EternalBlue Back Again in New Version of NRSMiner

Vulnerable systems throughout Asia are being targeted by the newest version of the NRSMiner cryptocurrency malware using the EternalBlue exploit. Vietnam in particular is being hit hard, and the malware is spreading in two ways. The first is through an updater module downloaded onto systems that were previously infected by an older version of NRSMiner. “On a system that is already infected with an older version of NRSMiner, the malware will delete all components of its older version before infecting it with the newer one. To remove the prior version of itself, the newest version refers to a list of services, tasks and files to be deleted that can be found as strings in the snmpstorsrv.dll file; to remove all older versions, it refers to a list that is found in the MarsTraceDiagnostics.xml file,” said researchers. The second way the malware spreads is through unpatched systems: a component named Wininit.exe scans TCP port 445 for reachable hosts, and any host it can reach is then attacked with the EternalBlue exploit.
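The behaviour described above gives a defender two things to look for on a Windows host: the file names the researchers quote (snmpstorsrv.dll, MarsTraceDiagnostics.xml) and a process called Wininit.exe making outbound connections to TCP 445. The following hunt script is an added example, not code from the original post or from the researchers; it assumes the standard Windows PowerShell cmdlets (Get-ChildItem, Get-NetTCPConnection, Get-Process) and that the legitimate wininit.exe lives in System32 and does not normally open outbound SMB connections, which is how it separates a lookalike from the real system process.

```powershell
# Added example (not from the original post): hunt for the NRSMiner artifacts named in the
# write-up on the local host. Run in an elevated PowerShell; read-only, nothing is changed.
$findings = @()

# 1. File artifacts quoted by the researchers. Paths are unknown, so walk the system drive.
$artifactNames = @('snmpstorsrv.dll', 'MarsTraceDiagnostics.xml')
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -File -Include $artifactNames `
    -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{
            Type   = 'File artifact'
            Detail = $_.FullName
        }
    }

# 2. Any wininit.exe that is not the genuine one, or that has outbound SMB (445) connections.
#    Assumption: the real wininit.exe runs once from System32 and never dials out on 445.
$genuinePath = Join-Path $env:SystemRoot 'System32\wininit.exe'
$smbConns = Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
    Where-Object { $_.State -in 'Established', 'SynSent' }

Get-Process -Name 'wininit' -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $path = $proc.Path   # null if access is denied; treat unknown path as suspicious too
    if (-not $path -or $path -ne $genuinePath) {
        $findings += [pscustomobject]@{
            Type   = 'Process lookalike'
            Detail = "PID $($proc.Id) image '$path' is not $genuinePath"
        }
    }
    $conns = $smbConns | Where-Object { $_.OwningProcess -eq $proc.Id }
    foreach ($c in $conns) {
        $findings += [pscustomobject]@{
            Type   = 'Outbound SMB from wininit.exe'
            Detail = "PID $($proc.Id) -> $($c.RemoteAddress):445 ($($c.State))"
        }
    }
}

# 3. Broad view: any process scanning 445 (many distinct targets from one PID) is worth a look.
$smbConns | Group-Object OwningProcess | Where-Object { $_.Count -ge 10 } | ForEach-Object {
    $p = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Type   = 'Possible 445 scanner'
        Detail = "PID $($_.Name) ($($p.ProcessName)) has $($_.Count) connections to port 445"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No NRSMiner indicators from the write-up found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

The threshold of ten concurrent 445 connections in step 3 is a constructed heuristic, not something the write-up states; tune it to the host's normal SMB usage (a file server or backup agent will legitimately exceed it), and treat a hit as a reason to pull the process image for analysis rather than as a confirmed infection.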

Analyst Notes

Although this new version is currently only being seen in Asia, that does not mean it won’t spread to the rest of the world. Users should disable SMBv1 and install the MS17-010 security patch. Blocking inbound and outbound traffic on port 445 at the firewall can also stop the malware from spreading within the local network.
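The three mitigations above (disable SMBv1, confirm MS17-010 is installed, block TCP 445) can be applied and verified from an elevated PowerShell on Windows 8.1 / Server 2012 R2 and later. The script below is an added example, not code from the original post; it assumes the built-in SmbShare, Dism and NetSecurity modules, and the KB numbers it checks are the MS17-010 updates I know of for a few OS versions, listed as an assumption to be checked against the Microsoft bulletin for the exact OS in use.

```powershell
# Added example (not from the original post): apply and verify the Analyst Notes mitigations.
# Run in an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later.

# 1. Disable SMBv1: turn it off in the SMB server and remove the optional feature.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null

$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
if ($smb1) { Write-Warning 'SMBv1 is still enabled; a reboot may be required.' }
else       { Write-Output 'SMBv1 disabled.' }

# 2. Check for an MS17-010 update. Assumed KB list (verify against the bulletin for your OS):
#    KB4012212 / KB4012215 (Windows 7, Server 2008 R2), KB4012598 (older, out-of-band),
#    KB4013389 (Windows 10 1607). Later cumulative updates supersede these, so an absence
#    here means "check the OS build and patch level manually", not "definitely vulnerable".
$ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598', 'KB4013389')
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Output "MS17-010 update present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No listed MS17-010 KB found; confirm the cumulative update level for this OS.'
}

# 3. Block TCP 445 in both directions on the host firewall. Outbound blocking is what
#    stops an infected host from scanning its neighbours; inbound blocking protects this host.
$rules = @(
    @{ Name = 'Block SMB 445 Inbound';  Direction = 'Inbound';  Port = 'LocalPort' },
    @{ Name = 'Block SMB 445 Outbound'; Direction = 'Outbound'; Port = 'RemotePort' }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        $params = @{
            DisplayName = $r.Name
            Direction   = $r.Direction
            Protocol    = 'TCP'
            Action      = 'Block'
            Profile     = 'Any'
            Enabled     = 'True'
        }
        $params[$r.Port] = 445
        New-NetFirewallRule @params | Out-Null
    }
}
Get-NetFirewallRule -DisplayName 'Block SMB 445*' | Select-Object DisplayName, Direction, Enabled
```

Blocking 445 on a domain-joined workstation breaks file shares, printers and some Group Policy traffic, so in practice the outbound rule is scoped with -RemoteAddress to everything except the file and domain controller subnets rather than applied to Any; the unscoped rule above is the emergency containment form the Analyst Notes describe.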