
BlackSquid malware wants to wrap its tentacles around web servers and drives


Researchers have discovered a new malware family that uses a set of eight exploits to compromise web servers, network drives and removable drives.

Dubbed BlackSquid, the malware has been observed dropping XMRig cryptominer programs, but attackers could easily use it to deliver other nasty payloads to infected devices, as well as obtain unauthorized access, escalate privileges, steal information, incapacitate hardware and software systems, and more, according to a blog post today by Trend Micro.

"Our telemetry observed the greatest number of attack attempts using BlackSquid in Thailand and the U.S. during the last week of May," warns blog post author Johnlery Triunfante.

BlackSquid's arsenal of tools includes the EternalBlue Windows SMB protocol exploit, the DoublePulsar backdoor implant, three ThinkPHP exploits, the Rejetto HTTP File Server flaw CVE-2014-6287, Apache Tomcat vulnerability CVE-2017-12615, and Windows bug CVE-2017-8464. In addition to leveraging the exploits, the malware can carry out brute-force attacks as well.

All of the exploits have had patches available for years, so users can easily protect themselves by downloading long-overdue security updates.

"BlackSquid can infect a system from three initial entry points: via an infected webpage visited because of infected known servers, via exploits as the main initial entry point for infecting web servers, or via removable or network drives," the blog post continues. However, as a matter of self-preservation, it will abort the infection if it detects signs of a sandbox environment or other undesirable elements.

EternalBlue and DoublePulsar, both National Security Agency-connected tools that were leaked by the mysterious Shadow Brokers hacking group in 2017, are used by BlackSquid to propagate across a network following initial infection, Trend Micro explains. The malware uses CVE-2017-8464 to execute copies of itself that it drops into network and removable drives, and it leverages the other exploits to attack web servers in a variety of ways.

Trend Micro says BlackSquid downloads and executes either one or two 64-bit XMRig components that mine Monero cryptocurrency. The first component is downloaded into the malware's resource section and acts as the primary miner. The malware also checks for Nvidia and AMD video cards using Windows Management Instrumentation Query Language; if it finds a video card, it downloads a second miner onto the system in order "to mine for graphics processing unit (GPU) resource."

"Given its evasion techniques and the attacks it is capable of, BlackSquid is a sophisticated piece of malware that may cause significant damage to the systems it infects," concludes Triunfante. However, Trend Micro did notice some erroneous code and intentionally skipped routines, which suggests that the malware's developers "are likely in the development and testing stages; they may be studying how they can best profit from the attacks by having two components for mining regardless of the systems' installed GPU resources. Further, they may still be trying to determine specific targets without putting up much capital."

Bradley Barth
