BlackSquid Slithers Into Servers and Drives With 8 Notorious Exploits to Drop XMRig Miner

By Johnlery Triunfante


An unpatched security flaw that gets successfully exploited is one thing. But eight exploits that can stealthily and simultaneously get through your business's assets and data and your customers' information are quite another.


We found a new malware family that targets web servers, network drives, and removable drives using multiple web server exploits and brute-force attacks. This malware, which we named BlackSquid after the registry entries it creates and the file names of its main components, is particularly dangerous for several reasons. It employs anti-virtualization, anti-debugging, and anti-sandboxing methods to decide whether to continue with installation or not. It also has wormlike behavior for lateral propagation. And it uses some of the most notorious exploits today: EternalBlue; DoublePulsar; the exploits for CVE-2014-6287, CVE-2017-12615, and CVE-2017-8464; and three ThinkPHP exploits for multiple versions.
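For defenders, the practical question raised by the paragraph above is how to spot the web-server side of this activity in ordinary access logs. The script below is an added example, not code from the original post or from Trend Micro: it parses combined-format access-log lines, flags requests that resemble the three web-server exploit families named above, and separately flags the brute-force pattern (many failed authentication responses from one source). The three signatures are this example's own simplified assumptions based on the public descriptions of CVE-2017-12615 (Tomcat accepting a PUT of a JSP file), CVE-2014-6287 (an HFS `search` parameter carrying a null byte) and the ThinkPHP 5.x `invokefunction` routing abuse; they are not a complete rule set, and the log lines are constructed for illustration.

```python
"""Flag access-log lines consistent with the web-server exploits and brute-force
attempts described in the BlackSquid write-up.  Signatures and sample data are
constructed for this example and are deliberately simplified."""
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format (Apache/Nginx style): ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)


def classify(method, path):
    """Return the exploit family a request resembles, or None for ordinary traffic."""
    decoded = unquote(path)
    lowered = decoded.lower()
    # CVE-2017-12615: Tomcat DefaultServlet with readonly=false lets a PUT write a JSP.
    if method == "PUT" and ".jsp" in lowered:
        return "CVE-2017-12615 (Tomcat JSP upload)"
    # CVE-2014-6287: HFS 2.3.x mishandles a null byte inside the search parameter.
    if "search=" in path and ("%00" in path or "\x00" in decoded):
        return "CVE-2014-6287 (HFS null-byte search)"
    # ThinkPHP 5.x: routing string that reaches the invokefunction handler.
    if "invokefunction" in lowered or "\\think\\app" in lowered:
        return "ThinkPHP invokefunction RCE"
    return None


def analyze(lines, bruteforce_threshold=5):
    """Return (exploit_hits, brute_force_sources) for an iterable of log lines."""
    hits = []
    failures = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        family = classify(m["method"], m["path"])
        if family:
            hits.append((m["ip"], family, m["path"]))
        # Repeated 401/403 responses from one address is the brute-force indicator here.
        if m["status"] in ("401", "403"):
            failures[m["ip"]] += 1
    brute = {ip: n for ip, n in failures.items() if n >= bruteforce_threshold}
    return hits, brute


# Constructed sample log (documentation-range addresses, no real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/May/2019:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1234',
    '203.0.113.5 - - [28/May/2019:10:01:02 +0000] "PUT /upload.jsp/ HTTP/1.1" 201 0',
    '203.0.113.5 - - [28/May/2019:10:01:05 +0000] "GET /?search=%00test HTTP/1.1" 200 512',
    '203.0.113.5 - - [28/May/2019:10:01:09 +0000] "GET /index.php?s=index/think\\app/invokefunction HTTP/1.1" 500 77',
] + [
    f'198.51.100.9 - - [28/May/2019:10:02:{i:02d} +0000] "POST /admin/login HTTP/1.1" 401 0'
    for i in range(6)
]


def main():
    hits, brute = analyze(SAMPLE_LOG)
    for ip, family, path in hits:
        print(f"exploit attempt from {ip}: {family} -> {path}")
    for ip, n in brute.items():
        print(f"possible brute force from {ip}: {n} failed auth responses")


if __name__ == "__main__":
    main()
```

Run against a real log the thresholds and signatures should be tuned to the environment; a PUT of a JSP on a host that never serves Tomcat is noise, whereas the same request on an exposed Tomcat with `readonly=false` is the kind of event the write-up describes and is worth an alert.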


In addition, cybercriminals may be testing the viability of the techniques used in this malware’s routine for further development. The sample we acquired downloads and installs an XMRig Monero cryptocurrency miner as the final payload. But BlackSquid may be used with other payloads in the future.


Our telemetry observed the greatest number of attack attempts using BlackSquid in Thailand and the U.S. during the last week of May.


Evasion, routine, and exploits


BlackSquid can infect a system from three initial entry points: via an infected webpage visited because of inf ..
