drives and turn them into Monero mining rigs. According to a report published by TrendMicro, the malware uses several vulnerabilities to break into systems and employs several techniques to evade detection.
One of these vulnerabilities is the infamous EternalBlue, an NSA hacking tool that was leaked to the public. The exploit leverages Microsoft’s SMB version 1 networking protocol to spread laterally across networks and deliver a malicious payload. The cryptominer further exploits CVE-2014-6287 (affecting Rejetto HFS), CVE-2017-12615 (affecting Apache Tomcat), and CVE-2017-8464 (affecting Windows Shell). It also uses multiple other exploits targeting web servers, through which the malware increases its rate of infection.
The malware also employs a variety of methods to evade detection. Once BlackSquid gains access to a server, it checks for signs of an analysis environment, such as a virtual machine, sandbox, or debugger, tools commonly used by security researchers when analyzing malware. Once the system is compromised, the cryptominer delays its routine until it has confirmed that the system does not carry a name common to known hardware emulators, sandbox tools, or disk drive models that would indicate a security analysis environment. TrendMicro explains that,
“The malware also checks the breakpoint registers for hardware breakpoints, specifically for the flags. Hard-coded in, it skips the routine if that flag is at 0, while it seems to proceed with infection if the flag is at 1. As of this writing, the code is set at 0, implying that this aspect of the malware routine is still in development,”
If the malware detects one or more of the above-mentioned tools, it determines that the machine is an unsafe environment and stops the infection routine, so no malicious or suspicious indicators are revealed. For instance, running samples through Any Run, a malware hunting service, returned false detections: the malware detected that the service was attempting to analyze it and terminated its infection routine, having determined the environment to be unsafe. If the environment is determined to be safe, the infection routine continues and the malware attempts to spread to other machines across the network. This is done through the use of EternalBlue and DoublePulsar. A patch for the EternalBlue and DoublePulsar vulnerabilities was released in 2017; however, not every admin has installed it, meaning that hackers are still exploiting these vulnerabilities to move laterally across networks. According to Elad Erez, a security researcher at Check Point, corporate networks across the globe still have just over 600,000 systems vulnerable to EternalBlue exploits despite the patch having been available for over two years.
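As an added example (not part of the article or of Trend Micro’s report), the following PowerShell audits whether the SMBv1 protocol that EternalBlue relies on is still enabled on a Windows host and turns it off. It assumes an elevated session on Windows 10 / Server 2016 or later, where these cmdlets exist; the machine must still receive the vendor patch, since disabling SMBv1 only removes the lateral-movement path, not the underlying flaw.

```powershell
# Added example (not from the article or Trend Micro): audit and disable SMBv1 on a Windows host.
# Assumes an elevated PowerShell session on Windows 10 / Server 2016 or later.

# 1. Is the SMBv1 server component still enabled?
$smb1Server = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Host "SMBv1 server protocol enabled: $smb1Server"

# 2. Is the SMB1Protocol optional feature still installed on this build?
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Host "SMB1Protocol feature state: $($smb1Feature.State)"

# 3. Remediate: switch SMBv1 off on the server side and remove the feature.
#    -NoRestart defers the reboot; the feature removal takes full effect after one.
if ($smb1Server) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMBv1 server protocol disabled."
}
if ($smb1Feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    Write-Host "SMB1Protocol feature removal scheduled (reboot required)."
}

# 4. Re-check so the change is recorded in the session output.
Write-Host "SMBv1 server protocol now enabled: $((Get-SmbServerConfiguration).EnableSMB1Protocol)"
```

Run the script across a fleet (for example through a scheduled remote session) and log the before/after values to find the hosts that still expose SMBv1 to the network.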
Developer Error Leads to Discovery
Despite BlackSquid being a complex and well-built piece of malware, according to TrendMicro, an error in its code helped researchers detect and analyze it. The error appears fairly innocuous, but it was enough to reveal the malware to researchers: a typo in which the letter “l” was used instead of the number “1.” This tiny error renders the code designed to exploit one of the ThinkPHP vulnerabilities unusable, so it fails to do as intended. Despite this, the remaining code is still capable of installing two Monero mining modules, which are deployed as the last stage of the malware. The two components are designed to mine using the CPU and the GPU respectively. If the malware detects either an Nvidia or an AMD graphics card, it installs the second mining module to hijack the GPU resources of the card in question.
TrendMicro suggests that the malware may still be under development, as it could further enable an attacker to escalate unauthorized access and privileges, steal proprietary information, render hardware and software useless, or launch attacks on an organization. It is believed that the developers could be testing different types of attacks and determining targets without spending too much effort. The Monero miner is the final payload in the compromises seen by the researchers, but the attackers can switch it to a different threat with relative ease.
The BlackSquid malware is yet another reminder of how important it is to install updates and software patches. The vulnerabilities the hackers are exploiting date back to 2014 and 2017, and patches correcting the flaws have long since been released. Despite this, a scan conducted in March of this year by Elad Erez revealed over 600,000 machines vulnerable to EternalBlue alone. The well-built nature of the malware and its ability to be further weaponized should give admins and users enough cause for concern to make sure that all relevant machines and software packages are up to date. To further illustrate this point, TrendMicro concludes that,
“All of the exploited vulnerabilities have patches that have been available for years, so organizations following updated and proper patching procedures are unlikely to be affected. We recommend continued updating of systems with the released patches from legitimate vendors. Users of legacy software should also update with virtual patches from credible sources. Enterprises are advised to enable a multilayered protection system that can actively block threats and malicious URLs from the gateway to the endpoint.”