SambaCry enrolls Linux systems into a cryptocurrency mining botnet

by Olivia Morelli - - 2017-06-12

Attackers use SambaCry vulnerability to infect Linux systems with cryptocurrency miner

Not a long ago, news broke about the fearsome Windows exploit dubbed EternalBlue. However, shortly a version called EternalRed for Unix-like version appeared. This new variant quickly got an alternative name – SambaCry. The new threat addresses vulnerability CVE-2017-7494^[1], which declares that all Samba versions starting from 3.5.0 allow attackers to execute code on vulnerable machines remotely by uploading a shared library to a writable share and causing the server to activate it. According to Kaspersky^[2], the honeypots^[3] they created were able to identify the first attack using this vulnerability. The attack, however, had nothing to do with the file-encrypting software known as WannaCry^[4]. It turned out to be a different form of malware – a utility that mines cryptocurrency. In fact, this utility is very similar to Adylkuzz, a cryptocurrency-mining malware that used EternalBlue vulnerability weeks before the WannaCry showed up.

SambaCry malware enlists victims into a botnet

Explanation on how do exactly cybercriminals take control of the target system

Before attacking the target computer, cyber criminals test if the attempt to hack the computer was successful. They try to create a text file that contains eight accidentally generated symbols, and if they succeed to do so, they delete the created file immediately. Following that, the attackers rush to execute the malicious payload in the context of the Samba-server process. The malicious file gets deleted afterward in order to hide any signs of its existence. Once deleted, the malicious file exists and runs in the virtual memory only.

The malware inserts and launches two files – INAebsGB.so and cblRWuoCc.so. The first file contains a reverse-shell, connects to a certain port of the IP-address specified by its creator, and provides remote access to the shell. This gives the attacker a permission to access the computer without limits – download files from the Internet, delete user’s data, spy on the victim, and more. The second file functions as an upgraded cryptocurrency miner (cpuminer). It can be activated without any settings to mine the virtual currency straight to attacker’s wallet. Judging from the number of transactions made to criminals’ wallet, the botnet^[5] of compromised devices mining the cryptocurrency only grows.

Patching is the key to cybersecurity – protect your machine now

At the moment, there are no exact numbers to define how many machines were infected with SambaCry malware; however, it is clear that failure to patch CVE-2017-7494 vulnerability on time can lead to disastrous consequences. Therefore, we highly recommend you to download a security update for Samba 4.6.3, 4.5.9, and 4.4.13 from official Samba’s website.

About the author

Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions

References

^ CVE-2017-7494. Common Vulnerabilities and Exposures. The Standard for Information Security Vulnerability Names.
^ Mikhail Kuzin, Yaroslav Shmelev, Dmitry Galov. SambaCry is coming. Securelist. Information about Viruses, Hackers and Spam.
^ Honeypot (computing). Wikipedia. The Free Encyclopedia.
^ Margi Murphy. Attackers behind ‘wake-up call’ WannaCry attack send new chilling message to its victims. The Sun. Technology and Science - Latest News.
^ Botnets overshadowed by ransomware (in media). WeLiveSecurity. IT Security Site Covering the Latest News, Research, Cyber Threats and Malware Discoveries.