Black-Squid: The New king of Malware

Crypto jacking is a widely recognized hacking process that installs corrupt software on a user’s computer and uses its computing power for mining cryptocurrencies such as Monero (XMR).

A new malware dubbed BlackSquid bags eight notorious exploits to drop XMRig Monero cryptocurrency miner targeting web servers, network drivers, and removable drives. BlackSquid enters into the system through three different initial entry points that include infected webpages, compromised servers, or via removable or network drives.

If the malware doesn’t meet the conditions, then it drops the XMRig Monero malware and processes the malicious cryptocurrency-mining malware routines. It also uses EternalBlue-DoublePulsar exploits for further network propagations.

The malware employs several anti-virtualization, anti-debugging and anti-sandboxing methods to avoid detection. If the malware detects any sandboxes, it immediately cancels the infection process to avoid detection.

The malware also gets executed by utilizing the critical vulnerability CVE-2017-8464, that allows remote attackers to execute arbitrary code on the target machine as a local user.

Blacksquid also exploits the Apache Tomcat exploit CVE-2017-12615, which enables any code to be executed by the server by uploading a Java Server Pages file via a specially crafted HTTP PUT request.

It also targets Rejetto HTTP File server using CVE-2014-6287 to run mshta.exe via a %00 sequence in a search action. once abused, this allows attackers to execute arbitrary programs remotely.

black squid makes use of the GetTickCount API to randomly select IP addresses of a web server to target and checks if the addresses are live. If so, the attack begins. The malicious code is also able to start an infection chain by prepending malicious iframes to target web pages.

The malware performs a number of checks designed to avoid detection or analysis, such as the presence of usernames, drivers, or dynamic link libraries which suggest a sandbox or virtualization is in play.

Along with attacks, BlackSquid downloads two XMRig cryptocurrency mining components, that checks for the existence of video card in the target systems, it checks for Nvidia and AMD video cards, if present it downloads the second component to mine for graphics processing unit resource.

The BlackSquid is the highly sophisticated malware that allows a threat actor to escalate the privileges, Hardware Sabotage, steal sensitive information form organization and to launch various attacks.

For any Cyber Security information contact

Leave a Comment

Your email address will not be published. Required fields are marked *

eleven + 15 =