In early April, Fortinet’s FortiGuard Labs discovered a cryptocurrency mining malware that leverages EternalRomance, a remote code execution attack, that was coined, PyRoMine. The EternalRomance exploit was initially discovered in the giant “treasure trove” that was the NSA data leak last year thanks to the ShadowBrokers.
The malware can be found in the form of a standalone executable file that, when executed, will run as a background process, silently stealing CPU resources unbeknownst to its victims. The end goal of this malware is to mine Monero for profits.
PyRoMine sets up a hidden default account on the user’s machine with system administrator privileges, using the password “P@ssw0rdf0rme,” as well as, enabling Remote Desktop Protocol which could be used in the future for re-infection and/or further attacks.
EternalRomance exploit targets SMBv1 Windows XP/Vista/8.1/7/10 and Windows Server 2003/2008/2012/2016, taking advantage of a pair of vulnerabilities, CVE-2017-0144 and CVE-2017-0145. Microsoft patched this vulnerability very quickly after the tools were made public. However, individuals and enterprises alike have been quite slow when it comes to patching the known vulnerabilities and could still be affected by this malware.
Proficio Threat Intelligence Recommendations:
- Update Windows hosts to use SMBv2
- Do not allow Remote Desktop Protocol Open from the internet
General Information – Click Here
