A new variant of NRSMiner is infecting users in the southern region of Asia; most of the victims are in Vietnam (54%), Iran (16%) and Malaysia (12%).
The new version leverages the EternalBlue exploit to spread, and experts also observed that the threat updates existing NRSMiner installations.
ETERNALBLUE is an NSA exploit that made the headlines with DOUBLEPULSAR in the WannaCry attack.
ETERNALBLUE targets the SMBv1 protocol and it has become widely adopted in the community of malware developers.
“Starting in mid-November 2018, our telemetry reports indicate that the newest version of the NRSMiner cryptominer, which uses the Eternal Blue exploit to propagate to vulnerable systems within a local network, is actively spreading in Asia. Most of the infected systems seen are in Vietnam.” reads the analysis published by F-Secure.
The new version of NRSMiner updates existing infections by downloading new modules and removing files and services installed by previous versions.
Machines infected with an older version of NRSMiner that runs the wmassrv service connect to tecate[.]traduires[.]com to download an updater module. The module is stored in the %systemroot%\temp folder as tmp[xx].exe, where [xx] is the return value of the GetTickCount() API.
If the updater module finds the new version already installed, it deletes itself; otherwise it downloads the malware from one of the hardcoded URLs.
“To remove the prior version of itself, the newest version refers to a list of services, tasks and files to be deleted that can be found as strings in the snmpstorsrv.dll file; to remove all older versions, it refers to a list that is found in the MarsTraceDiagnostics.xml file.” continues the analysis.
The malicious code first installs a service named snmpstorsrv, with snmpstorsrv.dll registered as its ServiceDll, and then deletes itself.
The service creates multiple threads to carry out several malicious activities, such as data exfiltration and mining.
The updated miner is injected into svchost.exe to start crypto-mining; if the injection fails, the service writes the miner to %systemroot%\system32\TrustedHostex.exe and launches it.
The latest NRSMiner version uses wininit.exe to handle both exploitation and propagation. Wininit.exe decompresses the zipped data in %systemroot%\AppDiagnostics\blue.xml and unzips the files into the AppDiagnostics folder. One of the unzipped files, named svchost.exe, is the EternalBlue 2.2.0 exploit executable.
Wininit.exe scans the local network for other accessible devices on TCP port 445 and executes the EternalBlue exploit against any vulnerable system it finds. If the exploit succeeds, it installs the DoublePulsar backdoor.
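The behaviours described above (the updater download, the snmpstorsrv service, the fallback miner path, the AppDiagnostics staging folder and the TCP/445 sweep) each leave host-level traces a defender can match on. The following script is an added example and is not code from the article or from F-Secure: it runs simple detection logic over a few constructed key=value event lines, using only the indicators named on this page. The log format, the host names, the timestamps and the fan-out threshold of 10 distinct TCP/445 destinations are assumptions made for the example.

```python
"""Host-based detection of the NRSMiner indicators described in the write-up.

Added example, not the article's or F-Secure's code. Event lines are a
constructed key=value format; real telemetry (Sysmon, EDR) would be mapped
onto the same fields.
"""
import re
from collections import defaultdict

# Indicators taken from the write-up; Windows names are case-insensitive.
SERVICE_NAMES = {"snmpstorsrv", "wmassrv"}
UPDATE_DOMAIN = "tecate.traduires.com"
FILE_INDICATORS = (
    r"\system32\trustedhostex.exe",   # fallback miner when injection fails
    r"\appdiagnostics\blue.xml",      # zipped exploit payload
    r"\appdiagnostics\svchost.exe",   # unpacked EternalBlue executable
    r"\snmpstorsrv.dll",              # service DLL
    r"\marstracediagnostics.xml",     # removal list for older versions
)
# %systemroot%\temp\tmp[xx].exe, where [xx] is a GetTickCount() value.
TEMP_UPDATER = re.compile(r"\\temp\\tmp\d+\.exe$", re.IGNORECASE)
# Assumed threshold: distinct hosts one source may touch on tcp/445 before
# the burst is flagged as a lateral-movement sweep. Tune per environment.
SMB_FANOUT_THRESHOLD = 10

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one constructed key=value event line into a dict."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def detect(lines):
    """Return {host: [alert, ...]} for every host that shows an indicator."""
    alerts = defaultdict(list)
    smb_targets = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        host, kind = ev.get("host"), ev.get("type")
        if kind == "service_install":
            if ev.get("name", "").lower() in SERVICE_NAMES:
                alerts[host].append(f"service {ev['name']} installed")
        elif kind == "dns":
            if ev.get("query", "").lower() == UPDATE_DOMAIN:
                alerts[host].append(f"dns lookup of updater host {UPDATE_DOMAIN}")
        elif kind == "file_create":
            path = ev.get("path", "")
            low = path.lower()
            if any(low.endswith(ind) for ind in FILE_INDICATORS) or TEMP_UPDATER.search(path):
                alerts[host].append(f"indicator file written: {path}")
        elif kind == "net_conn" and ev.get("dport") == "445":
            smb_targets[host].add(ev.get("dst"))
    # Fan-out is judged after the pass so the count covers the whole window.
    for host, targets in smb_targets.items():
        if len(targets) >= SMB_FANOUT_THRESHOLD:
            alerts[host].append(f"SMB fan-out to {len(targets)} hosts on tcp/445")
    return dict(alerts)


# Constructed sample telemetry: ws01 shows the full chain, ws02 is benign.
SAMPLE_LOG = [
    r"ts=2018-11-20T08:01:02 host=ws01 type=dns query=tecate.traduires.com",
    r"ts=2018-11-20T08:01:05 host=ws01 type=file_create path=C:\Windows\Temp\tmp38211043.exe",
    r"ts=2018-11-20T08:02:10 host=ws01 type=service_install name=snmpstorsrv dll=C:\Windows\System32\snmpstorsrv.dll",
    r"ts=2018-11-20T08:02:40 host=ws01 type=file_create path=C:\Windows\System32\TrustedHostex.exe",
    r"ts=2018-11-20T08:03:00 host=ws01 type=file_create path=C:\Windows\AppDiagnostics\blue.xml",
    *[f"ts=2018-11-20T08:04:{i:02d} host=ws01 type=net_conn dst=10.0.0.{i} dport=445" for i in range(1, 13)],
    r"ts=2018-11-20T08:05:00 host=ws02 type=net_conn dst=10.0.0.50 dport=445",
    r"ts=2018-11-20T08:05:01 host=ws02 type=file_create path=C:\Users\bob\report.xlsx",
]

if __name__ == "__main__":
    for host, found in detect(SAMPLE_LOG).items():
        print(host)
        for a in found:
            print("  -", a)
```

The file and service matches are exact indicators and fire on a single event; the TCP/445 fan-out rule is behavioural and only fires once a source touches many distinct peers, so a normal file-server client on ws02 stays quiet while ws01's sweep is reported.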