Researchers at Guardicore Labs recently came across a malware attack that took down over 800 machines of a medium-sized medical tech company. The malware was hidden inside WAV files, carried a Monero cryptominer, and spread by exploiting the infamous EternalBlue vulnerability.
While the attack otherwise went according to the attackers' plan, their code ended up triggering the good old Blue Screen of Death (BSOD). It was only after BSOD incidents dating back to October 14 that the company realized its devices had been compromised.
Upon investigating the root cause, researchers found that a base64-encoded PowerShell script was causing the system crashes. The script was later decoded to make it readable. You can check out the encoded and decoded versions of the script here.
“We obtained a readable PowerShell script which starts by checking the system architecture (based on pointer size). Then, it reads the value stored in the registry subkey mentioned above and loads the value into memory using the Windows API function WriteProcessMemory. The code – namely, the malware payload – is executed by obtaining and invoking a function pointer delegate,” wrote Guardicore researchers.
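From the defender's side, the behaviour the researchers describe is easy to hunt for in process-creation logs once the `-EncodedCommand` payload is decoded. The following is an added example (not Guardicore's code): it decodes the UTF-16LE base64 argument and flags the four traits named above; the log lines and script body are constructed, and `GetDelegateForFunctionPointer` is assumed as the call behind "function pointer delegate".

```python
import base64
import re
from typing import Optional

# Indicators drawn from the behaviour described in the report. The API name
# GetDelegateForFunctionPointer is an assumption for "function pointer delegate".
INDICATORS = {
    "arch_check_by_pointer_size": re.compile(r"\[IntPtr\]::Size", re.I),
    "registry_value_read": re.compile(r"Get-ItemProperty(Value)?\s+.*HK(LM|CU):", re.I),
    "write_process_memory": re.compile(r"WriteProcessMemory", re.I),
    "function_pointer_delegate": re.compile(r"GetDelegateForFunctionPointer", re.I),
}

# powershell.exe accepts abbreviated switches, so match the common spellings.
ENCODED_ARG = re.compile(r"(?:-|/)(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before base64-encoding it.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(cmdline: str) -> list:
    """Decode any encoded PowerShell and return the names of the indicators it matches."""
    body = decode_encoded_command(cmdline) or cmdline
    return [name for name, rx in INDICATORS.items() if rx.search(body)]


# Constructed sample script: it only names the calls the report describes.
SAMPLE_SCRIPT = (
    "if ([IntPtr]::Size -eq 8) { $arch = 'x64' }; "
    "$blob = (Get-ItemProperty 'HKLM:\\SOFTWARE\\EXAMPLE\\Sub').Payload; "
    "WriteProcessMemory ...; [Marshal]::GetDelegateForFunctionPointer(...)"
)
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode()

# Constructed process-creation log lines (not taken from the incident).
SAMPLE_LOGS = [
    "powershell.exe -NoProfile -Command Get-Date",
    f"powershell.exe -w hidden -NoP -enc {SAMPLE_ENCODED}",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(analyse(line) or "clean")
```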
As I mentioned earlier, the attackers exploited the EternalBlue vulnerability to spread the malware to other devices on the network. Guardicore recommended that the firm block all SMB traffic to contain the situation.
Researchers reverse-engineered the malware, and here is what they found: “The malware contains a cryptomining module based on the open-source XMRig CPU miner. It uses the CryptonightR algorithm to mine Monero – a popular privacy coin. In addition, the malware makes use of steganography and hides its malicious modules inside clean-looking WAV files.”
The malicious processes were terminated, the registry keys were deleted, and the malware was cleaned from the previously affected systems to stop the BSOD crashes. You may read the entire report here.