Attackers use SambaCry vulnerability to infect Linux systems with cryptocurrency miner
Not long ago, news broke about the fearsome Windows exploit dubbed EternalBlue. Shortly afterwards, however, a version for Unix-like systems, called EternalRed, appeared. This new variant quickly acquired an alternative name: SambaCry. The new threat exploits vulnerability CVE-2017-7494, which states that all Samba versions starting from 3.5.0 allow attackers to execute code remotely on vulnerable machines by uploading a shared library to a writable share and causing the server to load and execute it. According to Kaspersky, the honeypots they created were able to identify the first attack using this vulnerability. The attack, however, had nothing to do with the file-encrypting software known as WannaCry. It turned out to be a different form of malware: a utility that mines cryptocurrency. In fact, this utility is very similar to Adylkuzz, a cryptocurrency-mining malware that used the EternalBlue vulnerability weeks before WannaCry showed up.
How exactly the cybercriminals take control of the target system
Before attacking the target computer, the cybercriminals check whether their attempt to hack the computer has succeeded. They try to create a text file whose name consists of eight randomly generated characters, and if they succeed, they delete the created file immediately. Following that, the attackers execute the malicious payload in the context of the Samba server process. The malicious file is deleted afterwards in order to hide any sign of its existence. Once deleted, the malicious file exists and runs in virtual memory only.
The malware drops and launches two files: INAebsGB.so and cblRWuoCc.so. The first file contains a reverse shell: it connects to a particular port on an IP address specified by its creator and provides remote access to a shell. This gives the attacker unrestricted access to the computer: downloading files from the Internet, deleting the user's data, spying on the victim, and more. The second file is a modified cryptocurrency miner (cpuminer). It can be launched without any configuration to mine the virtual currency straight to the attacker's wallet. Judging from the number of transactions made to the criminals' wallet, the botnet of compromised devices mining the cryptocurrency keeps growing.
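The two-stage behaviour described above (a short-lived eight-character probe file, then a shared object written to the share and unlinked once it is loaded into the Samba process) leaves traces a defender can look for. The following is an added example, not code from the article or from Kaspersky: it runs a detector over constructed log lines that loosely follow the pipe-separated layout of Samba's vfs_full_audit module (user|client_ip|operation|result|path), and it scans a constructed excerpt of /proc/<smbd_pid>/maps for shared objects that are mapped into the process but already deleted on disk, which is exactly what "runs in virtual memory only" looks like to an investigator. The field layout, file names and IP addresses are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real captures) loosely following the
# vfs_full_audit layout: "<timestamp> <host> smbd_audit: user|ip|op|result|path".
SAMPLE_AUDIT_LOG = """\
Jun 20 10:00:01 fileserver smbd_audit: nobody|192.0.2.10|create_file|ok|reports/q2.docx
Jun 20 10:00:05 fileserver smbd_audit: nobody|198.51.100.7|create_file|ok|aB3xQz9K
Jun 20 10:00:06 fileserver smbd_audit: nobody|198.51.100.7|unlink|ok|aB3xQz9K
Jun 20 10:00:09 fileserver smbd_audit: nobody|198.51.100.7|create_file|ok|INAebsGB.so
Jun 20 10:00:09 fileserver smbd_audit: nobody|198.51.100.7|pwrite|ok|INAebsGB.so
Jun 20 10:00:12 fileserver smbd_audit: nobody|198.51.100.7|unlink|ok|INAebsGB.so
Jun 20 10:01:00 fileserver smbd_audit: alice|192.0.2.11|unlink|ok|reports/old.txt
"""

# Constructed excerpt of what /proc/<smbd_pid>/maps could show after a
# shared object was loaded by smbd and then unlinked from the share.
SAMPLE_SMBD_MAPS = """\
7f1a2c000000-7f1a2c1c5000 r-xp 00000000 08:01 1310722 /lib/x86_64-linux-gnu/libc-2.24.so
7f1a2c400000-7f1a2c402000 r-xp 00000000 08:01 2621440 /srv/share/INAebsGB.so (deleted)
7f1a2c600000-7f1a2c603000 rw-p 00000000 00:00 0       [heap]
"""

AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ smbd_audit: "
    r"(?P<user>[^|]*)\|(?P<ip>[^|]*)\|(?P<op>[^|]*)\|(?P<result>[^|]*)\|(?P<path>.*)$"
)
PROBE_NAME_RE = re.compile(r"^[A-Za-z0-9]{8}$")   # eight random characters
PROBE_WINDOW = timedelta(seconds=5)               # create-then-delete within 5 s


def parse_audit(text, year=2017):
    """Yield one dict per parseable smbd_audit line; other lines are skipped.
    Syslog timestamps carry no year, so the caller supplies it."""
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
        yield rec


def find_audit_alerts(text):
    """Return (client_ip, reason) tuples for the two behaviours described:
    a short-lived 8-character probe file, and a shared object uploaded to a share."""
    alerts = []
    pending = {}  # (ip, path) -> timestamp of the create_file that is still live
    for rec in parse_audit(text):
        if rec["result"] != "ok":
            continue
        key = (rec["ip"], rec["path"])
        name = rec["path"].rsplit("/", 1)[-1]
        if rec["op"] == "create_file":
            pending[key] = rec["ts"]
            if name.endswith(".so"):
                alerts.append((rec["ip"], f"shared object written to share: {rec['path']}"))
        elif rec["op"] == "unlink" and key in pending:
            created = pending.pop(key)
            if PROBE_NAME_RE.match(name) and rec["ts"] - created <= PROBE_WINDOW:
                alerts.append((rec["ip"],
                               f"8-char probe file created and removed within "
                               f"{PROBE_WINDOW.seconds}s: {name}"))
    return alerts


def find_deleted_mappings(maps_text):
    """Return paths of shared objects mapped into a process whose backing file
    has been unlinked (the kernel appends ' (deleted)' to such entries)."""
    hits = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        path = fields[5]
        if path.endswith(" (deleted)") and ".so" in path:
            hits.append(path[: -len(" (deleted)")])
    return hits


if __name__ == "__main__":
    for ip, reason in find_audit_alerts(SAMPLE_AUDIT_LOG):
        print(f"[audit] {ip}: {reason}")
    for path in find_deleted_mappings(SAMPLE_SMBD_MAPS):
        print(f"[maps]  deleted shared object still mapped: {path}")
```

On a real host the second check would read `/proc/<pid>/maps` for each smbd process instead of the constructed string; the audit check needs `vfs objects = full_audit` enabled on the share so that file operations are logged at all. The probe heuristic deliberately keys on both the name shape and the short create-to-delete interval, because either alone would fire on ordinary temporary files.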
Patching is the key to cybersecurity: protect your machine now
At the moment, there are no exact figures for how many machines have been infected with the SambaCry malware; however, it is clear that failure to patch the CVE-2017-7494 vulnerability in time can lead to disastrous consequences. Therefore, we highly recommend downloading the security update for Samba 4.6.3, 4.5.9, and 4.4.13 from the official Samba website.
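A quick way to act on the advice above is to compare the installed Samba version against the release numbers the article names. The script below is an added example, not the article's or the Samba project's own code: it parses the output of `smbd -V` (which prints a line such as `Version 4.4.10`) and classifies the version using only the affected-from version (3.5.0) and the three fixed releases given here; branches older than 4.4 are reported as having no fixed release listed on this page rather than as safe.

```python
import re
import subprocess

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED_RELEASES = {(4, 6): (4, 6, 3), (4, 5): (4, 5, 9), (4, 4): (4, 4, 13)}
FIRST_AFFECTED = (3, 5, 0)   # CVE-2017-7494 affects Samba from 3.5.0 onwards


def parse_version(text):
    """Extract a (major, minor, patch) tuple from strings such as
    'Version 4.4.10' (smbd -V output) or a vendor string like '4.5.9-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Classify a Samba version tuple against CVE-2017-7494 using only the
    release numbers the article gives. Returns one of:
    'not_affected', 'fixed', 'vulnerable', 'unsupported_branch'."""
    if version < FIRST_AFFECTED:
        return "not_affected"
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return "fixed" if version >= FIXED_RELEASES[branch] else "vulnerable"
    if branch > max(FIXED_RELEASES):
        # A branch newer than any listed fix is assumed to have been cut after it.
        return "fixed"
    # 3.5.0 .. 4.3.x: affected, and no fixed release for the branch is listed here.
    return "unsupported_branch"


def installed_version():
    """Ask the local smbd for its version; returns None if smbd is not available."""
    try:
        out = subprocess.run(["smbd", "-V"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return parse_version(out)


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("smbd not found on PATH")
    else:
        print(f"Samba {'.'.join(map(str, v))}: {assess(v)}")
```

One caveat when reading the result: distributions frequently backport security fixes without changing the upstream version string, so a "vulnerable" verdict from the number alone should be confirmed against the distribution's package changelog before assuming the host is unpatched.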