BlackSquid Uses 7 Exploits to Infect Web Servers with Miners

[silversurfer]

A newly discovered cryptomining threat targeting web servers, network drives, and removable drives comes filled to the brim with exploits and precautions against analysis tools and environments.
 
The end goal is to turn compromised machines into Monero mining rigs. To get there the malware pulls out of it bag several interesting tricks aimed at successfully infecting the target and to avoid analysis.
 
Security researchers found exploits for different vulnerabilities. One of them is NSA's EternalBlue, three are for multiple ThinkPHP versions; another three are for getting remote code execution via CVE-2014-6287 (affects Rejetto HFS), CVE-2017-12615 (affects Apache Tomcat), and CVE-2017-8464 (affects Windows Shell), research from Trend Micro reports.
 
By using multiple exploits aimed at web servers, the malware increases its success rate for infecting a machine.
To evade the scrutiny of malware researchers, once BlackSquid gains access to a server it checks for signs of an analysis environment, such as a virtual machine, sandbox, or a debugger.
 
Once it compromises a machine, the cryptominer delays its routine until it makes sure that the system it lands on does not have a name common to known hardware emulators or sandbox tool or a disk drive model that would indicate an analysis environment.

SOURCE: https://www.bleepingcomputer.com/news/se...th-miners/