New version of NRSMiner found leveraging EternalBlue exploit kit for propagation

• According to the report by F-Secure, Vietnam is highly affected by the new version of NRSMiner.
• The new version of NRSMiner uses the XMRig Monero CPU miner to generate units of the Monero cryptocurrency.

An updated version of NRSMiner cryptocurrency mining malware has been spotted targeting vulnerable systems. The malware uses the EternalBlue exploit kit for propagation and is actively spreading in Asia.

Modus Operandi

According to a detailed report from a cybersecurity firm F-Secure, Vietnam is highly affected by the new version of NRSMiner. The latest variant of the malware can propagate into a system in two ways.

The first method includes the download of the updater module onto a system that was earlier infected with a previous version of NRSMiner.

• “On a system that is already infected with an older version of NRSMiner, the malware will delete all components of its older version before infecting it with the newer one. To remove the prior version of itself, the newest version refers to a list of services, tasks and files to be deleted that can be found as strings in the snmpstorsrv.dll file; to remove all older versions, it refers to a list that is found in the MarsTraceDiagnostics.xml file,” said F-Secure in a blog post.
• Once the files of the previous version is deleted, the new variant of NRSMiner injects the updated miner file into the ‘svchost.exe’ of the affected system to start crypto-mining.
• If the injection of the file fails, then the malware writes the updated miner file on to the %systemroot%\system32\TrustedHostex.exe and executes it.

The second method involves the use of unpatched systems. The miner looks out for the systems that are not patched with the security update MS17-010.

• Wininit.exe scans on TCP port number 445 to search for accessible systems. After the scan, it executes the EternalBlue exploit kit to exploit the vulnerabilities of systems.
• “If the vulnerable system is successfully exploited, Wininit.exe then executes spoolsv.exe, which is the DoublePulsar – 1.3.1 executable file. This file installs the DoublePulsar backdoor onto the exploited system,” said F-Secure.

The new version of NRSMiner uses the XMRig Monero CPU miner to generate units of the Monero cryptocurrency. Apart for being used for mining currencies, the malware can download updated modules and delete the files and services installed by its previous versions.

Mitigation

Disable SMBv1 to reduce the attack surface. Installing MS17-010 security update is also recommended to address the flaws in SMBv1. Moreover, you can configure your firewall to block the in-and-outbound traffic - of port number 445 - from spreading within the local network.