A new form of malware has emerged from the depths to attack web servers with a barrage of exploits designed to land illicit cryptocurrency miners.
The overall aim is to compromise web servers, network drives, and removable storage to install XMRig, a Monero cryptocurrency miner script, on target machines.
On Monday, Trend Micro published its findings on the new malware, dubbed BlackSquid, which the cybersecurity firm says has proven itself to be “especially dangerous.”
While many forms of malicious code will employ one or two exploits for known vulnerabilities in popular systems, BlackSquid differs in this regard.
The malware uses a range of the most dangerous exploits currently in the wild, including EternalBlue; DoublePulsar; the exploits for a Rejetto HTTP File Server bug, CVE-2014-6287, an Apache Tomcat security flaw, CVE-2017-12615, and a Windows Shell issue in Microsoft Server — CVE-2017-8464— as well as three ThinkPHP exploits for different versions of the web application development framework.
In addition, BlackSquid is capable of brute-force attacks, anti-virtualization, anti-debugging, and anti-sandboxing techniques, as well as worm-like propagation capabilities.
BlackSquid begins its infection process by way of one of three entry points; an infected webpage, exploits, or through removable network drives.
BlackSquid makes use of the GetTickCount API to randomly select IP addresses of a web server to target and checks if the addresses are live. If so, the attack begins. The malicious code is also able to start an infection chain by prepending malicious iframes to target web pages.