BlackSquid malware uses exploits to inject XMRig Miner into web servers

A highly evasive malware string BlackSquid uses eight exploits and brute-force attacks to cryptojack web servers in Thailand and the US

BlackSquid drops XMRigNew BlackSquid malware uses eight exploits in implant Monero cryptominer XMRig into web servers in the US and Thailand

Cybersecurity researchers from Trend Micro recently published a report,[1] in which they analyze new malware family dubbed BlackSquid. According to experts, the unique string is using eight exploits, as well as sophisticated evasion techniques in order to implant Monero mining software XMRig and targets web servers, networked and storage drives.

Trend Micro researchers call the malware “especially dangerous,” as its level of sophistication as astounding. It uses anti-debugging, anti-sandboxing, and anti-virtualization techniques in order to determine whether or not the machine is safe to enter. Additionally, BlackSquid is also capable of performing brute-force attacks, as well as using worm-like capabilities to spread laterally.

The security research blog also claims that, besides that already impressive collection of capabilities, malware authors are most likely looking into expanding the operation by implementing new features into the malicious code:

In addition, cybercriminals may be testing the viability of the techniques used in this malware’s routine for further development. The sample we acquired downloads and installs an XMRig Monero cryptocurrency miner as the final payload. But BlackSquid may be used with other payloads in the future.

The examined samples were most prevalent in Thailand and the US during May 2019, although future attacks might be much broader.

Multiple exploits ensure higher infection rates

While some malware strains use one or a few vulnerabilities for propagation, BlackSquid employs a total of eight most popular flaws, including:

  • EternalBlue – the infamous exploit kit discovered by the NSA and used for WannaCry[2] and NotPetya[3] distribution
  • DoublePulsar – a widely adopted RAT that allows hackers to inject arbitrary Dynamic-link Library files
  • Rejetto HTTP File Server flaw CVE-2014-6287[4] that allows arbitrary program execution
  • Apache Tomcat vulnerability CVE-2017-12615 that enables attackers to upload JSP files
  • Windows Shell in Microsoft Windows Server vulnerability CVE-2017-8464
  • A few versions ThinkPHP exploits

Nevertheless, BlackSquid malware is capable of infecting machines via three different entry points, including removable network drives, malicious website, or exploits.

BlackSquid uses a variety of tricks before finalizing its payload

BlackSquid selects its target with the help of GetTickCount API,[5] which randomly chooses IPs of web servers and then checks if they are live. If it is the case, the attack begins with the help of exploits and brute-force[6] features.

BlackSquid performs three name checks before it continues its routine to ensure anti-analysis and detection avoidance. It determines the usernames, drives, and dynamic link libraries in order to make sure that it does not get into the hands of researchers or malware analysts.

Trend Micro experts explain:

The malware also checks the breakpoint registers for hardware breakpoints, specifically for the flags. Hard-coded in, it skips the routine if that flag is at 0, while it seems to proceed with infection if the flag is at 1. As of this writing, the code is set at 0, implying that this aspect of the malware routine is still in development.

As soon as the malware lands on the web server, it uses remote execution flaw to elevate the privileges to those of a local system user. After that, BlackSquid propagates as a worm across the network and executes its final payloads, which consists of two XMRig cryptojacking components. If a GPU is detected, the malware also uses its power to mine additional Monero coins.

While sophisticated, BlackSquid is mostly still in development stage

Researchers claim that BlackSquid can cause a significant amount of damage to businesses and organizations, as it can elevate its privileges, guaranteeing illegal access to all the sensitive data on the corporate network databases. Additionally, it can also destroy the hardware or launch attacks against other companies.

Nevertheless, Trend Micro experts also note that the malware is not perfect – it consists of multiple coding errors and also skips several important routines. Thus, it is highly likely that BlackSquid is still in its development stages, as there is plenty of room for the improvement.

The best remedy for BlackSquid is adequately patched systems along with reputable anti-malware software running on all machines. Vulnerabilities used by malware, while powerful, were patched a long time ago, and organizations should not skip these updates to avoid significant damages caused by this malware strain.

About the author
Lucia Danes
Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.

Contact Lucia Danes
About the company Esolutions