StripedFly: Perennially flying under the radar

Introduction


It’s just another cryptocurrency miner… Nobody would even suspect the mining malware was merely a mask, masquerading behind an intricate modular framework that supports both Linux and Windows. It comes equipped with a built-in TOR network tunnel for communication with command servers, along with update and delivery functionality through trusted services such as GitLab, GitHub, and Bitbucket, all using custom encrypted archives. The amount of effort that went into creating the framework is truly remarkable, and its disclosure was quite astonishing.


How it started


In 2022, we came across two unexpected detections within the WININIT.EXE process of older code that had earlier been observed in Equation malware. Subsequent analysis revealed earlier instances of suspicious code dating back to 2017. During that time, it had effectively evaded analysis and had been misclassified as a cryptocurrency miner. While it was in fact serving that purpose, that wasn’t its main objective.


We decided to conduct a comprehensive analysis of the collected samples with the sole objective of resolving any uncertainties. What we discovered was completely unexpected; the cryptocurrency miner was just one component of a much larger entity. This malware employed a custom EternalBlue SMBv1 exploit to infiltrate its victims’ systems. Importantly, our investigation, which considered binary timestamps, indicated that this exploit was created prior to April 2017. It is worth noting that the EternalBlue exploit was publicly disclosed by the Shadow Brokers group on April 14, 2017.
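The dating argument above rests on the compile timestamp stored in the PE header of each sample. The following is an added example, not code from the Kaspersky report, showing how an analyst would extract that field and compare it against the April 14, 2017 disclosure date. It parses the header with the standard library only; `build_sample_pe` constructs a minimal synthetic header for demonstration and is not a real binary.

```python
import struct
from datetime import datetime, timezone

# Public disclosure of EternalBlue by the Shadow Brokers (date from the article).
SHADOW_BROKERS_LEAK = datetime(2017, 4, 14, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    # COFF file header follows the signature:
    #   Machine (2), NumberOfSections (2), TimeDateStamp (4), ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def predates_leak(data: bytes) -> bool:
    """True if the sample's compile timestamp is earlier than the public leak.

    Caveat: the field is writable by whoever builds the binary, so a single
    timestamp is a hint, not proof; corroborate with other artefacts
    (first-seen dates, linked library versions, overlapping samples).
    """
    ts = pe_timestamp(data)
    if ts.timestamp() == 0:
        raise ValueError("zeroed timestamp (reproducible build or stripped)")
    return ts < SHADOW_BROKERS_LEAK


def build_sample_pe(ts: int) -> bytes:
    """Constructed minimal PE header for testing only; not a real executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH",
                                   0x8664,           # Machine: x86-64
                                   1,                # NumberOfSections
                                   ts,               # TimeDateStamp (seconds since epoch)
                                   0, 0,             # PointerToSymbolTable, NumberOfSymbols
                                   0, 0)             # SizeOfOptionalHeader, Characteristics
    return bytes(dos) + coff


if __name__ == "__main__":
    early = build_sample_pe(1490000000)   # 2017-03-20 UTC, constructed
    late = build_sample_pe(1500000000)    # 2017-07-14 UTC, constructed
    print(pe_timestamp(early).isoformat(), predates_leak(early))
    print(pe_timestamp(late).isoformat(), predates_leak(late))
```

Run it against a real sample by passing `open(path, "rb").read()` to `predates_leak`; a zeroed or wildly implausible timestamp is itself a finding worth recording rather than a value to trust.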


What set this particular worm apart from other malware that used EternalBlue was its distinctive propagation pattern. It spread quietly, allowing it to avoid de ..