PyRoMine is a python-based crypto-mining malware discovered by FortiGuard Labs that takes advantage of Windows systems with the CVE-2017-0144 and CVE-2017-0145 vulnerabilities. The malware uses ENTERNALROMANCE, a remote code execution (RCE) exploit that abuses SMBv1 ports that are exposed to the internet. PyRoMine is designed to give the attacker SYSTEM privileges by first attempting to login with a hardcoded default username and password. If login is unsuccessful, the exploit will login as anonymous. Once in the system, the malware will create an administrator account with one of the hardcoded usernames and passwords located in the code of the malware that can be used to access the machine for further attacks. Along with the new account, PyRoMine will enable Remote Desktop Protocol (RDP) along with a firewall rule to allow traffic on port 3389. PyRoMine will download a miner file known as XMRig, software developed to mine the cryptocurrency Monero by utilizing the system's CPU power. The malware also creates a scheduled task for the system where it will start the malicious file each time the system starts. While the main purpose of this malware is for mining Monero, creating an administrator account and opening up RDP over port 3389 is an indication that future attacks may come once the system is exploited.

Reporting and Technical Details

  • April 2018: Python-Based Malware Uses NSA Exploit to Propagate Monero (XMR) Miner. (FortiGuard)