New PyRoMine Malware Variation Used Obfuscation and Includes IoT Device Scanner

June 16, 2018


A new variant of the PyRoMine cryptocurrency-mining malware has been discovered by security researchers at Fortinet. The Python-based variant has been named PyRoMineIoT.

The malware has many similarities to the PyRoMine malware discovered by FortiGuard Labs in April, although this variant has enhanced capabilities that help it evade detection by antivirus software.

The new variant is hosted on the same IP address as its predecessor and also uses the NSA exploit ETERNALROMANCE to spread. The goal of the malware is to mine Monero and to compromise as many vulnerable computers and IoT devices as possible, in order to increase the processing power that can be devoted to the task.

PyRoMineIoT has been packaged into a standalone executable using PyInstaller, so devices do not need to have Python installed to be vulnerable.

The infection process requires a user to visit a malicious website where a fake browser security update is displayed, tailored to the browser the visitor is using. Visitors who accept the download request receive a file containing a C# downloader that installs the miner and several other components, one of which uses the ETERNALROMANCE exploit to spread to all vulnerable devices on the network.

Another component included in the zip, ChromePass, steals credentials stored in Chrome and saves them to an XML file. ChromePass attempts to upload the XML file to a DriveHQ account, although that account has since been deactivated. An IoT device scanner component searches for vulnerable IoT devices in Iran and Saudi Arabia, specifically devices that use "admin" as both the username and the password. That information is then sent back to the malware developers for use in future attacks.

The ETERNALROMANCE exploit requires authentication, although system privileges can be obtained with Guest accounts. PyRoMineIoT attempts to log in as Anonymous with an empty username and password, and it is also capable of creating an account with the username "Default" and the password "P@ssw0rdf0rme".

Once access is gained, an obfuscated VBScript is downloaded, unlike the earlier variant, which used no obfuscation. This helps the malware evade detection by antivirus software. The VBScript then downloads several other components, including the XMRig Monero miner. If older versions of PyRoMine are already installed, the new variant removes those copies.

The malware enables RDP, adds a firewall rule for RDP port 3389, stops the Windows Update service, and starts the Remote Access Connection Manager service, enabling basic authentication on that service to allow the transfer of unencrypted data.
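The account creation described above and the host configuration changes listed in this paragraph are all things a defender can check for directly. The following PowerShell audit script is an added example, not code from Fortinet or from the article; the indicator names it looks for (a local account named "Default", an inbound allow rule for port 3389, the Windows Update service, the Remote Access Connection Manager service) come from the article, while the output format and the decision to report each item as a separate finding are this script's own assumptions.

```powershell
# Added audit script (not from the article or Fortinet). Reports host settings that
# match the changes the article attributes to PyRoMineIoT. Run in an elevated prompt.
$findings = @()

# 1. A local account named 'Default' (the article says the malware may create one).
if (Get-LocalUser -Name 'Default' -ErrorAction SilentlyContinue) {
    $findings += "Local account 'Default' exists (confirm it is expected)"
}

# 2. RDP enabled: fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP is enabled (fDenyTSConnections = 0)'
}

# 3. Enabled inbound allow rules for TCP 3389, listed by name so unexpected ones stand out.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True `
                -ErrorAction SilentlyContinue |
            Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }
foreach ($rule in $rdpRules) {
    $findings += "Inbound allow rule for port 3389: '$($rule.DisplayName)'"
}

# 4. Windows Update service stopped or disabled.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($wu -and ($wu.Status -ne 'Running' -or $wu.StartType -eq 'Disabled')) {
    $findings += "Windows Update service: status $($wu.Status), start type $($wu.StartType)"
}

# 5. Remote Access Connection Manager running (the article says the malware starts it).
$ras = Get-Service -Name RasMan -ErrorAction SilentlyContinue
if ($ras -and $ras.Status -eq 'Running') {
    $findings += 'Remote Access Connection Manager (RasMan) is running'
}

if ($findings.Count -eq 0) {
    Write-Output 'No PyRoMineIoT-style configuration changes found.'
} else {
    Write-Output 'Review the following:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

None of these findings is conclusive on its own: RasMan runs legitimately on many systems, and the Windows Update service is often stopped between update checks. The signal is the combination, particularly an unexpected "Default" account together with a newly added 3389 rule on a host that was not previously an RDP target, which is why the script lists every matching item rather than returning a single verdict.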

It has only been two months since the malware was first observed, but in those two months the number of infected devices has grown substantially, with India, Singapore, and Taiwan seeing the most infections, followed by Australia and Ivory Coast.

This new variant shows that the malware's creators are actively developing it and have invested considerable effort in mining Monero. FortiGuard Labs warns that this threat will continue to pose a risk for some time to come.