PyRoMineIoT is a cryptocurrency-mining malware recently discovered by Fortinet researchers spreading via malicious website disguised as a security update for the victim's internet browser. Contained on the fraudulent website is a downloadable file that contains a downloader agent written in C#. When this file is executed, it downloads more components, including an IoT scanner, ChromePass functionality, the ETERNALROMANCE exploit, and the XMRig Monero miner. The ETERNALROMANCE exploit is used against the SMBv1 vulnerability to spread the malware to targets with the protocol running on ports exposed to the internet. The legitimate software "ChromePass" is used to collect credentials from the Chrome browser, which are saves to an XML file and uploaded to DriveHQ’s cloud storage service. The IoT device scanner component scans for devices in Iran and Saudi Arabia with the login credentials “admin” for both username and password and saves the IPs of the vulnerable device to the malware's C2 server to retrieve later. Lastly, PyRoMineIoT installs XMRig, a software that mines the cryptocurrency Monero by utilizing a system’s CPU power, onto victim machines.

Reporting and Technical Details:

  • June 2018: PyRoMineIoT: NSA Exploit, Monero(XMR) Miner, & IoT Device Scanner. (Fortinet)

Image Source: Fortinet