Fortinet researchers spotted a malware dubbed “PyRoMine” which uses the ETERNALROMANCE exploit to spread to vulnerable Windows machines
Fortinet researchers spotted a malware dubbed “PyRoMine” which uses the ETERNALROMANCE exploit to spread to vulnerable Windows machines

In an age where cryptomining software is beating out ransomware as the go-to for most hackers, a Python-based Monero miner is using stolen NSA exploits to gain an edge.

In 2016 the Shadow Brokers leaked several hacking tools and zero-day exploits including ETERNALBLUE and ETERNALROMANCE  that targeted versions of Windows XP/Vista/8.1/7/10 and Windows Server 2003/2008/2012/2016 and took advantage of CVE-2017-0144 and CVE-2017-0145.

Fortinet researchers spotted a malware dubbed “PyRoMine” which uses the ETERNALROMANCE exploit to spread to vulnerable Windows machines, according to an April 24 blog post. The malware isn't the first to mine cryptocurrency that uses previously leaked NSA exploits the malware is still a threat as it leaves machines vulnerable to future attacks because it starts RDP services and disables security services.

“This malware is a real threat as it not only uses the machine for cryptocurrency mining, but it also opens the machine for possible future attacks since it starts RDP services and disables security services," the blog said. "FortiGuardLabs is expecting that commodity malware will continue to use the NSA exploits to accelerate its ability to target vulnerable systems and to earn more profit.”

Researchers spotted the malware after following a malicious URL that leads to a zip file containing an executable file compiled with PyInstaller, as a result, the victims don't need to install Python on the machine in order to execute the Python program researchers said.

The exploit gives the attacker system privileges.

“The malicious vbs file sets-up a Default account with password “P@ssw0rdf0rme” and adds this account to the local groups ‘Administrators,' ‘Remote Desktop Users,' and ‘Users,'” researchers said in the post.  “It then enables RDP and adds a firewall rule to allow traffic on RDP port 3389. It also stops the Windows Update Service and starts the Remote Access Connection Manager service.”

The malware then configures the Windows Remote Management Service to enable basic authentication and to allow the transfer of unencrypted data and opens the machine for possible future attacks.